"New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models"

Lenovo has released fixes to address three security flaws discovered in its UEFI firmware, which affects over 70 product models. According to the Slovak cybersecurity firm ESET, the vulnerabilities can be exploited to achieve arbitrary code execution in the early stages of the platform boot, potentially enabling attackers to hijack the OS execution flow and disable some essential security features. The three bugs, tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, are all related to buffer overflow flaws that could result in privilege escalation on impacted systems. The flaws stem from insufficient validation of an NVRAM variable called "DataSize" in three different drivers: ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe. This article continues to discuss the new UEFI firmware vulnerabilities recently addressed by Lenovo. 

THN reports "New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models"