Source: Known reputed Security Agencies/Reports/Articles
Sector: All – including Government agencies
Reported by: Ars Technica article and Lenovo Support advisory; CVEs: CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892
DATE(S) ISSUED: 07/13/2022
SUBJECT: Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models
OVERVIEW:
The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of platform boot, before the operating system loads, which could allow an attacker to hijack the OS execution flow and disable important security features. All three share one root cause: insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. The affected drivers call GetVariable twice, first to learn the variable's size and then to read it into a fixed-size buffer, but the size returned by the first call is passed unchecked to the second. An attacker who creates a specially crafted, oversized NVRAM variable therefore causes a buffer overflow of the Data buffer in the second GetVariable call. Note that UEFI variables can be written from a running OS by an administrator (or root via efivarfs on Linux), so "local privileges" here means OS-level administrative access, not physical access to the firmware.
THREAT INTELLIGENCE: Per recent updates from Lenovo, the vulnerabilities are reported as actively exploited in attacks; targets are currently unknown.
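To make the GetVariable double-call bug concrete, the following is an added example (not Lenovo's firmware or EDK2 code): a minimal in-memory model of the UEFI GetVariable() service, a caller written in the vulnerable pattern the advisory describes, and a hardened caller beside it. The NVRAM store, the variable name "BootOption", the 64-byte buffer size and the frame layout are all constructed for the demonstration, and the GetVariable() signature is simplified (no VendorGuid or Attributes arguments). The driver's stack frame is simulated as a heap block so that the overflow into the slot standing in for the saved return address can be observed without undefined behaviour.

```c
/* Added example, not Lenovo's or EDK2's code. Models the GetVariable()
 * "call twice" pattern from the advisory; names and sizes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL (0x8000000000000000ULL | 5)   /* EDK2 encoding */
#define EFI_NOT_FOUND        (0x8000000000000000ULL | 14)

/* Constructed NVRAM: one variable whose contents and size the attacker
 * chose from the OS (admin on Windows, root via efivarfs on Linux). */
#define NVRAM_MAX 256
static const char *VAR_NAME = "BootOption";   /* assumed variable name */
static uint8_t nvram_data[NVRAM_MAX];
static size_t  nvram_size = 0;

void plant_variable(size_t n)
{
    if (n > NVRAM_MAX) n = NVRAM_MAX;
    memset(nvram_data, 0x41, n);   /* 'AAAA...' so the clobber is visible */
    nvram_size = n;
}

/* Model of EFI_RUNTIME_SERVICES->GetVariable(): like the real service it
 * trusts *DataSize as the capacity of Data and copies the whole variable. */
EFI_STATUS GetVariable(const char *Name, size_t *DataSize, void *Data)
{
    if (strcmp(Name, VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (Data == NULL || *DataSize < nvram_size) {
        *DataSize = nvram_size;    /* report the real size, copy nothing */
        return EFI_BUFFER_TOO_SMALL;
    }
    for (size_t i = 0; i < nvram_size; i++)   /* byte loop: no fortify masking */
        ((uint8_t *)Data)[i] = nvram_data[i];
    *DataSize = nvram_size;
    return EFI_SUCCESS;
}

/* Simulated DXE driver stack frame: a 64-byte Data buffer followed by a
 * slot standing in for the saved return address. One heap block, large
 * enough for any planted variable, so the overflow stays observable and
 * well-defined. */
#define DATA_CAP      64
#define RETADDR_OFF   DATA_CAP
#define FRAME_SIZE    (NVRAM_MAX + 16)
#define RETADDR_MAGIC 0x1122334455667788ULL

typedef struct { EFI_STATUS status; int retaddr_clobbered; } ReadResult;

static uint8_t *new_frame(void)
{
    uint8_t *f = calloc(FRAME_SIZE, 1);
    uint64_t magic = RETADDR_MAGIC;
    memcpy(f + RETADDR_OFF, &magic, sizeof magic);
    return f;
}

static ReadResult finish(uint8_t *f, EFI_STATUS st)
{
    uint64_t v;
    memcpy(&v, f + RETADDR_OFF, sizeof v);
    ReadResult r = { st, v != RETADDR_MAGIC };
    free(f);
    return r;
}

/* Vulnerable caller (the pattern in the advisory): the size returned by
 * the first call is handed unchecked to the second call, whose Data is a
 * fixed-size buffer. Any variable larger than DATA_CAP overflows it. */
ReadResult vulnerable_read(void)
{
    uint8_t *frame = new_frame();
    size_t DataSize = 0;
    EFI_STATUS st = GetVariable(VAR_NAME, &DataSize, NULL);   /* learn the size */
    if (st == EFI_BUFFER_TOO_SMALL)
        st = GetVariable(VAR_NAME, &DataSize, frame);         /* DataSize is attacker's */
    return finish(frame, st);
}

/* Hardened caller: DataSize states the buffer's real capacity, and an
 * oversized variable is refused (EFI_BUFFER_TOO_SMALL) instead of copied. */
ReadResult hardened_read(void)
{
    uint8_t *frame = new_frame();
    size_t DataSize = DATA_CAP;
    EFI_STATUS st = GetVariable(VAR_NAME, &DataSize, frame);
    /* On EFI_BUFFER_TOO_SMALL the variable is larger than we reserve:
     * fall back to defaults rather than growing DataSize to match. */
    return finish(frame, st);
}

int main(void)
{
    plant_variable(80);   /* 80 attacker bytes into a 64-byte buffer */
    ReadResult v = vulnerable_read(), h = hardened_read();
    printf("vulnerable: status=%llx retaddr clobbered=%d\n",
           (unsigned long long)v.status, v.retaddr_clobbered);
    printf("hardened:   status=%llx retaddr clobbered=%d\n",
           (unsigned long long)h.status, h.retaddr_clobbered);
    return 0;
}
```

The point of the hardened version is not the extra check but the contract: DataSize passed into GetVariable must always describe the buffer actually supplied, and EFI_BUFFER_TOO_SMALL must be handled as "this variable cannot be used", never as "allocate or pretend a bigger buffer". Because NVRAM is writable from the OS, any DXE driver that reads a variable into a fixed-size buffer has to treat that variable as untrusted input.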
SYSTEMS AFFECTED:
• Lenovo notebook model lines:
  • Yoga
  • ThinkBook
  • IdeaPad
  • ThinkPad
RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact
TECHNICAL SUMMARY:
Lenovo has assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe and SystemBootManagerDxe drivers, respectively. All three are the same class of bug: a buffer overflow triggered by an attacker-controlled NVRAM variable, exploitable by a local attacker who already holds the OS privileges needed to write UEFI variables.
• CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
• CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
• CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
RECOMMENDATIONS: