LENOVO:PS500426-LENOVO-BIOS-VULNERABILITIES-JULY-2021-NOSID

Jul 13, 2021 - 5:34 p.m.

Lenovo BIOS Vulnerabilities (July 2021) - Lenovo Support NL

2021-07-13 17:34:05
support.lenovo.com

EPSS: 0.001 (Low), Percentile: 30.8%

**Lenovo Security Advisory:** LEN-65529

**Potential Impact:** Privilege escalation

**Severity:** Medium

**Scope of Impact:** Lenovo-specific

**CVE Identifier:** CVE-2021-3452, CVE-2021-3453, CVE-2021-3614

Summary Description:

The following vulnerabilities were reported in Lenovo BIOS:

CVE-2021-3452: A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3453: Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access to write to the SPI flash storage.

CVE-2021-3614: A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges under certain conditions during a BIOS update performed by Lenovo Vantage.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
