In a security alert, Lenovo has revealed that more than 70 of its laptop models are vulnerable to a UEFI/BIOS bug that could result in arbitrary code execution.


Three buffer overflow vulnerabilities were found by researchers at the cybersecurity company ESET.


According to ESET’s tweet, the flaws can be used to execute arbitrary code during the platform boot process, giving attackers the potential to control the OS execution flow and disable crucial security mechanisms.

“Insufficient validation of the DataSize parameter given to the UEFI Runtime Services method GetVariable was the root cause of these vulnerabilities. A particularly constructed NVRAM variable might be created by an attacker, leading to a buffer overflow of the Data buffer in the second GetVariable call,” it continued.
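The two-call GetVariable pattern ESET describes, as an added example that is not ESET's or Lenovo's code: a constructed stand-in for the GetVariable contract, a reader that feeds the DataSize reported by the first call straight into the second call, and a reader that checks that size against the buffer it actually has. The mock store, the 32-byte buffer and the canary are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for UEFI GetVariable(): with a too-small DataSize it
 * reports the size needed; otherwise it copies the stored bytes. */
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5

static uint8_t g_nvram[64];       /* constructed NVRAM variable contents (zeros) */
static size_t  g_nvram_len = 48;  /* variable size, changeable by the test */

static void set_nvram_len(size_t n) {
    g_nvram_len = n > sizeof g_nvram ? sizeof g_nvram : n;
}

static int mock_get_variable(size_t *data_size, uint8_t *data) {
    if (data == NULL || *data_size < g_nvram_len) {
        *data_size = g_nvram_len;   /* tell the caller how much it needs */
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, g_nvram, g_nvram_len);
    *data_size = g_nvram_len;
    return EFI_SUCCESS;
}

/* Caller-side frame: a 32-byte Data buffer followed by a canary that reveals
 * writes past its end. 'data' is first, so &f is the buffer's address. */
#define DATA_CAP 32
#define CANARY   0xDEADBEEFu
struct frame { uint8_t data[DATA_CAP]; uint32_t canary; uint8_t slack[64]; };

/* Vulnerable pattern: the size returned by the probe call is passed to the
 * second call without checking it against the real buffer size. */
static int read_unchecked(void) {
    struct frame f = { {0}, CANARY, {0} };
    size_t size = 0;
    if (mock_get_variable(&size, NULL) == EFI_BUFFER_TOO_SMALL)
        mock_get_variable(&size, (uint8_t *)&f);  /* writes 'size' bytes into 32 */
    return f.canary == CANARY;  /* 1 if the buffer held, 0 if it overflowed */
}

/* Hardened pattern: a variable larger than the buffer is rejected, and the
 * second call is bounded by the buffer's capacity, not by the reported size. */
static int read_checked(void) {
    struct frame f = { {0}, CANARY, {0} };
    size_t size = 0;
    int st = mock_get_variable(&size, NULL);
    if (st == EFI_BUFFER_TOO_SMALL && size > DATA_CAP) return -1;  /* reject */
    size = DATA_CAP;
    mock_get_variable(&size, (uint8_t *)&f);
    return f.canary == CANARY;
}
```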

Lenovo has also warned users about Retbleed, a new speculative execution exploit affecting devices with Intel and AMD CPUs.


In a separate advisory, the company has also addressed a couple of vulnerabilities affecting numerous products that use the XClarity Controller server management engine. These bugs could allow authorized users to disrupt services or establish unauthorized connections to internal ones.

Firmware flaws are common. While some are specific to a single vendor's products, researchers have also found vulnerabilities in third-party components shared by numerous manufacturers.

For instance, the InsydeH2O UEFI firmware code is utilized by more than 25 vendors, such as HP, Lenovo, Fujitsu, Microsoft, Intel, Dell, Bull, and Siemens, and has recently been shown to include over two dozen vulnerabilities.

Even though Insyde Software, the company that makes InsydeH2O, patched the vulnerabilities as soon as Binarly contacted it, it may take some time for the fixes to be adopted by manufacturers and reach millions of end users. The manufacturer of the modular and upgradeable Framework laptops, for example, only recently told customers that fixes for these problems exist.

If you own a Lenovo laptop, go ahead and check if your device model is listed among the 70 affected models using this link.
