Lenovo has released patches for a High severity vulnerability impacting the Secure Boot function on some System x servers.
Exploitation of this security vulnerability could result in unauthenticated code being booted. Discovered by the computer maker’s internal testing team and tracked as CVE-2017-3775, the issue impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.
“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code,” the manufacturer notes.
These systems ship with Secure Boot disabled by default, because signed code is relatively new in the data center environment, the company says, adding that standard operator configurations disable signature checking.
In its advisory, the computer maker published not only the complete list of affected models, but also links to the appropriate BIOS/UEFI update for each model. The company advises admins relying on Secure Boot to control physical access to systems prior to applying the updates.
Lenovo also released a patch for a buffer overflow in Lenovo System Update Drive Mapping Utility. Tracked as CVE-2018-9063, the vulnerability could result in undefined behaviors, such as execution of arbitrary code, the company notes.
Discovered by SaifAllah benMassaoud and assessed with a Medium severity rating, the vulnerability can be exploited by an attacker entering very large user ID or password in order to overrun the program’s buffer. An attacker could potentially execute code with the MapDrv’s privileges.
Lenovo System Update version 5.07.0072 or later addresses the vulnerability and users are advised to update the application to remain protected. To determine the currently installed version of Lenovo System Update, users should launch the application, click the green question mark in the top right corner and then select “About.”
Lenovo System Update automatically checks for newer version when executed, and users should simply launch the application and accept the update when prompted. Manual updates are also possible, by downloading the latest app version from Lenovo’s site.