Lenovo has issued a security alert for three vulnerabilities in its UEFI firmware. The vulnerabilities are believed to affect over 70 of the manufacturer's notebooks. The security flaws were identified by ESET security experts. The first updates are now available.
“HTMOBIOS Vulnerabilities” is the latest security advisory report. It lists the three security flaws CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892. The report also recommends that affected users update their UEFI firmware immediately.
More than 70 models are at risk from vulnerabilities
The manufacturer has published a list of more than 70 affected models along with the firmware. These vulnerabilities allow local attackers to execute malicious code during the system’s initial boot phase. This is similar to the Born website. Many Yoga, ThinkPad and IdeaPad notebooks are vulnerable to attack.
- CVE-2022-1890: A buffer overflow in the ReadyBootDxe driver on some Lenovo notebooks could allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1891: An attacker with local privileges could execute arbitrary code by exploiting a buffer overflow in the SystemLoadDefaultDxe driver in certain Lenovo notebook products.
- CVE-2022-1892: An attacker with local privileges could execute arbitrary code by exploiting a buffer overflow in the SystemBootManagerDxe driver in certain Lenovo notebook products.
Lenovo’s security report links directly to the relevant firmware updates for the affected models. ESET security experts share more information about the security holes on Twitter.