How To Fix The Three Buffer Overflow Vulnerabilities In Lenovo BIOS


Martin Smolár, a security researcher from ESET, has disclosed 3 buffer overflow vulnerabilities in Lenovo BIOS. The vulnerability is impacting multiple Lenovo Notebook devices including several ThinkBook models leaving millions of laptops vulnerable. These vulnerabilities enable advisories to hijack the OS execution flow and disable some important security features on the affected devices. This helps threat actors to achieve arbitrary code execution in the early phases of the platform boot. It is highly important for all the Lenovo Laptop holders to be aware of these three buffer overflow vulnerabilities. We created this post that tells how to fix these three buffer overflow vulnerabilities in Lenovo BIOS.

The vendor has published advisory for the second time since the beginning of the year. The first set of three vulnerabilities Lenovo fixed are CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, vulnerabilities enable advisories to deploy and execute malicious firmware on the affected devices.

A Small Note On UEFI vs BIOS:

Sometimes, you may get confused between UEFI and BIOS. Here is a small note that lets you know the difference between UEFI and BIOS in simple words.

UEFI stands for Unified Extensible Firmware Interface and is essentially a software program that sits on top of your computer’s hardware and provides an interface between the operating system and the hardware. UEFI is the successor to BIOS, offering a more modern interface as well as additional features and capabilities.

BIOS, on the other hand, stands for Basic Input/Output System. It is a ROM chip that stores information about your computer’s hardware and how it should be configured. The BIOS is responsible for booting up your computer, and it generally does not offer as many features or capabilities as UEFI.

So, UEFI is a more modern version of BIOS that offers additional features and capabilities. It is not required on all computers, but it is becoming more common. If your computer has UEFI, you will likely see a UEFI options menu when you boot up the computer that will allow you to change UEFI settings.

See also  How To Fix A Code Injection Vulnerability In Ninja Forms WordPress Plugin

The Three Buffer Overflow Vulnerabilities In Lenovo BIOS:

On July 13, 2022, Martin Smolár, a security researcher from ESET  tweeted about the three flaws to the PC manufacturer. The following is a summary of the three buffer overflow vulnerabilities as outlined by Lenovo.

#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models.  @smolar_m 1/6— ESET Research (@ESETresearch)  July 13, 2022

CVE-2022-1890: This is a buffer overflow vulnerability in the ReadyBootDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the ReadyBootDxe driver resulting in a buffer overflow.

 

See Also CVE-2022-0513- Fix The Critical SQL Injection Vulnerability In WP Statistics WordPress Plugin

CVE-2022-1891: This is a buffer overflow vulnerability in the SystemLoadDefaultDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the SystemLoadDefaultDxe driver resulting in a buffer overflow.

CVE-2022-1892: This is a buffer overflow vulnerability in the SystemBootManagerDxe driver in some Lenovo notebook models which would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to an insufficient validation of an NVRAM variable called “DataSize” in the SystemBootManagerDxe driver resulting in a buffer overflow.

See also  Discovering Wireshark: 7 Features to Analyze a PCAP File Using Wireshark

How To Fix The Three Buffer Overflow Vulnerabilities In Lenovo BIOS?

Upgrading the BIOS firmware is the best way to fix these new vulnerabilities in Lenovo Laptops.BIOS can be updated in three different ways in Lenovo Laptops.

Automatic Updates

WinFlash

Update BIOS from Windows

Method 1: Automatic Update

Update Lenovo drivers, BIOS, and applications using Lenovo System Update. Lenovo System Update is the latest program that can be used to update your Lenovo laptop drivers and other software. It can also detect when there are new versions of the BIOS and automatically install them.

To check if your Lenovo laptop has this feature, go to Start Menu > Control Panel > System and Security. Click on “System” and then click on “Advanced system settings.” On the left panel, click on “Advanced” and then click on “Update BIOS.”

If you see the “Update BIOS” option, your Lenovo laptop has the Lenovo System Update feature. If you don’t see this option, your Laptop doesn’t have this feature, and you’ll need to install the BIOS updates manually.

