Back in April, ESET had already discovered dangerous UEFI security vulnerabilities in Lenovo notebooks. Now Lenovo itself is reporting that it recommends installing new firmware for more than 500 models, because some of them contain highly dangerous security vulnerabilities.
Lenovo once again has to hang its head and report the presence of numerous security vulnerabilities in various BIOS versions of its devices. Just a few months ago, Lenovo already had to patch the vulnerabilities found by ESET in many UEFI BIOS versions. The currently published list of affected BIOS versions is once again quite long. Lenovo lists desktop PCs, notebooks, workstations, storage systems and servers together with their associated problems and recommends updates. The list names more than 500 devices!
New BIOS update list for September 2022
On its website, Lenovo publishes its security advisories under the entry “Multi-Vendor BIOS Security Vulnerabilities (September 2022)” (LEN-94953). Lenovo names the following risks for a potential attack: information disclosure, privilege escalation and denial of service. The vulnerabilities are rated with a severity of High. The following CVE identifiers are listed: CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136 and CVE-2022-40137.
In its very extensive list, Lenovo names the affected devices individually and also states in detail which of the CVEs apply to each device. Sometimes all of the vulnerabilities apply at once, sometimes only one or two. But whichever vulnerability it is: the updates should be installed as quickly as possible. If you have trouble doing so, you will find a link to an update tool at the beginning of the table.
More at Lenovo.com