Lenovo has released BIOS updates that fix multiple security flaws across a large number of its devices. These issues have left users open to risks such as information disclosure, privilege escalation, and denial of service. Users who own one or more of the affected Lenovo devices should update their BIOS right away.
The BIOS updates address the following CVEs (Common Vulnerabilities and Exposures identifiers):
- CVE-2021-28216
- CVE-2022-40134
- CVE-2022-40135
- CVE-2022-40136
- CVE-2022-40137
There are also security enhancements released by AMI (for AMI BIOS), but no CVE details are available for those.
If you're not familiar with CVE identifiers, in short, the above CVEs indicate that the affected devices are vulnerable to attackers who gain local access and elevated privileges, which can allow them to execute arbitrary code and read SMM (System Management Mode) memory.
The issues affect hundreds of devices from Lenovo's consumer and business product lines, including Lenovo Notebook (IdeaPad, Yoga, Flex, ThinkBook, etc.), ThinkPad, Desktop, All in One PCs, Smart Office, Hyperscale, ThinkServer, ThinkStation, ThinkSystem, ThinkAgile, and Storage devices.
A list of affected products and additional details are available on Lenovo's support website.
How to update your BIOS to protect yourself
Lenovo has rated this as a high severity security risk, so if you own one of the vulnerable products, you should update your BIOS as soon as possible. Follow the steps below to update the BIOS of your device:
- Go to Lenovo’s support website (you can simply use the above link)
- Search your device using its name or machine type
- Select “Driver & Software” from the menu on the left
- Select “Manual Update” and find the latest BIOS by component type
- Confirm that the version you are installing contains the fix by checking it against the list provided by the company (available on the link mentioned above)
While updating your BIOS, do not turn off your device(s), as interrupting the update may brick them. Once you've installed the correct version, these security risks will be eliminated.
Via: Techradar