Lenovo has fixed vulnerabilities in their computer firmware

Lenovo has fixed two important vulnerabilities in the system software of its computers. They are addressed by the updates LEN-9903 (Intel ME protection not set on some Lenovo Notebooks and ThinkServer systems) and LEN-8327 (Microsoft Device Guard protection bypass). The first vulnerability, with the identifier CVE-2016-8222, is an incorrect configuration by Lenovo of a system mechanism of Intel chipsets, the Intel Management Engine, on some notebook models and ThinkServer computers.


The second vulnerability, with the identifier CVE-2016-8222, is somewhat similar to the earlier, well-known ThinkPwn vulnerability. It could allow an attacker to overwrite important BIOS system variables and invoke services of System Management Mode (SMM), a microprocessor operating mode, which means that an attacker could gain privileges at the level of ring minus two (-2).

Several articles about the Intel Management Engine (ME) technology have recently been published on the internet. In short, it is a complete hardware and software subsystem from Intel, built into the chipset, that allows a computer to be controlled, including remotely, regardless of the operating system and regardless of whether the computer is running at the moment or not. Intel ME uses system resources, including some regions of physical memory and hardware device functions. The resources used by Intel ME must be suitably locked against outside influence, for example from an attacker who wants to modify the Intel ME configuration parameters in order to run their own code at the highest privilege level of the microprocessor, ring minus three (-3). Lenovo forgot to set this protection of the physical memory region initially.

The vulnerability is of the Local Privilege Escalation (LPE) type and could allow an attacker to obtain the highest level of privileges, ring minus three (-3).

The Intel Management Engine (ME) is a set of hardware features developed by Intel that enable administrators to manage, repair and protect computers on their networks. During the manufacturing process, a setting is configured on the manufacturing line that locks regions of memory used by the ME and prevents them from being reconfigured. Lenovo has discovered that this protection was not enabled on certain Lenovo systems.

Update LEN-9903 applies to the following Lenovo notebook models:

  • 110-14IBR/110-15IBR
  • B70-80, E31-80, E40-80, E41-80, E51-80, G40-80, G50-80, G50-80 Touch
  • Ideapad 300-14IBR/300-15IBR, Ideapad 300-14ISK/300-15ISK/300-17ISK, Ideapad 510S-12ISK
  • K21-80, K41-80
  • MIIX 710-12IKB, XiaoXin Air 12
  • YOGA 510-14ISK/510-15ISK, YOGA 710-11IKB, Yoga 710-11ISK, Yoga 900-13ISK, YOGA 900S-12ISK

The ThinkServer TS150 and ThinkServer TS450 servers are also covered by the update.

The second vulnerability is present in one of the drivers of the UEFI firmware of ThinkPad notebooks and allows an attacker who has already obtained the highest administrator rights in the system to go down to ring minus two (-2) and run their own code in SMM mode.

A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability.

This vulnerability could allow an attacker to bypass Microsoft Device Guard protections for systems running Windows 10.

In turn, compromising the SMM operating mode of the microprocessor allows an attacker to compromise Windows 10 protection technologies that rely on a virtualization mechanism, such as Device Guard and Credential Guard. Since the virtualization subsystem runs with ring -1 privileges, SMM code will have no difficulty bypassing its defense mechanisms.

We recommend that everyone install the updates.

Information added: 11/28/2016 08:33 PM;