It is never a good day for a company to discover that it has security vulnerabilities, especially in laptops. Lenovo ones, to be precise. The good news is that the PC manufacturer has already issued security updates for the affected Windows 10 and 11 laptops.
According to researchers at the security company ESET, more than a dozen Lenovo notebooks were found to ship with vulnerable UEFI firmware. The flaws let an attacker who already has elevated privileges on the machine change Secure Boot settings, which opens the door to installing malicious software that Secure Boot is meant to block.
Thankfully, Lenovo has published a security advisory about the vulnerabilities and how they work:
The following vulnerabilities were reported in Lenovo Notebook BIOS.
CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
The steps to take for the affected products are as follows:
1. Navigate to the Drivers & Software support site for your product:
   - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
   - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
   - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
2. Search for your product by name or machine type.
3. Click Drivers & Software on the left menu panel.
4. Click on Manual Update to browse by Component type.
5. Compare the minimum fix version for your product from the applicable product table in the advisory with the latest version posted on the support site.
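The comparison in the last step can be done on the machine itself from an elevated PowerShell session. This is an added example written for this article, not a script Lenovo provides; the fix-version table entry is a placeholder to be filled from the advisory's product table, and reading the model name from Win32_ComputerSystemProduct.Version is an assumption about how Lenovo populates SMBIOS.

```powershell
# Added example (not from the article or from Lenovo): collect the data needed to
# compare a Lenovo notebook against the advisory's minimum fix version, and
# confirm that Secure Boot is actually enforced right now.
# Run in an elevated PowerShell session on Windows 10/11.

# Placeholder table: model name -> minimum fixed BIOS version from the advisory.
# Real values must come from Lenovo's product table; this entry is an assumption.
$MinimumFixVersion = @{
    'EXAMPLE-MODEL-A' = 'EXAMPLE_MIN_VERSION'  # placeholder, not a real entry
}

$product = Get-CimInstance -ClassName Win32_ComputerSystemProduct
$bios    = Get-CimInstance -ClassName Win32_BIOS

$model   = $product.Version        # assumption: Lenovo puts the marketing name here
$biosVer = $bios.SMBIOSBIOSVersion  # e.g. a Lenovo BIOS ID string

Write-Host "Manufacturer : $($bios.Manufacturer)"
Write-Host "Model        : $model"
Write-Host "BIOS version : $biosVer (released $($bios.ReleaseDate))"

# Secure Boot state as reported by the firmware. Confirm-SecureBootUEFI throws on
# legacy-BIOS machines and on non-UEFI boots, so handle that case explicitly.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null
}
switch ($secureBoot) {
    $true   { Write-Host 'Secure Boot  : enabled' }
    $false  { Write-Warning 'Secure Boot is DISABLED; check firmware settings and investigate why.' }
    default { Write-Warning 'Secure Boot state unavailable (legacy boot or not a UEFI system).' }
}

# Compare against the advisory's minimum fix version if this model is in the table.
# Assumption: same-format Lenovo BIOS IDs can be ordered by plain string comparison.
if ($MinimumFixVersion.ContainsKey($model)) {
    $minimum = $MinimumFixVersion[$model]
    if ($biosVer -lt $minimum) {
        Write-Warning "BIOS $biosVer is below the minimum fixed version $minimum. Update the firmware."
    } else {
        Write-Host "BIOS $biosVer meets or exceeds the minimum fixed version $minimum."
    }
} else {
    Write-Host "Model '$model' is not in the local fix table; compare manually against the advisory."
}
```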
The downside is that CVE-2022-3432 will not be patched for the Ideapad Y700-14ISK, because Lenovo no longer supports this out-of-date notebook. Owners of any other affected Lenovo laptop should update their UEFI firmware as soon as possible. The longer you wait to fix these issues, the longer you remain exposed to malicious actors.