The company has urged users to update to the latest security fix to ensure the safety of their systems.
The update fixes multi-vendor BIOS security vulnerabilities that could cause information disclosure, privilege escalation or denial of service on affected systems.
Earlier, on Monday, the Indian Computer Emergency Response Team (CERT-In) released notes on the bugs found in Lenovo products, urging users to apply the appropriate security updates.
The security bugs, which have an industry-wide scope of impact, were found in the BIOS, which is used to start up a computer after it is powered on. Lenovo and CERT-In categorised these bugs as high severity.
However, the bugs did not affect all Lenovo products, the company said in its security blog.
Information disclosure bug
An information disclosure bug was found in the TianoCore EDK II BIOS. Similar bugs were also detected in the system management interrupt (SMI), the Set BIOS Password SMI handler, the Smart USB Protection SMI handler, and the SMI handler used to configure platform settings over Windows Management Instrumentation, according to CERT-In.
Local authenticated attackers could exploit these bugs by sending specially crafted requests, compromising the security of affected systems.
The term "local authenticated attacker" covers all users who have a username and password for the system, as well as individuals using non-password-protected accounts such as guest accounts.
The bug would allow such users to increase their reach within the systems and execute arbitrary code, bypassing security restrictions and accessing sensitive information on the affected systems.
Buffer overflow vulnerability
A buffer overflow bug was also detected.
The bug exists because of a buffer overflow flaw in the WMI SMI handler, which is used to configure platform settings in some Lenovo models.
Local authenticated attackers could exploit it by sending specially crafted requests that overrun a program’s buffer memory, overwriting adjacent memory locations.
Attackers could also use it to execute arbitrary code on the affected systems.