BIOS SMI Handler Input Validation Failures

2017-11-29T00:00:00
ID LENOVO:PS500122-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-11-29T00:00:00

Description

Lenovo Security Advisory: LEN-14695

Potential Impact: Execution of code in System Management Mode by an attacker with local administrative access

Severity: High

Scope of Impact: Industry-Wide

CVE Identifier: CVE-2017-3753

Summary Description:

A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI), a leading supplier of UEFI (BIOS) code to the computer industry. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.

Mitigation Strategy for Customers (what you should do to protect yourself):

AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

If an immediate BIOS update is not possible, security-conscious users should consider the following mitigation steps to protect themselves to the fullest extent, with the understanding that these steps DO NOT fix or fully protect against an exploit of this vulnerability:

  • Enable Secure Boot on your system
  • Disable the boot to UEFI shell
  • Disable boot from any source but the primary internal hard drive
  • Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
  • Operate as an unprivileged (non-administrator) user when using Windows
  • Run only trusted code from known sources
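
The first mitigation step can be audited from a running OS. The following is an added example, not part of the Lenovo advisory or any Lenovo or AMI tooling: it assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars and classifies the Secure Boot state from the standard UEFI SecureBoot and SetupMode variables. The function names and sample byte strings are constructed for illustration. The other steps (UEFI shell, boot order, BIOS setup password) are firmware setup settings that this check does not cover.

```python
import struct
from pathlib import Path
from typing import Optional

# EFI global variable GUID from the UEFI specification.
# efivarfs exposes each variable as a file named <Name>-<GUID>.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed mount point

# Constructed sample payloads: 4-byte attributes (0x06 = BS|RT) + 1 data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

def decode_efivar_u8(raw: bytes) -> int:
    """Return the UINT8 value that follows the 4-byte attribute header."""
    if len(raw) < 5:
        raise ValueError("efivarfs payload too short for a UINT8 variable")
    _attrs, value = struct.unpack_from("<IB", raw)
    return value

def read_var(name: str, root: Path = EFIVARS) -> Optional[bytes]:
    """Read one EFI global variable, or None if it is not exposed."""
    try:
        return (root / f"{name}-{EFI_GLOBAL}").read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None

def secure_boot_state(secure_boot: Optional[bytes],
                      setup_mode: Optional[bytes]) -> str:
    """Classify the platform from raw SecureBoot / SetupMode payloads."""
    if secure_boot is None:
        return "unsupported"   # legacy boot, or efivarfs not mounted
    # Setup mode means no Platform Key is enrolled: signatures are not
    # enforced and keys can be written without authentication.
    if setup_mode is not None and decode_efivar_u8(setup_mode) == 1:
        return "setup-mode"
    return "enforcing" if decode_efivar_u8(secure_boot) == 1 else "disabled"

if __name__ == "__main__":
    print(secure_boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```

Any result other than "enforcing" means the first mitigation step is not in effect on that machine.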

Product Impact: