Lenovo has released information on three BIOS vulnerabilities in two desktop models and approximately 60 different notebook computers.
The first issue, identified as CVE-2021-3452, threatens dozens of ThinkPad models. It is associated with the SMI callback function at system shutdown and can be used by a local attacker who already has elevated privileges on the device to execute arbitrary code. BIOS updates for more than 30 ThinkPad models are already in the pipeline, and the company plans to begin rolling out patches on July 28.
Five more ThinkPad models are not affected by the first vulnerability, but they may suffer from the CVE-2021-3453 problem, which occurs due to the fact that BIOS modules are not protected by Intel Boot Guard, that is, an attacker with physical access to vulnerable devices can write data to SPI flash memory.
Lenovo says it has already released BIOS updates for vulnerable ThinkPads, but is still working on patches for 13 other laptop models. This bug also affects two IdeaCentre desktop models, which should be patched on September 30th.
The third vulnerability, CVE-2021-3614, only affects Lenovo laptops and allows an attacker who has physical access to the device to elevate their privileges. This can only be done under certain conditions during a BIOS update performed through Lenovo Vantage.
This vulnerability is dangerous for 21 laptop models, but fixes have been released for only two of them so far. A BIOS update for another model is due this week, but Lenovo has not disclosed an estimated patch date for other devices.