CVE-2022-40137: High-Severity BIOS Security Flaw in Lenovo devices

Lenovo recently released a new security advisory that contains 4 new BIOS-related vulnerabilities. Attackers can exploit these vulnerabilities to allow escalation of privilege, denial of service, or information disclosure.

Tracked as CVE-2022-40137 and affecting Lenovo Desktop, Desktop AIO, Smart Edge, Smart Office, ThinkStation, and ThinkSystem models, the first of the bugs impacts the WMI SMI Handler function and could be abused by an attacker with local access and elevated privileges to execute arbitrary code.

Tracked as CVE-2022-40134, CVE-2022-40135, and CVE-2022-40136, all three bugs relate to information leak vulnerabilities that have been described by Lenovo as leading to privilege escalation to read SMM memory on affected systems.

The bugs exist in SMI Set BIOS Password SMI Handler, Smart USB Protection SMI Handler and SMI Handler used to configure platform settings over WMI in some Lenovo models.

Four vulnerabilities were fixed by Lenovo this time, CVE-2022-40137 has the highest severity.

UEFI  (BIOS) threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.

Users of impacted devices are highly recommended to update their firmware to the latest version to mitigate potential threats.