Vulnerability Management, Supply chain

BIOS code execution flaws addressed by Lenovo

Lenovo has issued fixes for three BIOS security vulnerabilities impacting more than 70 laptop models, one of which, tracked as CVE-2022-1892, affects all devices, according to SecurityWeek. Threat actors could exploit the flaws to execute arbitrary code in early platform boot phases, enable operation system execution flow hijacking, and deactivate security features, said researchers from ESET, who discovered the bugs. "These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call," said researchers. Aside from the aforementioned bugs, Lenovo also warned about the speculative Retbleed attacks that could affect devices using Intel and AMD processors. An advisory was also released detailing security flaws impacting Lenovo products with the XClarity Controller server management engine. Attackers could leverage such flaws to facilitate a denial-of-service condition, said Lenovo.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.