SB2023031552 - Multiple vulnerabilities in Lenovo ThinkPad BIOS firmware

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023031552

SB2023031552 - Multiple vulnerabilities in Lenovo ThinkPad BIOS firmware

Published: March 15, 2023

Security Bulletin ID SB2023031552
Severity
Low
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Security features bypass (CVE-ID: CVE-2022-3728)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the BIOS tamper detection mechanism. A local user can bypass implemented security restrictions and execute arbitrary code on the system.


2) Security features bypass (CVE-ID: CVE-2022-48182)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the BIOS tamper detection mechanism. A local user can bypass implemented security restrictions and execute arbitrary code on the system.

3) Security features bypass (CVE-ID: CVE-2022-48183)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the BIOS tamper detection mechanism. A local user can bypass implemented security restrictions and execute arbitrary code on the system.

4) Input validation error (CVE-ID: CVE-2022-4573)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the SMI handler. A local user can execute arbitrary code on the target system.


5) Input validation error (CVE-ID: CVE-2022-4574)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the SMI handler. A local user can execute arbitrary code on the target system.

6) Security features bypass (CVE-ID: CVE-2022-4575)

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists due to improper write protection of UEFI variables. An attacker with physical access to device can bypass the Secure Boot mechanism and compromise the affected system.

7) Input validation error (CVE-ID: CVE-2022-48189)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the SMM driver. A local user can execute arbitrary code with elevated privileges.


Remediation

Install update from vendor's website.

References