Lenovo PC/Laptop Flaws Enable Attackers to Run Arbitrary Code


Lenovo has disclosed multiple BIOS security vulnerabilities affecting several vendors in a new security advisory. The potential impacts of these vulnerabilities are information disclosure and arbitrary code execution across BIOS from multiple vendors.

Moreover, the scope of impact for these vulnerabilities is given as “Industry-wide.” Lenovo reported 26 CVEs associated with multiple BIOS vendors, all of which have been classified with a severity of High.


Summary of Vulnerabilities

CVE-2023-20594 and CVE-2023-20597 are AMD vulnerabilities: memory leaks in an AMD DXE driver in server, client desktop and mobile APUs and CPUs, which could allow a highly privileged user to retrieve sensitive information.



CVE-2023-5075 exists in the BIOS of some Lenovo Notebook products and could allow a local threat actor to elevate their privileges and execute arbitrary code. CVE-2023-5078 exists in the BIOS of some Lenovo ThinkPad products and could allow a threat actor with physical access to the system to escalate their privileges and modify the BIOS firmware.

Desktop, Smart Edge and ThinkStation products were reported with a privilege escalation vulnerability that could allow a local threat actor to elevate their privileges and write to NVRAM variables. The CVEs for these products are CVE-2023-25494, CVE-2023-45075, CVE-2023-45076, CVE-2023-45077, CVE-2023-45078 and CVE-2023-45079.

Another privilege escalation vulnerability was discovered in the BIOS of some Lenovo Desktop products, which could allow a local threat actor to elevate their privileges and execute arbitrary code. It was assigned the CVEs CVE-2023-43567, CVE-2023-43568, CVE-2023-43569, CVE-2023-43570, CVE-2023-43571, CVE-2023-43572, CVE-2023-43573, CVE-2023-43574, CVE-2023-43575, CVE-2023-43576, CVE-2023-43577, CVE-2023-43578, CVE-2023-43579, CVE-2023-43580 and CVE-2023-43581.

Mitigation

To enhance the security of the affected products, Lenovo strongly advises users to upgrade their system firmware to the most recent version for their model, as listed in the product impact list.

This will effectively address the potential vulnerabilities and ensure a safer and more reliable user experience.

How to download?

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  • Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  • Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  • IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/

Step 1: Search for your product by name or machine type.
Step 2: Click Drivers & Software on the left menu panel.
Step 3: Click on Manual Update to browse by Component type.
Step 4: Compare the minimum fixed version for your product from the applicable product table with the latest version posted on the support site.
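Step 4 is the part that scales badly across a fleet: comparing the installed BIOS version of each machine against the minimum fixed version in the advisory's product table. The following script is an added example (not Lenovo's tooling and not from the advisory) that automates that comparison. It assumes version strings shaped like those Lenovo firmware reports (for example "N2HET68W (1.51 )" on ThinkPad or "M2CKT27A" on desktops), reads the installed version from Linux sysfs DMI fields where available, and uses a placeholder minimum-version table that you must fill in from the advisory's product impact list; the model names and versions in it are constructed for illustration.

```python
"""Compare the installed BIOS version against a per-model minimum fixed version.

Added example, not part of the Lenovo advisory or the article it summarises.
The MIN_FIXED_VERSION table is a PLACEHOLDER: populate it from the advisory's
product impact list. Version-string shapes ("N2HET68W (1.51 )", "M2CKT27A")
are an assumption about Lenovo firmware naming, not a documented format.
"""
import re
from pathlib import Path

# Placeholder table: product name -> minimum fixed BIOS version.
# Model names and versions are CONSTRUCTED; replace with values from the advisory.
MIN_FIXED_VERSION = {
    "EXAMPLE-THINKPAD-MODEL": "N2HET70W (1.53 )",
    "EXAMPLE-DESKTOP-MODEL": "M2CKT30A",
}


def version_key(version: str) -> tuple:
    """Reduce a BIOS version string to a tuple of its integer runs.

    "N2HET68W (1.51 )" -> (2, 68, 1, 51); "M2CKT27A" -> (2, 27).
    The ordering is only meaningful between versions of the same platform
    code, which check_firmware() verifies first.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def platform_code(version: str) -> str:
    """Heuristic platform identity: the version string with digits, whitespace
    and any parenthesised suffix removed, e.g. "N2HET68W (1.51 )" -> "NHETW"."""
    return re.sub(r"\d|\s|\(.*\)", "", version)


def read_dmi(field: str, fallback: str) -> str:
    """Read a DMI field from Linux sysfs; return the fallback elsewhere."""
    path = Path("/sys/class/dmi/id") / field
    try:
        return path.read_text().strip()
    except OSError:
        return fallback


def check_firmware(product: str, installed: str, table=MIN_FIXED_VERSION) -> dict:
    """Return a status record for one machine.

    status is one of: ok, outdated, unknown-model, platform-mismatch.
    A platform mismatch means the installed string does not look like the
    same firmware family as the table entry, so the numbers are not comparable
    and a human should look at it rather than trust an automatic verdict.
    """
    record = {"product": product, "installed": installed}
    required = table.get(product)
    if required is None:
        record["status"] = "unknown-model"
        return record
    record["required"] = required
    if platform_code(required) != platform_code(installed):
        record["status"] = "platform-mismatch"
        return record
    record["status"] = (
        "ok" if version_key(installed) >= version_key(required) else "outdated"
    )
    return record


if __name__ == "__main__":
    # On a Linux host these come from DMI; elsewhere the constructed fallbacks are used.
    product = read_dmi("product_name", "EXAMPLE-THINKPAD-MODEL")
    installed = read_dmi("bios_version", "N2HET68W (1.51 )")
    print(check_firmware(product, installed))
```

Run it on each host from your inventory tooling and treat anything other than "ok" as a finding: "outdated" goes to the patch queue, while "unknown-model" and "platform-mismatch" mean the table needs a correct entry before the verdict can be trusted.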

Affected Products

Products affected by these vulnerabilities include:

  • Desktop
  • Desktop – All in One
  • Hyperscale
  • Lenovo Notebook
  • Smart Edge
  • Smart Office
  • Storage
  • ThinkAgile
  • ThinkEdge
  • ThinkPad
  • ThinkServer
  • ThinkStation
  • ThinkSystem

Users of these products are recommended to upgrade to the latest versions based on their product to fix these vulnerabilities.
