Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models.
电子消费制造商联想周二推出了修复程序,其中有三个关于UEFI固件的安全漏洞,影响70多种产品型号。
"The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity firm ESET said in a series of tweets.
斯洛伐克网络安全公司 ESET在一系列推文中表示: “这些漏洞可被利用在平台启动的早期阶段实现任意代码执行,可能允许攻击者劫持操作系统启动流程并禁用一些重要的安全功能。”
电脑Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs relate to buffer overflow vulnerabilities that have been described by Lenovo as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws.
漏洞编号为CVE-2022-1890、CVE-2022-1891 和 CVE-2022-1892 的三个漏洞,都与联想描述的缓冲区溢出漏洞有关,这些漏洞会导致受影响系统的权限提升。ESET 的 Martin Smolár 报告了这些缺陷。
The bugs stem from an insufficient validation of an NVRAM variable called "DataSize" in three different drivers ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe, leading to a buffer overflow that could be weaponized to achieve code execution.
这些错误源于对三个不同驱动程序 电脑 ReadyBootDxe、SystemLoadDefaultDxe 和 SystemBootManagerDxe 中名为“DataSize”的 NVRAM 变量验证不充分,导致缓冲区溢出,可以武器化以实现代码执行。
This is the second time Lenovo has moved to address UEFI security vulnerabilities since the start of the year. In April, the company resolved three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) — also discovered by Smolár — that could have been abused to deploy and execute firmware implants.
这是自年初以来联想第二次着手解决 UEFI 安全漏洞。今年4月,该公司解决了 Smolár 发现的三个漏洞(CVE-2021-3970、CVE-2021-3971 和 CVE-2021-3972),这些漏洞可能被滥用于安装和执行固件植入。
Users of impacted devices are highly recommended to update their firmware to the latest version to mitigate potential threats.
强烈建议受影响设备的用户,将其固件更新到最新版本,以消除潜在威胁。
见素抱朴,少私寡欲。
——《道德经.第十九章》
本文翻译自:
https://thehackernews.com/2022/07/new-uefi-firmware-vulnerabilities.html
如若转载,请注明原文地址
电脑
