Lenovo Security Advisory: LEN-14695
Potential Impact: Execution of code in System Management Mode by an attacker with local administrative access
Scope of Impact: Industry-Wide
CVE Identifier: CVE-2017-3753
A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI), a leading supplier of UEFI (BIOS) code to the computer industry. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.
Mitigation Strategy for Customers (what you should do to protect yourself):
AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.
If an immediate BIOS update is not possible, security-conscious users should consider the following mitigation steps to protect themselves to the fullest extent, with the understanding that these steps DO NOT fix or fully protect against an exploit of this vulnerability: