Martin Smolár, a security researcher from ESET, has disclosed 3 buffer overflow vulnerabilities in Lenovo BIOS. The vulnerability is impacting multiple Lenovo Notebook devices including several ThinkBook models leaving millions of laptops vulnerable. These vulnerabilities enable advisories to hijack the OS execution flow and disable some important security features on the affected devices. This helps threat actors to achieve arbitrary code execution in the early phases of the platform boot. It is highly important for all the Lenovo Laptop holders to be aware of these three buffer overflow vulnerabilities. We created this post that tells how to fix these three buffer overflow vulnerabilities in Lenovo BIOS.
The vendor has published advisory for the second time since the beginning of the year. The first set of three vulnerabilities Lenovo fixed are CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, vulnerabilities enable advisories to deploy and execute malicious firmware on the affected devices.
A Small Note On UEFI vs BIOS:
Sometimes, you may get confused between UEFI and BIOS. Here is a small note that lets you know the difference between UEFI and BIOS in simple words.
UEFI stands for Unified Extensible Firmware Interface and is essentially a software program that sits on top of your computer’s hardware and provides an interface between the operating system and the hardware. UEFI is the successor to BIOS, offering a more modern interface as well as additional features and capabilities.
BIOS, on the other hand, stands for Basic Input/Output System. It is a ROM chip that stores information about your computer’s hardware and how it should be configured. The BIOS is responsible for booting up your computer, and it generally does not offer as many features or capabilities as UEFI.
So, UEFI is a more modern version of BIOS that offers additional features and capabilities. It is not required on all computers, but it is becoming more common. If your computer has UEFI, you will likely see a UEFI options menu when you boot up the computer that will allow you to change UEFI settings.
The Three Buffer Overflow Vulnerabilities In Lenovo BIOS:
On July 13, 2022, Martin Smolár, a security researcher from ESET tweeted about the three flaws to the PC manufacturer. The following is a summary of the three buffer overflow vulnerabilities as outlined by Lenovo.
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6— ESET Research (@ESETresearch) July 13, 2022
CVE-2022-1890: This is a buffer overflow vulnerability in the ReadyBootDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the ReadyBootDxe driver resulting in a buffer overflow.
CVE-2022-1891: This is a buffer overflow vulnerability in the SystemLoadDefaultDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the SystemLoadDefaultDxe driver resulting in a buffer overflow.
CVE-2022-1892: This is a buffer overflow vulnerability in the SystemBootManagerDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the SystemBootManagerDxe driver resulting in a buffer overflow.
How To Fix The Three Buffer Overflow Vulnerabilities In Lenovo BIOS?
Upgrading the BIOS firmware is the best way to fix these new vulnerabilities in Lenovo Laptops.BIOS can be updated in three different ways in Lenovo Laptops.
Method 1: Automatic Update
Update Lenovo drivers, BIOS, and applications using Lenovo System Update. Lenovo System Update is the latest program that can be used to update your Lenovo laptop drivers and other software. It can also detect when there are new versions of the BIOS and automatically install them.
To check if your Lenovo laptop has this feature, go to Start Menu > Control Panel > System and Security. Click on “System” and then click on “Advanced system settings.” On the left panel, click on “Advanced” and then click on “Update BIOS.”
If you see the “Update BIOS” option, your Lenovo laptop has the Lenovo System Update feature. If you don’t see this option, your Laptop doesn’t have this feature, and you’ll need to install the BIOS updates manually.
Method 2: WinFlash
- Download the most recent BIOS to your Windows desktop for easier usage. To locate and download the BIOS, follow these steps: Open the Lenovo support website (support.lenovo.com).
- Enter the system machine type or product name. On the product page, click Drivers & Software. Filter by BIOS/UEFI, and choose the corresponding OS information.
- Follow the instructions in the readme file to download and install the BIOS. Right-click on the BIOS flash package and select Run as administrator.
- A self-extracting window will appear on Windows, and you should click the Install button. Then click on the Flash BIOS button. A caution screen will appear to notify users to connect the system’s power outlet and supply additional flash information.