Method 2: WinFlash

  1. Download the most recent BIOS to your Windows desktop for easier usage. To locate and download the BIOS, follow these steps: Open the Lenovo support website (support.lenovo.com).
  2. Enter the system machine type or product name. On the product page, click Drivers & Software. Filter by BIOS/UEFI, and choose the corresponding OS information.
  3. Follow the instructions in the readme file to download and install the BIOS. Right-click on the BIOS flash package and select Run as administrator.
  4. A self-extracting window will appear on Windows, and you should click the Install button. Then click on the Flash BIOS button. A caution screen will appear to notify users to connect the system’s power outlet and supply additional flash information.
  5. Select the OK button. The BIOS update flashing program will automatically run. Please wait until the BIOS update flashing program has finished installation. When the BIOS update is completed, your computer reboots automatically.
See also  How To Fix Multiple Vulnerabilities In Multiple NETGEAR Products

Method 3: Update BIOS From Windows

Updating BIOS from Windows is simple and straight. Steps to update system BIOS in Lenovo Laptops:

  1. Visit the official Lenovo website and download the BIOS update file.
  2. Extract the downloaded file to a folder on your computer.
  3. Double-click on the extracted BIOS file to launch the update process.
  4. Follow the on-screen instructions to complete the BIOS update process.
  5. Restart your computer and check if the BIOS update is successful.

 

See Also How To Set Up A Certificate Authority On Ubuntu Using OpenSSL?

These are the steps to update the system BIOS in Lenovo Laptops. Following these steps should help you update your BIOS successfully. In case you face any issues, please reach out to the Lenovo support team for assistance.

List Of Lenovo Laptops Vulnerable To CVE-2022-1890, CVE-2022-1891, And CVE-2022-1892:

Lenovo has verified its Laptop modules and published the vulnerable models in its advisory report. Please don’t miss seeing the list from here. Click here for a complete list of all Lenovo Product Security Advisories.

