On Tuesday, consumer electronics manufacturer Lenovo released updates that patch three security flaws that had been discovered in the UEFI firmware of over seventy different product models.
Slovak cybersecurity firm ESET stated in a series of tweets that the vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features. "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot," ESET said.
All three bugs, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, are related to buffer overflow vulnerabilities. According to Lenovo, these vulnerabilities can cause privilege escalation on systems that are affected by them. Martin Smolár, an employee at ESET, is credited with discovering and reporting the vulnerabilities.
The bugs are caused by inadequate validation of an NVRAM variable called "DataSize" in three different drivers: ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe. This insufficient validation results in a buffer overflow, which can be exploited to execute arbitrary code.
Since the beginning of the year, Lenovo has taken action to address UEFI security vulnerabilities on two separate occasions, the most recent being today. In April, the company patched three vulnerabilities (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) that could have been exploited by malicious actors to install and run firmware implants. These vulnerabilities were also discovered by Smolár.
Users of affected devices are strongly encouraged to upgrade the firmware on their devices to the most recent version in order to protect themselves from any potential dangers.
Post a Comment
Your suggestions and comments are welcome