- Select the OK button. The BIOS update flashing program will automatically run. Please wait until the BIOS update flashing program has finished installation. When the BIOS update is completed, your computer reboots automatically.
Method 3: Update BIOS From Windows
Updating BIOS from Windows is simple and straight. Steps to update system BIOS in Lenovo Laptops:
- Visit the official Lenovo website and download the BIOS update file.
- Extract the downloaded file to a folder on your computer.
- Double-click on the extracted BIOS file to launch the update process.
- Follow the on-screen instructions to complete the BIOS update process.
- Restart your computer and check if the BIOS update is successful.
See Also How To Set Up A Certificate Authority On Ubuntu Using OpenSSL?
These are the steps to update the system BIOS in Lenovo Laptops. Following these steps should help you update your BIOS successfully. In case you face any issues, please reach out to the Lenovo support team for assistance.
List Of Lenovo Laptops Vulnerable To CVE-2022-1890, CVE-2022-1891, And CVE-2022-1892:
Lenovo has verified its Laptop modules and published the vulnerable models in its advisory report. Please don’t miss seeing the list from here. Click here for a complete list of all Lenovo Product Security Advisories.
| Product | Component | CVE-2022-1890 | CVE-2022-1891 | CVE-2022-1892 |
| 100e 2nd Gen Notebook (Lenovo) (Type 82GJ) | BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) | Not Affected | Not Affected | FRCN23WW |
| 100w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 | Not Affected | Not Affected | GACN38WW |
| 13w Yoga (Type 82S1, 82S2) Laptop (Lenovo) | BIOS Update Utility for Windows 11 (Version 21H2 or later), 10 (Version 21H2 or later) – Lenovo 13w Yoga (Type 82S1, 82S2) | Not Affected | Not Affected | JACN31WW |
| 14W Gen 2 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 14W Gen 2 | Not Affected | Not Affected | H0CN21WW |
| 300e 2nd Gen Notebook (Lenovo) (Type 82GK) | BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) | Not Affected | Not Affected | FRCN23WW |
| 300w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 | Not Affected | Not Affected | GACN38WW |
| 500w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 500w Gen 3 | Not Affected | Not Affected | G6CN40WW |
| 730S-13IML Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML | Not Affected | Not Affected | BRCN20WW |
| Flex 3-11ADA05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 3-11ADA05 | Not Affected | Not Affected | FPCN26WW |
| Flex 5-14ALC05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 | Not Affected | Not Affected | GJCN27WW |
| Flex 5-14ARE05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ARE05 | Not Affected | Not Affected | EECN39WW |
| Flex 5-14IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 | Not Affected | Not Affected | ECCN40WW |
| Flex 5-14ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 | Not Affected | Not Affected | FXCN38WW |
| Flex 5-15ALC05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 | Not Affected | Not Affected | GJCN27WW |
| Flex 5-15IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 | Not Affected | Not Affected | ECCN40WW |
| Flex 5-15ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 | Not Affected | Not Affected | FXCN38WW |
| IdeaPad 1-11ADA05 Laptop | BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 | Not Affected | Not Affected | FQCN26WW |
| IdeaPad 1-11IGL05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 | Not Affected | Not Affected | DWCN24WW |
| IdeaPad 1-14ADA05 Laptop | BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 | Not Affected | Not Affected | FQCN26WW |
| IdeaPad 1-14IGL05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 | Not Affected | Not Affected | DWCN24WW |
| IdeaPad 3 15ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
| IdeaPad 3-14ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
| IdeaPad 3-14ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
| IdeaPad 3-14ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
| IdeaPad 3-15ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
| IdeaPad 3-15ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
| IdeaPad 3-17ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
| IdeaPad 3-17ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
| IdeaPad 3-17ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
| IdeaPad 5 15ABA7 | BIOS Update for Windows 11 (64-bit) – IdeaPad 5 15ABA7 | Not Affected | Not Affected | KACN14WW |
| IdeaPad Flex 5 14ALC7 Laptop | BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 | Not Affected | Not Affected | JCCN29WW |