Product Component CVE-2022-1890 CVE-2022-1891 CVE-2022-1892
100e 2nd Gen Notebook (Lenovo) (Type 82GJ) BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) Not Affected Not Affected FRCN23WW
100w Gen 3 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 Not Affected Not Affected GACN38WW
13w Yoga (Type 82S1, 82S2) Laptop (Lenovo) BIOS Update Utility for Windows 11 (Version 21H2 or later), 10 (Version 21H2 or later) – Lenovo 13w Yoga (Type 82S1, 82S2) Not Affected Not Affected JACN31WW
14W Gen 2 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 14W Gen 2 Not Affected Not Affected H0CN21WW
300e 2nd Gen Notebook (Lenovo) (Type 82GK) BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) Not Affected Not Affected FRCN23WW
300w Gen 3 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 Not Affected Not Affected GACN38WW
500w Gen 3 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 500w Gen 3 Not Affected Not Affected G6CN40WW
730S-13IML Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML Not Affected Not Affected BRCN20WW
Flex 3-11ADA05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 3-11ADA05 Not Affected Not Affected FPCN26WW
Flex 5-14ALC05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 Not Affected Not Affected GJCN27WW
Flex 5-14ARE05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 5-14ARE05 Not Affected Not Affected EECN39WW
Flex 5-14IIL05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 Not Affected Not Affected ECCN40WW
Flex 5-14ITL05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 Not Affected Not Affected FXCN38WW
Flex 5-15ALC05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 Not Affected Not Affected GJCN27WW
Flex 5-15IIL05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 Not Affected Not Affected ECCN40WW
Flex 5-15ITL05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 Not Affected Not Affected FXCN38WW
IdeaPad 1-11ADA05 Laptop BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 Not Affected Not Affected FQCN26WW
IdeaPad 1-11IGL05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 Not Affected Not Affected DWCN24WW
IdeaPad 1-14ADA05 Laptop BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 Not Affected Not Affected FQCN26WW
IdeaPad 1-14IGL05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 Not Affected Not Affected DWCN24WW
IdeaPad 3 15ADA05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 Not Affected Not Affected E8CN36WW
IdeaPad 3-14ADA05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 Not Affected Not Affected E8CN36WW
IdeaPad 3-14ADA6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 Not Affected Not Affected HBCN24WW
IdeaPad 3-14ALC6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC Not Affected Not Affected GLCN48WW
IdeaPad 3-15ADA6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 Not Affected Not Affected HBCN24WW
IdeaPad 3-15ALC6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC Not Affected Not Affected GLCN48WW
IdeaPad 3-17ADA05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 Not Affected Not Affected E8CN36WW
IdeaPad 3-17ADA6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 Not Affected Not Affected HBCN24WW
IdeaPad 3-17ALC6 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC Not Affected Not Affected GLCN48WW
IdeaPad 5 15ABA7 BIOS Update for Windows 11 (64-bit) – IdeaPad 5 15ABA7 Not Affected Not Affected KACN14WW
IdeaPad Flex 5 14ALC7 Laptop BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 Not Affected Not Affected JCCN29WW
IdeaPad Flex 5 16ALC7 BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 Not Affected Not Affected JCCN29WW
Legion S7-15ACH6 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Legion S7-15ACH6 Not Affected Not Affected HACN37WW
Legion S7-15ARH5 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – Legion S7-15ARH5 Not Affected Not Affected G1CN27WW
Legion S7-15IMH5 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – Legion S7-15IMH5 Not Affected Not Affected FDCN40WW
S145-14API Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API Not Affected Not Affected BUCN33WW
S145-14AST Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST Not Affected Not Affected AYCN28WW
S145-15API Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API Not Affected Not Affected BUCN33WW
S145-15AST Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API Not Affected Not Affected BUCN33WW
S145-15AST Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST Not Affected Not Affected AYCN28WW
S540-13API Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – S540-13API Not Affected Not Affected CXCN36WW
S940-14IIL Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL Not Affected Not Affected BQCN34WW
Slim 1-11AST-05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 Not Affected Not Affected CWCN25WW
Slim 1-14AST-05 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 Not Affected Not Affected CWCN25WW
ThinkBook 13s G2 ARE Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 13s G2 ARE Not Affected Not Affected FVCN24WW
ThinkBook 13s G2 ITL Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL Not Affected Not Affected F9CN50WW
ThinkBook 13s G3 ACN Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G3 ACN Not Affected Not Affected GMCN29WW
ThinkBook 13s-IML Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML Not Affected Not Affected CQCN37WW
ThinkBook 14-IIL Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL DJCN28WW DJCN28WW DJCN28WW
ThinkBook 14-IML Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML CJCN38WW CJCN38WW CJCN38WW
ThinkBook 14p G2 ACH Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 14p G2 ACH Not Affected Not Affected GWCN41WW
ThinkBook 14s G2 ITL Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL Not Affected Not Affected F9CN50WW
ThinkBook 14s-IML Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML Not Affected Not Affected CQCN37WW
ThinkBook 15-IIL Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL DJCN28WW DJCN28WW DJCN28WW
ThinkBook 15-IML Laptop BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML CJCN38WW CJCN38WW CJCN38WW
ThinkBook 16p G2 ACH Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 16p G2 ACH Not Affected Not Affected GXCN42WW
V130-15IKB Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – V130-15IKB Not Affected Not Affected 8VCN31WW
V14 G2-ALC Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC Not Affected Not Affected GLCN48WW
V14-ADA Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 Not Affected Not Affected E8CN36WW
V15 G2-ALC Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC Not Affected Not Affected GLCN48WW
V15-ADA Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 Not Affected Not Affected E8CN36WW
Yoga 9-15IMH5 Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga 9-15IMH5 Not Affected Not Affected EPCN28WW
Yoga C640-13IML LTE Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE CHCN28WW CHCN28WW CHCN28WW
Yoga C640-13IML Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE CHCN28WW CHCN28WW CHCN28WW
Yoga C940-15IRH Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga C940-15IRH Not Affected Not Affected BSCN37WW
Yoga S730-13IML Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML Not Affected Not Affected BRCN20WW
Yoga S940-14IIL Laptop (Lenovo) BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL Not Affected Not Affected BQCN34WW
Yoga Slim 7 Pro-14ACH5 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O Not Affected Not Affected GZCN29WW
Yoga Slim 7 Pro-14ACH5 O Laptop (ideapad) BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O Not Affected Not Affected GZCN29WW
Yoga Slim 7 Pro-14ARH5 Laptop (ideapad) BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 Pro-14ARH5 Not Affected Not Affected G7CN24WW
ideapad 5-15ALC05 Laptop BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 5-15ALC05 Not Affected Not Affected H2CN27WW

Leave a Reply

Your email address will not be published. Required fields are marked *