LEN-91369: Multiple Driver Vulnerabilities
Lenovo recently released a new security advisory covering 3 new vulnerabilities that affect multiple models, including IdeaPad, ThinkBook, Yoga, Flex, and more. Lenovo had similar issues back in April, when it also had to fix BIOS vulnerabilities. All three vulnerabilities are buffer overflows in drivers.
Buffer overflow vulnerabilities are quite common. They typically occur when code relies on external data to control its behavior, when it depends on properties of that data that are enforced outside its own scope, or when it is so complex that its behavior cannot be predicted accurately. A buffer overflow attack is a deliberate attempt by an attacker to force the software to exceed the bounds of the memory it uses to hold data temporarily.
Lenovo detailed the buffer overflow vulnerabilities as follows:
- CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
Discover Vulnerable Devices
Lenovo’s security advisory contains a list of all vulnerable devices. We’ve used this information to create a special Lansweeper report that will provide a list of all devices in your environment that might be affected by the vulnerabilities while also listing the device’s BIOS data and affected driver data.
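The matching that such a report performs, shown as an added example (this is not Lansweeper's report and not Lenovo's data). It assumes the advisory gives a first fixed BIOS build per model and that BIOS version strings have the form family prefix + build number + "WW"; every model name, version and host below is a constructed placeholder.

```python
import re

# Constructed stand-in for the advisory's affected-product table:
# model -> (BIOS family prefix, first fixed build). Placeholder values only;
# load the real table from Lenovo's advisory.
ADVISORY = {
    "EXAMPLE-MODEL-A": ("AAAA", 40),
    "EXAMPLE-MODEL-B": ("BBBB", 25),
}

# Constructed inventory rows, shaped like a BIOS inventory export.
INVENTORY = [
    {"host": "lt-001", "model": "EXAMPLE-MODEL-A", "bios": "AAAA38WW"},
    {"host": "lt-002", "model": "EXAMPLE-MODEL-A", "bios": "AAAA40WW"},
    {"host": "lt-003", "model": "example-model-b ", "bios": "BBBB12WW(V1.03)"},
    {"host": "lt-004", "model": "EXAMPLE-MODEL-B", "bios": "unknown"},
    {"host": "lt-005", "model": "EXAMPLE-MODEL-C", "bios": "CCCC10WW"},
]

# Assumed version format: 4-character family, numeric build, then "WW".
BIOS_RE = re.compile(r"^([A-Z0-9]{4})(\d{2,3})WW")


def classify(row, advisory=ADVISORY):
    """Return 'not_listed', 'vulnerable', 'fixed' or 'review' for one device."""
    entry = advisory.get(row["model"].strip().upper())
    if entry is None:
        return "not_listed"
    family, fixed_build = entry
    m = BIOS_RE.match(row["bios"].strip().upper())
    # Unparseable version or unexpected BIOS family: never assume it is patched.
    if m is None or m.group(1) != family:
        return "review"
    return "fixed" if int(m.group(2)) >= fixed_build else "vulnerable"


def report(inventory=INVENTORY):
    """Map each host that needs action to its status (vulnerable or review)."""
    out = {}
    for row in inventory:
        status = classify(row)
        if status in ("vulnerable", "review"):
            out[row["host"]] = status
    return out


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Devices whose BIOS string cannot be parsed are routed to manual review instead of being counted as patched, so a gap in the inventory data does not hide an affected machine.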