Lenovo has released updates to fix vulnerabilities in the Unified Extensible Firmware Interface (UEFI) that affect several of the company’s notebook models. The flaws could be exploited to modify secure boot settings. While three vulnerabilities have been identified, Lenovo is releasing foxes for just two, as the third affects a device that is no longer supported.
Note
- The flaws allow the secure boot database (DBX) to be reset. That resets what is allowed and denied by the secure boot process, allowing a hacker’s code to be loaded at boot time. If you’re not managing the firmware on your fleet of laptops, you need to start figuring that out before your attackers do. Even so, test your process, BIOS updates can brick or otherwise be disruptive to users. The timing of which is never convenient, in fact, quite the opposite. At a bare minimum, track the versions and watch for unexpected updates.
Read more in
- Lenovo Notebook BIOS Vulnerabilities
- Lenovo driver goof poses security risk for users of 25 notebook models
- Lenovo Patches Bios Flaws That Lead to Secure Boot Modification
- Lenovo fixes flaws that can be used to disable UEFI Secure Boot
- New UEFI Firmware Flaws Reported in Several Lenovo Notebook Models
