Lenovo has warned owners of its laptops that more than 70 models have security holes that allow arbitrary code execution through UEFI/BIOS.
In total, ESET security researchers identified three vulnerabilities that allow attackers with local access to execute arbitrary code via a buffer overflow. According to Lenovo, only one of them (CVE-2022-1892) affects all models, while the other two affect only a few models.
“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” ESET explained. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
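The flaw ESET describes is the classic two-call `GetVariable` pattern: the first call, made with a zero `DataSize`, reports how large the variable is, and the second call reuses that attacker-controlled size against a fixed-size buffer without checking it. The following is an added example, not code from the article, ESET or Lenovo: it simulates `GetVariable` over a constructed in-memory NVRAM store (the `sim_GetVariable` function, the `EFI_*` constants and the variable names are assumptions for this illustration, not EDK2 definitions) and shows the hardened caller, which bounds the size before the second call and passes the buffer's real capacity so a variable that changed between the two calls cannot overflow it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the UEFI status codes used here. */
typedef uintptr_t EFI_STATUS;
#define EFI_SUCCESS           0
#define EFI_INVALID_PARAMETER 2
#define EFI_BUFFER_TOO_SMALL  5
#define EFI_NOT_FOUND         14

/* Constructed NVRAM store: "BigVar" plays the role of a variable an
   attacker with local access has written with an oversized payload. */
struct nvram_var { const char *name; uint8_t data[256]; size_t size; };
static struct nvram_var g_store[] = {
    { "Setup",  { 0xAA }, 16  },
    { "BigVar", { 0xBB }, 200 },
};
#define STORE_COUNT (sizeof g_store / sizeof g_store[0])

/* Simulated GetVariable with the spec's size-negotiation semantics:
   if *data_size is too small, report the needed size and fail. */
static EFI_STATUS sim_GetVariable(const char *name, size_t *data_size, void *data)
{
    for (size_t i = 0; i < STORE_COUNT; i++) {
        if (strcmp(g_store[i].name, name) != 0) continue;
        if (*data_size < g_store[i].size) {
            *data_size = g_store[i].size;   /* tell the caller what it needs */
            return EFI_BUFFER_TOO_SMALL;
        }
        if (data == NULL) return EFI_INVALID_PARAMETER;
        memcpy(data, g_store[i].data, g_store[i].size);
        *data_size = g_store[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

/* Hardened two-call read into a caller-supplied fixed buffer.
   The vulnerable pattern takes the size returned by call one and feeds it
   straight into call two as DataSize; if the variable is larger than the
   buffer, GetVariable happily writes past the end of it. */
EFI_STATUS read_variable_checked(const char *name, uint8_t *buf,
                                 size_t buf_cap, size_t *out_len)
{
    size_t size = 0;
    EFI_STATUS st = sim_GetVariable(name, &size, NULL);
    if (st != EFI_BUFFER_TOO_SMALL) return st;   /* not found, or a zero-length variable */

    /* The missing check: refuse anything that does not fit the buffer. */
    if (size > buf_cap) return EFI_BUFFER_TOO_SMALL;

    /* Second call: pass the buffer's capacity, not the size from call one,
       so a variable rewritten between the calls is rejected, not copied. */
    size = buf_cap;
    st = sim_GetVariable(name, &size, buf);
    if (st != EFI_SUCCESS) return st;
    *out_len = size;
    return EFI_SUCCESS;
}

/* Convenience wrapper reading into a 64-byte stack buffer, the kind of
   fixed Data buffer the advisory describes being overflowed. */
EFI_STATUS read_into_64(const char *name, size_t *out_len)
{
    uint8_t buf[64] = { 0 };
    return read_variable_checked(name, buf, sizeof buf, out_len);
}

int main(void)
{
    const char *names[] = { "Setup", "BigVar", "Missing" };
    for (size_t i = 0; i < 3; i++) {
        size_t n = 0;
        EFI_STATUS st = read_into_64(names[i], &n);
        printf("%-8s status=%lu len=%zu\n", names[i], (unsigned long)st, n);
    }
    return 0;
}
```

The 16-byte `Setup` variable is copied; the 200-byte `BigVar` is rejected with `EFI_BUFFER_TOO_SMALL` instead of overwriting 136 bytes beyond the stack buffer. Passing the buffer capacity as `DataSize` on the second call is the part that matters: it turns a variable that grew between the two calls into a clean error rather than a write past the buffer.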
In addition, Lenovo warns about Retbleed, a new speculative-execution attack that affects devices with Intel and AMD processors. Many models that use XClarity Controller for server management also have vulnerabilities.
Firmware vulnerabilities are not uncommon. While some are specific to one vendor’s products, researchers have also found vulnerabilities in third-party components used by multiple vendors.
For example, firmware security company Binarly recently discovered nearly two dozen vulnerabilities in the InsydeH2O UEFI code used by more than 25 vendors, including HP, Lenovo, Fujitsu, Microsoft, Intel, Dell, Bull, and Siemens.
Although Insyde Software patched the vulnerabilities after Binarly reported them, it may take some time for the fixes to be adopted by manufacturers and reach millions of end users. Framework, the maker of modular, upgradable laptops, only recently informed customers that fixes for these flaws are available.