| IdeaPad Flex 5 16ALC7 | BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 | Not Affected | Not Affected | JCCN29WW |
| Legion S7-15ACH6 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Legion S7-15ACH6 | Not Affected | Not Affected | HACN37WW |
| Legion S7-15ARH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Legion S7-15ARH5 | Not Affected | Not Affected | G1CN27WW |
| Legion S7-15IMH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Legion S7-15IMH5 | Not Affected | Not Affected | FDCN40WW |
| S145-14API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
| S145-14AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST | Not Affected | Not Affected | AYCN28WW |
| S145-15API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
| S145-15AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
| S145-15AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST | Not Affected | Not Affected | AYCN28WW |
| S540-13API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S540-13API | Not Affected | Not Affected | CXCN36WW |
| S940-14IIL Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL | Not Affected | Not Affected | BQCN34WW |
| Slim 1-11AST-05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 | Not Affected | Not Affected | CWCN25WW |
| Slim 1-14AST-05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 | Not Affected | Not Affected | CWCN25WW |
| ThinkBook 13s G2 ARE Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s G2 ARE | Not Affected | Not Affected | FVCN24WW |
| ThinkBook 13s G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL | Not Affected | Not Affected | F9CN50WW |
| ThinkBook 13s G3 ACN Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G3 ACN | Not Affected | Not Affected | GMCN29WW |
| ThinkBook 13s-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML | Not Affected | Not Affected | CQCN37WW |
| ThinkBook 14-IIL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL | DJCN28WW | DJCN28WW | DJCN28WW |
| ThinkBook 14-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML | CJCN38WW | CJCN38WW | CJCN38WW |
| ThinkBook 14p G2 ACH Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 14p G2 ACH | Not Affected | Not Affected | GWCN41WW |
| ThinkBook 14s G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL | Not Affected | Not Affected | F9CN50WW |
| ThinkBook 14s-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML | Not Affected | Not Affected | CQCN37WW |
| ThinkBook 15-IIL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL | DJCN28WW | DJCN28WW | DJCN28WW |
| ThinkBook 15-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML | CJCN38WW | CJCN38WW | CJCN38WW |
| ThinkBook 16p G2 ACH Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 16p G2 ACH | Not Affected | Not Affected | GXCN42WW |
| V130-15IKB Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – V130-15IKB | Not Affected | Not Affected | 8VCN31WW |
| V14 G2-ALC Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
| V14-ADA Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
| V15 G2-ALC Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
| V15-ADA Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
| Yoga 9-15IMH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga 9-15IMH5 | Not Affected | Not Affected | EPCN28WW |
| Yoga C640-13IML LTE Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE | CHCN28WW | CHCN28WW | CHCN28WW |
| Yoga C640-13IML Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE | CHCN28WW | CHCN28WW | CHCN28WW |
| Yoga C940-15IRH Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga C940-15IRH | Not Affected | Not Affected | BSCN37WW |
| Yoga S730-13IML Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML | Not Affected | Not Affected | BRCN20WW |
| Yoga S940-14IIL Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL | Not Affected | Not Affected | BQCN34WW |
| Yoga Slim 7 Pro-14ACH5 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O | Not Affected | Not Affected | GZCN29WW |
| Yoga Slim 7 Pro-14ACH5 O Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O | Not Affected | Not Affected | GZCN29WW |
| Yoga Slim 7 Pro-14ARH5 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 Pro-14ARH5 | Not Affected | Not Affected | G7CN24WW |
| ideapad 5-15ALC05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 5-15ALC05 | Not Affected | Not Affected | H2CN27WW |
Related posts:
How To Fix The 3 New Vulnerabilities In Lenovo BIOS?
How to Fix CVE-2023-33009 and CVE-2023-33010- Critical Buffer Overflow Vulnerabilities in Zyxel Products?
How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System
How To Fix CVE-2021-34991- A Pre-Authentication Buffer Overflow On Multiple Netgear Products?