New Lenovo Notebook Models Affected By UEFI Firmware Vulnerabilities
Three vulnerabilities have been discovered in the UEFI firmware of several Lenovo notebooks.
Tracked as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432, the flaws were found by security researchers at ESET and affect various Lenovo Yoga, IdeaPad and ThinkBook devices.
The first, CVE-2022-3430, is a flaw in the WMI Setup driver that may allow an attacker with elevated privileges to modify Secure Boot settings by changing a non-volatile random access memory (NVRAM) variable.
CVE-2022-3431 and CVE-2022-3432, on the other hand, are vulnerabilities in a driver that was mistakenly left active after the manufacturing process; they may likewise allow an attacker with elevated privileges to modify Secure Boot settings by changing an NVRAM variable.
“While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders […] to bypass Secure Boot while keeping it enabled,” the company wrote in a series of Twitter posts.
“As in our previous discovery […], current vulnerabilities weren’t caused by flaws in the code. The affected drivers were meant to be used only during the manufacturing process but were mistakenly included in the production.”
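Both outcomes ESET describes, Secure Boot switched off through a variable write, or a dbx rolled back to the small factory default set so that already revoked bootloaders load again, are visible from the running OS. The following is an added example, not code from ESET, Lenovo or the article: on Linux it reads the SecureBoot, SetupMode and dbx variables from efivarfs and parses dbx as concatenated EFI_SIGNATURE_LIST structures (the layout and the EFI_GLOBAL_VARIABLE, EFI_IMAGE_SECURITY_DATABASE and EFI_CERT_SHA256 GUIDs are from the UEFI specification) so the number of revoked entries can be compared with a known-good baseline. The baseline value and the sample dbx used when efivarfs is absent are constructed for the example.

```python
"""Host-side check for Secure Boot state and a rolled-back dbx (added example)."""
from __future__ import annotations

import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Vendor GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 16 + 4 + 4 + 4  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize


def read_efivar(name: str, guid: str, base: Path = EFIVARS) -> bytes | None:
    """Return a variable's data; efivarfs prefixes each file with 4 attribute bytes."""
    path = base / f"{name}-{guid}"
    if not path.is_file():
        return None
    return path.read_bytes()[4:]


def parse_signature_lists(data: bytes) -> list[tuple[uuid.UUID, int]]:
    """Split a db/dbx blob into (SignatureType, number of entries) per EFI_SIGNATURE_LIST."""
    lists: list[tuple[uuid.UUID, int]] = []
    off = 0
    while off < len(data):
        if off + SIG_LIST_HDR > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - SIG_LIST_HDR - hdr_size
        if list_size < SIG_LIST_HDR or sig_size == 0 or body < 0 or body % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if off + list_size > len(data):
            raise ValueError(f"EFI_SIGNATURE_LIST at offset {off} runs past end of data")
        lists.append((sig_type, body // sig_size))
        off += list_size
    return lists


def build_sha256_list(hashes: list[bytes]) -> bytes:
    """Build one EFI_CERT_SHA256 signature list; each entry is SignatureOwner GUID + 32-byte hash."""
    owner = uuid.UUID(int=0).bytes_le  # SignatureOwner, any GUID will do here
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIG_LIST_HDR + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner + h for h in hashes)


# Constructed sample: a tiny dbx with three revoked hashes, used in place of
# efivarfs when this runs on a host without UEFI variables.
SAMPLE_DBX = build_sha256_list(
    [hashlib.sha256(f"revoked-image-{i}".encode()).digest() for i in range(3)])


def assess(secure_boot: bytes | None, setup_mode: bytes | None,
           dbx: bytes | None, expected_dbx_entries: int) -> dict:
    """Flag Secure Boot off, Setup Mode on, or a dbx smaller than the baseline."""
    sb_on = bool(secure_boot) and secure_boot[0] == 1
    setup = bool(setup_mode) and setup_mode[0] == 1
    entries = sum(n for _, n in parse_signature_lists(dbx)) if dbx else 0
    findings = []
    if not sb_on:
        findings.append("Secure Boot is disabled")
    if setup:
        findings.append("firmware is in Setup Mode: keys can be replaced without authentication")
    if entries < expected_dbx_entries:
        findings.append(f"dbx holds {entries} entries, baseline is {expected_dbx_entries}: "
                        "possible rollback to a factory default dbx")
    return {"secure_boot": sb_on, "setup_mode": setup,
            "dbx_entries": entries, "findings": findings}


if __name__ == "__main__":
    # Baseline assumption: record this from a known-good machine right after
    # applying the current firmware and dbx update; 3 only matches the sample.
    BASELINE_DBX_ENTRIES = 3
    if EFIVARS.is_dir():
        result = assess(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE),
                        read_efivar("SetupMode", EFI_GLOBAL_VARIABLE),
                        read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE),
                        BASELINE_DBX_ENTRIES)
    else:
        result = assess(b"\x01", b"\x00", SAMPLE_DBX, BASELINE_DBX_ENTRIES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The quick equivalent on a Linux box is `mokutil --sb-state` for the first check, but the dbx comparison needs the parsed entry count. Because the attacker in these advisories already holds elevated privileges on the same OS, treat a passing result as necessary rather than sufficient: take the baseline from a clean machine, and where a TPM is present cross-check against the measured boot log rather than trusting the variables alone.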
ESET has confirmed it reported the flaws to Lenovo, which promptly released fixes for most of the affected devices.
“For those using one of the affected devices, we highly recommend updating to the latest firmware version. To see if you are affected by these vulnerabilities and for the firmware update instructions, visit Lenovo Advisory,” ESET added.
The advisory details mitigations for all three vulnerabilities but notes that, for CVE-2022-3432, the IdeaPad Y700-14ISK has reached end of development support and will not receive a fix.
“Lenovo recommends customers adopt secure computing practices, including active system lifecycle management,” the company wrote.
The advisory comes weeks after Intel confirmed the leak of its Alder Lake BIOS/UEFI source code, which had apparently been posted on 4chan and GitHub.