SB2025122701 - Lenovo update for multi-vendor BIOS




Published: December 27, 2025

Security Bulletin ID SB2025122701
Severity Low
Patch available YES
Number of vulnerabilities 6
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-ID: CVE-2025-47319)

The vulnerability allows a local privileged application to read and manipulate data.

The vulnerability exists due to improper input validation in HLOS. A local privileged application can read and manipulate data.


2) Information disclosure (CVE-ID: CVE-2024-38798)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because password keystrokes are stored in a circular queue that is not cleared after password entry. A local user can examine the memory used as the circular queue and recover a previously entered password.
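The clearing step whose absence is described above, as an added example in C that is not the vendor's firmware code: a constructed keystroke ring buffer in which the weak pop leaves each byte in the backing array, next to a pop that zeroes the slot and a wipe run once entry completes. The names `key_queue`, `kq_*`, `password_entry_residue` and the sample password are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define KQ_SIZE 16                       /* constructed queue depth */
typedef struct { uint8_t buf[KQ_SIZE]; size_t head, tail; } key_queue; /* head reads, tail writes */

static int kq_push(key_queue *q, uint8_t c) {
    size_t next = (q->tail + 1) % KQ_SIZE;
    if (next == q->head) return -1;      /* full: drop the keystroke */
    q->buf[q->tail] = c;
    q->tail = next;
    return 0;
}

/* Pop one keystroke. clear=0 models the flaw: head advances, the byte stays in buf. */
static int kq_pop(key_queue *q, int clear) {
    if (q->head == q->tail) return -1;   /* empty */
    int c = q->buf[q->head];
    if (clear) *(volatile uint8_t *)&q->buf[q->head] = 0;
    q->head = (q->head + 1) % KQ_SIZE;
    return c;
}

/* Wipe the whole backing array; volatile keeps the compiler from eliding the stores. */
static void kq_wipe(key_queue *q) {
    volatile uint8_t *p = q->buf;
    for (size_t i = 0; i < KQ_SIZE; i++) p[i] = 0;
    q->head = q->tail = 0;
}

/* Audit helper: keystroke bytes still readable in the backing array. */
static size_t kq_residue(const key_queue *q) {
    size_t n = 0;
    for (size_t i = 0; i < KQ_SIZE; i++) n += (q->buf[i] != 0);
    return n;
}

/* Simulate one password prompt and return the residue left in the queue memory. */
size_t password_entry_residue(const char *typed, int hardened) {
    key_queue q = {{0}, 0, 0};
    for (const char *p = typed; *p; p++) kq_push(&q, (uint8_t)*p);
    while (kq_pop(&q, hardened) >= 0) { /* consumer reads the keystrokes */ }
    if (hardened) kq_wipe(&q);           /* clear once password entry is done */
    return kq_residue(&q);
}

int main(void) {
    printf("weak: %zu, hardened: %zu\n", password_entry_residue("Passw0rd!", 0), password_entry_residue("Passw0rd!", 1));
    return 0;
}
```

The queue reports itself empty in both cases; only the residue count distinguishes them, which is why a review of such code has to inspect the backing memory and not the queue state.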


3) Integer overflow (CVE-ID: CVE-2025-47323)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.


4) State Issues (CVE-ID: CVE-2025-9614)

The vulnerability allows a local user to bypass implemented security restrictions. 

The vulnerability exists due to insufficient guidance on re-keying and stream flushing when rebinding a PCIe device to a new Trusted Domain Interface (TDI), as described in the PCI Express (PCIe) Base Specification. A local user can violate confidentiality or security objectives, leading to security restrictions bypass.


5) Improper validation of integrity check value (CVE-ID: CVE-2025-9612)

The vulnerability allows an attacker to bypass implemented security restrictions. 

The vulnerability exists due to an error in the PCIe IDE protocol’s Transaction Layer Packet (TLP) ordering enforcement mechanism, as described in the PCI Express (PCIe) Base Specification. A local user or an attacker with physical access to the system can perform a Man-in-the-Middle (MITM) attack to observe and reorder IDE-protected TLPs without triggering detection at the receiver, violating the integrity objectives that both IDE and TDISP are designed to uphold.



6) Insufficient technical documentation (CVE-ID: CVE-2025-9613)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient guidance on tag reuse after completion timeouts in the PCI Express (PCIe) Base Specification. If an IDE-protected request’s tag is released due to a completion timeout, a subsequent IDE request may reuse the same tag. If the delayed completion of the original request arrives after the new request, the receiver may consume stale or incorrect data. A local user can violate integrity and confidentiality objectives of IDE and TDISP.


Remediation

Install the update from the vendor's website.