Martin Smolár, a security researcher from ESET, has disclosed three buffer overflow vulnerabilities in Lenovo BIOS. The vulnerabilities affect multiple Lenovo notebook devices, including several ThinkBook models, leaving millions of laptops exposed. They enable adversaries to hijack the OS execution flow and disable important security features on the affected devices, which allows threat actors to achieve arbitrary code execution in the early phases of platform boot. It is highly important for all Lenovo laptop owners to be aware of these three buffer overflow vulnerabilities. We created this post to explain how to fix these three buffer overflow vulnerabilities in Lenovo BIOS.
This is the second such advisory the vendor has published since the beginning of the year. The first set of three vulnerabilities Lenovo fixed, CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, enable adversaries to deploy and execute malicious firmware on the affected devices.
Sometimes you may get confused between UEFI and BIOS. Here is a short note that explains the difference between UEFI and BIOS in simple words.
UEFI stands for Unified Extensible Firmware Interface. It is essentially a software program that sits on top of your computer’s hardware and provides the interface between the operating system and the hardware. UEFI is the successor to BIOS, offering a more modern interface as well as additional features and capabilities.
BIOS, on the other hand, stands for Basic Input/Output System. It is firmware stored in a ROM chip that holds information about your computer’s hardware and how it should be configured. The BIOS is responsible for booting up your computer, and it generally does not offer as many features or capabilities as UEFI.
So UEFI is the more modern successor to BIOS, with additional features and capabilities. It is not required on all computers, but it is becoming more common. If your computer has UEFI, you will likely see a UEFI setup menu when you start the computer that allows you to change UEFI settings.
On July 13, 2022, Martin Smolár, a security researcher at ESET, tweeted about the three flaws ESET had reported to the PC manufacturer. The following is a summary of the three buffer overflow vulnerabilities as outlined by Lenovo.
CVE-2022-1890: This is a buffer overflow vulnerability in the ReadyBootDxe driver in some Lenovo notebook models that would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to insufficient validation of an NVRAM variable called “DataSize” in the ReadyBootDxe driver, resulting in a buffer overflow.
CVE-2022-1891: This is a buffer overflow vulnerability in the SystemLoadDefaultDxe driver in some Lenovo notebook models that would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to insufficient validation of an NVRAM variable called “DataSize” in the SystemLoadDefaultDxe driver, resulting in a buffer overflow.
CVE-2022-1892: This is a buffer overflow vulnerability in the SystemBootManagerDxe driver in some Lenovo notebook models that would allow an attacker with local privileges to execute arbitrary code on the affected devices. The flaw is due to insufficient validation of an NVRAM variable called “DataSize” in the SystemBootManagerDxe driver, resulting in a buffer overflow.
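All three advisories describe the same class of defect: a size that comes back from NVRAM is used to size a copy into a fixed driver buffer, and a local administrator can write NVRAM variables, so that size is attacker-influenced. The C program below is an added illustration, not Lenovo's or ESET's code and not the source of ReadyBootDxe, SystemLoadDefaultDxe or SystemBootManagerDxe. It models the UEFI GetVariable() in/out DataSize contract with a small in-memory mock (MockGetVariable, the NvramVar store, the variable name BootSetting and the 16-byte setting layout are all constructed for this example) and places the unchecked pattern next to a hardened one that initialises DataSize from the destination buffer's real capacity and checks the returned status and size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a DXE driver reading a setting from NVRAM.
 * MockGetVariable() stands in for the UEFI Runtime Service GetVariable():
 * DataSize is in/out (caller's buffer size on entry, stored size on return)
 * and the service returns EFI_BUFFER_TOO_SMALL, copying nothing, when the
 * buffer cannot hold the stored data. NVRAM contents can be written by a
 * privileged OS process, so any size read back from NVRAM is untrusted. */

typedef enum {
    EFI_SUCCESS = 0,
    EFI_BUFFER_TOO_SMALL,
    EFI_NOT_FOUND,
    EFI_INVALID_PARAMETER
} EFI_STATUS;

typedef struct {
    const char    *name;  /* variable name (CHAR16 in real UEFI) */
    const uint8_t *data;  /* stored bytes */
    size_t         size;  /* stored size as recorded in NVRAM */
} NvramVar;

static EFI_STATUS MockGetVariable(const NvramVar *store, size_t count,
                                  const char *name, size_t *dataSize, void *data)
{
    if (name == NULL || dataSize == NULL)
        return EFI_INVALID_PARAMETER;
    for (size_t i = 0; i < count; i++) {
        if (strcmp(store[i].name, name) != 0)
            continue;
        if (data == NULL || *dataSize < store[i].size) {
            *dataSize = store[i].size;  /* report the required size */
            return EFI_BUFFER_TOO_SMALL;
        }
        memcpy(data, store[i].data, store[i].size);
        *dataSize = store[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

#define SETTING_SIZE 16u  /* fixed stack buffer the driver parses (constructed) */

/* VULNERABLE pattern: a zero-length probe call learns the stored size, and
 * that NVRAM-supplied DataSize is then used as the copy length into a fixed
 * 16-byte buffer with no comparison against SETTING_SIZE. An oversized
 * variable overflows the stack. Shown for contrast only. */
static EFI_STATUS LoadSettingUnchecked(const NvramVar *store, size_t count,
                                       uint8_t buf[SETTING_SIZE])
{
    size_t dataSize = 0;
    EFI_STATUS st = MockGetVariable(store, count, "BootSetting", &dataSize, NULL);
    if (st != EFI_BUFFER_TOO_SMALL)
        return st;
    /* BUG: dataSize is whatever NVRAM says; nothing bounds it to SETTING_SIZE. */
    return MockGetVariable(store, count, "BootSetting", &dataSize, buf);
}

/* HARDENED pattern: DataSize starts as the destination's real capacity, the
 * status is checked, and the returned size must equal the layout the driver
 * expects; anything else is rejected and the buffer is cleared. */
static EFI_STATUS LoadSettingChecked(const NvramVar *store, size_t count,
                                     uint8_t *buf, size_t bufSize, size_t expectedSize)
{
    if (buf == NULL || expectedSize > bufSize)
        return EFI_INVALID_PARAMETER;
    size_t dataSize = bufSize;  /* our capacity, not NVRAM's claim */
    EFI_STATUS st = MockGetVariable(store, count, "BootSetting", &dataSize, buf);
    if (st != EFI_SUCCESS)
        return st;              /* EFI_BUFFER_TOO_SMALL: oversized variable, nothing copied */
    if (dataSize != expectedSize) {
        memset(buf, 0, bufSize); /* malformed setting: do not act on partial data */
        return EFI_INVALID_PARAMETER;
    }
    return EFI_SUCCESS;
}

/* Constructed sample NVRAM contents: a well-formed 16-byte setting and an
 * oversized 64-byte one, as a local attacker could plant it. */
static const uint8_t kGoodData[SETTING_SIZE] =
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t kBigData[64] = { 0x41, 0x41, 0x41, 0x41 };
const NvramVar kGoodStore[1] = { { "BootSetting", kGoodData, SETTING_SIZE } };
const NvramVar kBadStore[1]  = { { "BootSetting", kBigData, sizeof kBigData } };

int main(void)
{
    uint8_t buf[SETTING_SIZE];
    EFI_STATUS ok  = LoadSettingChecked(kGoodStore, 1, buf, sizeof buf, SETTING_SIZE);
    EFI_STATUS bad = LoadSettingChecked(kBadStore, 1, buf, sizeof buf, SETTING_SIZE);
    printf("well-formed: status %d, oversized: status %d\n", ok, bad);
    return 0;
}
```

The hardened variant never lets NVRAM choose the copy length: the service is told how much room the driver actually has, an oversized variable is reported as EFI_BUFFER_TOO_SMALL with nothing written, and a variable of the wrong size is discarded rather than parsed. The same shape (capacity in, status and size checked out) is what a reviewer should look for at every GetVariable() call in a DXE driver.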
Upgrading the BIOS firmware is the best way to fix these vulnerabilities in Lenovo laptops. The BIOS can be updated in three different ways.
Update Lenovo drivers, BIOS, and applications using Lenovo System Update. Lenovo System Update is Lenovo's utility for updating laptop drivers and other software. It can also detect when a new BIOS version is available and install it automatically.
To check whether your Lenovo laptop has this feature, go to Start Menu > Control Panel > System and Security. Click “System” and then “Advanced system settings.” On the left panel, click “Advanced” and then “Update BIOS.”
If you see the “Update BIOS” option, your Lenovo laptop has the Lenovo System Update feature. If you don’t see it, your laptop doesn’t have this feature and you’ll need to install BIOS updates manually.
Download the most recent BIOS to your Windows desktop for easier use. To locate and download the BIOS, follow these steps:
Open the Lenovo support website (support.lenovo.com).
Enter the system machine type or product name.
On the product page, click Drivers & Software.
Filter by BIOS/UEFI and choose the corresponding OS information.
Follow the instructions in the readme file to download and install the BIOS.
Right-click the BIOS flash package and select Run as administrator.
A self-extracting window will appear on Windows; click the Install button, then click the Flash BIOS button. A caution screen will appear telling you to connect the system to a power outlet and giving additional flash information.
Select the OK button. The BIOS update flashing program runs automatically. Wait until it has finished. When the BIOS update is completed, your computer reboots automatically.
Updating the BIOS from Windows is simple and straightforward. Steps to update the system BIOS in Lenovo laptops:
Visit the official Lenovo website and download the BIOS update file.
Extract the downloaded file to a folder on your computer.
Double-click on the extracted BIOS file to launch the update process.
Follow the on-screen instructions to complete the BIOS update process.
Restart your computer and check if the BIOS update is successful.
These are the steps to update the system BIOS in Lenovo laptops. Following them should help you update your BIOS successfully. If you face any issues, please reach out to the Lenovo support team for assistance.
Lenovo has verified its laptop models and published the vulnerable ones in its advisory. The list is reproduced below; Lenovo's support site also carries a complete list of all Lenovo Product Security Advisories.
Product | Component | CVE-2022-1890 | CVE-2022-1891 | CVE-2022-1892 |
--- | --- | --- | --- | --- |
100e 2nd Gen Notebook (Lenovo) (Type 82GJ) | BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) | Not Affected | Not Affected | FRCN23WW |
100w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 | Not Affected | Not Affected | GACN38WW |
13w Yoga (Type 82S1, 82S2) Laptop (Lenovo) | BIOS Update Utility for Windows 11 (Version 21H2 or later), 10 (Version 21H2 or later) – Lenovo 13w Yoga (Type 82S1, 82S2) | Not Affected | Not Affected | JACN31WW |
14W Gen 2 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 14W Gen 2 | Not Affected | Not Affected | H0CN21WW |
300e 2nd Gen Notebook (Lenovo) (Type 82GK) | BIOS Update for Windows 10 (64-bit) – Lenovo 100e 2nd Gen (MT:82GJ), Lenovo 300e 2nd Gen (MT:82GK) | Not Affected | Not Affected | FRCN23WW |
300w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – 100w Gen 3, 300w Gen 3 | Not Affected | Not Affected | GACN38WW |
500w Gen 3 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Lenovo 500w Gen 3 | Not Affected | Not Affected | G6CN40WW |
730S-13IML Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML | Not Affected | Not Affected | BRCN20WW |
Flex 3-11ADA05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 3-11ADA05 | Not Affected | Not Affected | FPCN26WW |
Flex 5-14ALC05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 | Not Affected | Not Affected | GJCN27WW |
Flex 5-14ARE05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ARE05 | Not Affected | Not Affected | EECN39WW |
Flex 5-14IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 | Not Affected | Not Affected | ECCN40WW |
Flex 5-14ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 | Not Affected | Not Affected | FXCN38WW |
Flex 5-15ALC05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Flex 5 14ALC05, Flex 5 15ALC05 | Not Affected | Not Affected | GJCN27WW |
Flex 5-15IIL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14IIL05, Flex 5-15IIL05 | Not Affected | Not Affected | ECCN40WW |
Flex 5-15ITL05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Flex 5-14ITL05, Flex 5-15ITL05 | Not Affected | Not Affected | FXCN38WW |
IdeaPad 1-11ADA05 Laptop | BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 | Not Affected | Not Affected | FQCN26WW |
IdeaPad 1-11IGL05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 | Not Affected | Not Affected | DWCN24WW |
IdeaPad 1-14ADA05 Laptop | BIOS Update for Windows 10 (64-bit) – ideapad 1-11ADA05, ideapad 1-14ADA05 | Not Affected | Not Affected | FQCN26WW |
IdeaPad 1-14IGL05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 1-11IGL05, ideapad 1-14IGL05 | Not Affected | Not Affected | DWCN24WW |
IdeaPad 3 15ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
IdeaPad 3-14ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
IdeaPad 3-14ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
IdeaPad 3-14ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
IdeaPad 3-15ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
IdeaPad 3-15ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
IdeaPad 3-17ADA05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
IdeaPad 3-17ADA6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 3-14ADA6, IdeaPad 3-15ADA6, IdeaPad 3-17ADA6 | Not Affected | Not Affected | HBCN24WW |
IdeaPad 3-17ALC6 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
IdeaPad 5 15ABA7 | BIOS Update for Windows 11 (64-bit) – IdeaPad 5 15ABA7 | Not Affected | Not Affected | KACN14WW |
IdeaPad Flex 5 14ALC7 Laptop | BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 | Not Affected | Not Affected | JCCN29WW |
IdeaPad Flex 5 16ALC7 | BIOS Update for Windows 11 (64-bit) – IdeaPad Flex 5 14ALC7, IdeaPad Flex 5 16ALC7 | Not Affected | Not Affected | JCCN29WW |
Legion S7-15ACH6 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Legion S7-15ACH6 | Not Affected | Not Affected | HACN37WW |
Legion S7-15ARH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Legion S7-15ARH5 | Not Affected | Not Affected | G1CN27WW |
Legion S7-15IMH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Legion S7-15IMH5 | Not Affected | Not Affected | FDCN40WW |
S145-14API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
S145-14AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST | Not Affected | Not Affected | AYCN28WW |
S145-15API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
S145-15AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14API, S145-15API | Not Affected | Not Affected | BUCN33WW |
S145-15AST Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S145-14AST, S145-15AST | Not Affected | Not Affected | AYCN28WW |
S540-13API Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – S540-13API | Not Affected | Not Affected | CXCN36WW |
S940-14IIL Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL | Not Affected | Not Affected | BQCN34WW |
Slim 1-11AST-05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 | Not Affected | Not Affected | CWCN25WW |
Slim 1-14AST-05 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Slim 1-11AST-05, Slim 1-14AST-05 | Not Affected | Not Affected | CWCN25WW |
ThinkBook 13s G2 ARE Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s G2 ARE | Not Affected | Not Affected | FVCN24WW |
ThinkBook 13s G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL | Not Affected | Not Affected | F9CN50WW |
ThinkBook 13s G3 ACN Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G3 ACN | Not Affected | Not Affected | GMCN29WW |
ThinkBook 13s-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML | Not Affected | Not Affected | CQCN37WW |
ThinkBook 14-IIL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL | DJCN28WW | DJCN28WW | DJCN28WW |
ThinkBook 14-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML | CJCN38WW | CJCN38WW | CJCN38WW |
ThinkBook 14p G2 ACH Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 14p G2 ACH | Not Affected | Not Affected | GWCN41WW |
ThinkBook 14s G2 ITL Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 13s G2 ITL, ThinkBook 14s G2 ITL | Not Affected | Not Affected | F9CN50WW |
ThinkBook 14s-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 13s-IML, ThinkBook 14s-IML | Not Affected | Not Affected | CQCN37WW |
ThinkBook 15-IIL Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IIL, ThinkBook 15-IIL | DJCN28WW | DJCN28WW | DJCN28WW |
ThinkBook 15-IML Laptop | BIOS Update for Windows 10 (64-bit) – ThinkBook 14-IML, ThinkBook 15-IML | CJCN38WW | CJCN38WW | CJCN38WW |
ThinkBook 16p G2 ACH Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ThinkBook 16p G2 ACH | Not Affected | Not Affected | GXCN42WW |
V130-15IKB Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – V130-15IKB | Not Affected | Not Affected | 8VCN31WW |
V14 G2-ALC Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
V14-ADA Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
V15 G2-ALC Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – ideapad 3-14ALC6, ideapad 3-15ALC6, ideapad 3-17ALC6, V14 G2-ALC, V15 G2-ALC | Not Affected | Not Affected | GLCN48WW |
V15-ADA Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – V14-ADA, V15-ADA, ideapad 3-14ADA05, ideapad 3-15ADA05, ideapad 3-17ADA05 | Not Affected | Not Affected | E8CN36WW |
Yoga 9-15IMH5 Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga 9-15IMH5 | Not Affected | Not Affected | EPCN28WW |
Yoga C640-13IML LTE Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE | CHCN28WW | CHCN28WW | CHCN28WW |
Yoga C640-13IML Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga C640-13IML, Yoga C640-13IML LTE | CHCN28WW | CHCN28WW | CHCN28WW |
Yoga C940-15IRH Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga C940-15IRH | Not Affected | Not Affected | BSCN37WW |
Yoga S730-13IML Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga S730-13IML,ideapad 730S-13IML | Not Affected | Not Affected | BRCN20WW |
Yoga S940-14IIL Laptop (Lenovo) | BIOS Update for Windows 10 (64-bit) – Yoga S940-14IIL, ideapad S940-14IIL | Not Affected | Not Affected | BQCN34WW |
Yoga Slim 7 Pro-14ACH5 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O | Not Affected | Not Affected | GZCN29WW |
Yoga Slim 7 Pro-14ACH5 O Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – Yoga Slim 7 Pro-14ACH5, Yoga Slim 7 Pro-14ACH5 O | Not Affected | Not Affected | GZCN29WW |
Yoga Slim 7 Pro-14ARH5 Laptop (ideapad) | BIOS Update for Windows 10 (64-bit) – Yoga Slim 7 Pro-14ARH5 | Not Affected | Not Affected | G7CN24WW |
ideapad 5-15ALC05 Laptop | BIOS Update for Windows 10 (64-bit) and Windows 11 (64-bit) – IdeaPad 5-15ALC05 | Not Affected | Not Affected | H2CN27WW |
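The last step of the update procedure, checking that the update actually took, means confirming that the installed BIOS ID is at or past the version listed for your model in the table above. On Windows the installed ID can be read with `(Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion`, which on these consumer models typically returns a string of the same form as the table entries. The C program below is an added example, not a Lenovo tool. It assumes the layout visible in the advisory's own IDs (a four-character family code, a two-digit release number, a region suffix such as WW); that layout is an inference from the table, not a documented Lenovo format, so a mismatch is reported rather than guessed. The lookup table kFixTable is a constructed excerpt of rows from the advisory above, and ParseBiosId, BiosIsPatched and CheckDevice are names chosen for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed excerpt of the advisory table: product -> BIOS ID that
 * carries the fix (the CVE-2022-1892 column, which every row has). */
typedef struct { const char *product; const char *fixVersion; } FixEntry;

static const FixEntry kFixTable[] = {
    { "ThinkBook 14-IIL",    "DJCN28WW" },
    { "ThinkBook 15-IIL",    "DJCN28WW" },
    { "ThinkBook 14-IML",    "CJCN38WW" },
    { "ThinkBook 15-IML",    "CJCN38WW" },
    { "ThinkBook 13s G2 ITL", "F9CN50WW" },
    { "Yoga C640-13IML",     "CHCN28WW" },
    { "Yoga C640-13IML LTE", "CHCN28WW" },
};

/* Split an ID such as "DJCN28WW" into its four-character family code and
 * two-digit release number. The layout is assumed from the advisory's IDs.
 * Returns 1 on success, 0 if the string does not have that shape. */
int ParseBiosId(const char *id, char family[5], int *release)
{
    if (id == NULL || strlen(id) < 6)
        return 0;
    for (int i = 0; i < 4; i++) {
        if (!isalnum((unsigned char)id[i]))
            return 0;
        family[i] = (char)toupper((unsigned char)id[i]);  /* case-insensitive */
    }
    family[4] = '\0';
    if (!isdigit((unsigned char)id[4]) || !isdigit((unsigned char)id[5]))
        return 0;
    *release = (id[4] - '0') * 10 + (id[5] - '0');
    return 1;
}

/* Compare the installed ID against the fix ID.
 *   1  patched: same family and release >= fix release
 *   0  still vulnerable: same family, older release
 *  -1  cannot decide: different family (wrong row or model) or unparseable */
int BiosIsPatched(const char *installed, const char *fix)
{
    char famInstalled[5], famFix[5];
    int relInstalled, relFix;
    if (!ParseBiosId(installed, famInstalled, &relInstalled) ||
        !ParseBiosId(fix, famFix, &relFix))
        return -1;
    if (strcmp(famInstalled, famFix) != 0)
        return -1;
    return relInstalled >= relFix ? 1 : 0;
}

/* Look the product up in the excerpt and decide; same codes as above,
 * plus -2 when the product is not in the table. */
int CheckDevice(const char *product, const char *installed)
{
    for (size_t i = 0; i < sizeof kFixTable / sizeof kFixTable[0]; i++)
        if (strcmp(kFixTable[i].product, product) == 0)
            return BiosIsPatched(installed, kFixTable[i].fixVersion);
    return -2;
}

int main(void)
{
    /* Constructed inputs; on a real machine the installed string comes from
     * (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion. */
    printf("ThinkBook 14-IIL at DJCN26WW: %d (0 = update needed)\n",
           CheckDevice("ThinkBook 14-IIL", "DJCN26WW"));
    printf("ThinkBook 14-IIL at DJCN28WW: %d (1 = patched)\n",
           CheckDevice("ThinkBook 14-IIL", "DJCN28WW"));
    return 0;
}
```

A result of -1 matters as much as 0: if the installed family code differs from the table row's, the device was matched to the wrong row (or the ID has a different layout, as ThinkPad IDs do), and the fleet report should flag it for a manual look rather than mark it patched.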
We hope this post helps you understand how to fix the three buffer overflow vulnerabilities in Lenovo BIOS.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.