Lenovo PC/Laptop Flaws Enable Attackers to Run Arbitrary Code
Lenovo has published a security advisory disclosing a set of BIOS vulnerabilities that originate with two BIOS vendors. The possible impacts of these vulnerabilities are information disclosure and arbitrary code execution.
Lenovo rates the scope of impact for these vulnerabilities as "Industry-wide." In total, Lenovo reported 26 CVEs associated with the two BIOS vendors, all of which are rated High severity.
Summary of Vulnerabilities
CVE-2023-20594 and CVE-2023-20597 are memory leak vulnerabilities in the AMD DXE driver on AMD server, client desktop and mobile APUs and CPUs, which could allow a highly privileged user to read sensitive information.
CVE-2023-5075 exists in the BIOS of some Lenovo Notebook products and could allow a local threat actor to elevate privileges and execute arbitrary code. CVE-2023-5078 exists in the BIOS of some Lenovo ThinkPad products and could allow a threat actor with physical access to the system to escalate privileges and modify the BIOS firmware.
A privilege escalation vulnerability was reported in some Desktop, Smart Edge and ThinkStation products that could allow a local threat actor to elevate privileges and write to NVRAM variables. The CVEs for these products are:
- CVE-2023-25494
- CVE-2023-45075
- CVE-2023-45076
- CVE-2023-45077
- CVE-2023-45078
- CVE-2023-45079
Another privilege escalation vulnerability was found in the BIOS of some Lenovo Desktop products that could allow a local threat actor to elevate privileges and execute arbitrary code. The CVEs assigned to it are:
- CVE-2023-43567
- CVE-2023-4356
- CVE-2023-43569
- CVE-2023-43570
- CVE-2023-43571
- CVE-2023-43572
- CVE-2023-43573
- CVE-2023-43574
- CVE-2023-43575
- CVE-2023-43576
- CVE-2023-43577
- CVE-2023-43578
- CVE-2023-43579
- CVE-2023-43580
- CVE-2023-43581
Mitigation
To address these vulnerabilities, Lenovo strongly advises customers to update their system firmware to the latest version for their model, as listed in the product impact table of the advisory.
Applying the fixed firmware removes the vulnerable code and restores the expected security of the platform; no configuration workaround is offered in place of the update.
How to Download?
To download the fixed version for your product, follow these steps:
Navigate to the Drivers & Software support page for your product:
Support sites
Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
Step 1: Search for your product by name or machine type.
Step 2: Click Drivers & Software on the left menu panel.
Step 3: Click Manual Update to browse by Component type.
Step 4: Compare the minimum fixed version for your product from the applicable product table with the latest version posted on the support site, and confirm that the version installed on the system is at or above the minimum fixed version.
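The comparison in Step 4 is easy to get wrong across a fleet, because Lenovo firmware reports its version through DMI as an ID plus a parenthesised number (for example "N3AET65W (1.30 )") and some desktops report only the ID. The following Python script is an added example, not code from the article or from Lenovo: it reads the DMI fields on a Linux host, parses the version string, and checks it against a table of minimum fixed versions. The machine types and versions in the table, and the assumption that Lenovo's DMI product_name begins with the four-character machine type, are placeholders for illustration; take the real values from the product table in the advisory.

```python
"""Compare the BIOS version installed on a Lenovo system with the minimum fixed version.

Added example: this script is not from the article or from Lenovo. It automates
the Step 4 comparison on Linux by reading the DMI fields the firmware exposes
under /sys/class/dmi/id and checking them against a table of minimum fixed versions.
"""
import re
from pathlib import Path

# Constructed lookup table: machine type -> minimum fixed BIOS version.
# Both the machine types and the versions are placeholders for illustration;
# take the real values from the product table in Lenovo's advisory.
MIN_FIXED_VERSION = {
    "20XW": "1.40",  # hypothetical ThinkPad machine type
    "30E0": "2.10",  # hypothetical ThinkStation machine type
}

# Lenovo firmware usually reports its version as '<BIOS id> (<major>.<minor> )',
# e.g. 'N3AET65W (1.30 )'; the trailing space inside the parentheses is common.
_ID_AND_VERSION_RE = re.compile(
    r"^\s*(?P<bios_id>[A-Z0-9]+)\s*\(\s*(?P<version>\d+(?:\.\d+)*)\s*\)\s*$"
)
_ID_ONLY_RE = re.compile(r"^\s*(?P<bios_id>[A-Z0-9]+)\s*$")


def parse_lenovo_bios_version(raw):
    """Return (bios_id, version) for a Lenovo DMI BIOS version string.

    version is None when the firmware reports only an ID (some desktops do);
    an unrecognised string raises ValueError rather than being silently ignored.
    """
    m = _ID_AND_VERSION_RE.match(raw)
    if m:
        return m.group("bios_id"), m.group("version")
    m = _ID_ONLY_RE.match(raw)
    if m:
        return m.group("bios_id"), None
    raise ValueError(f"unrecognised BIOS version string: {raw!r}")


def compare_versions(installed, minimum):
    """Compare dotted numeric versions field by field; returns -1, 0 or 1."""
    a = [int(p) for p in installed.split(".")]
    b = [int(p) for p in minimum.split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # treat '1.4' as '1.4.0'
    b += [0] * (width - len(b))
    return (a > b) - (a < b)


def needs_update(machine_type, raw_bios_version, table=MIN_FIXED_VERSION):
    """True if the installed version is below the minimum fixed version,
    False if it is at or above it, None if the model is not in the table or
    the installed version cannot be determined from the DMI string."""
    minimum = table.get(machine_type)
    if minimum is None:
        return None
    _, installed = parse_lenovo_bios_version(raw_bios_version)
    if installed is None:
        return None
    return compare_versions(installed, minimum) < 0


def read_dmi_field(name):
    """Read one field from /sys/class/dmi/id; None if unavailable
    (non-Linux host, no DMI table, or insufficient permission)."""
    try:
        return (Path("/sys/class/dmi/id") / name).read_text().strip()
    except OSError:
        return None


def main():
    raw_version = read_dmi_field("bios_version")
    product_name = read_dmi_field("product_name")
    if raw_version is None or product_name is None:
        print("DMI information not available; read the BIOS version from the firmware setup screen instead.")
        return
    # Assumption: on Lenovo systems product_name carries the machine-type-model
    # string (e.g. '20XWCTO1WW'), whose first four characters are the machine type.
    machine_type = product_name[:4]
    verdict = needs_update(machine_type, raw_version)
    print(f"product {product_name!r}, BIOS {raw_version!r}")
    if verdict is None:
        print(f"machine type {machine_type} not in the table or version not parseable; check the advisory manually")
    elif verdict:
        print(f"BIOS is below the minimum fixed version {MIN_FIXED_VERSION[machine_type]}: update required")
    else:
        print("BIOS is at or above the minimum fixed version")


if __name__ == "__main__":
    main()
```

The comparison is numeric per field, so "1.30" is treated as lower than "1.40" and "1.4" is treated as equal to "1.4.0"; it does not try to order the alphanumeric BIOS IDs, which is why a desktop that reports only an ID falls back to a manual check. On Windows the same DMI string is available from PowerShell as `(Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion` and can be fed to the same parser.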
Affected Products
Products affected by these vulnerabilities include:
- Desktop
- Desktop – All in One
- Hyperscale
- Lenovo Notebook
- Smart Edge
- Smart Office
- Storage
- ThinkAgile
- ThinkEdge
- ThinkPad
- ThinkServer
- ThinkStation
- ThinkSystem
Users of these products are advised to update to the latest firmware version for their product to fix these vulnerabilities.
Source credit : cybersecuritynews.com