Recently, Lenovo released security patches for CVE-2017-3775, a high-severity vulnerability in the Secure Boot feature of its System x servers.
Information security researchers noted that the standard operator settings disable signature verification; as a result, affected System x BIOS/UEFI versions do not correctly authenticate signed code before executing it.
“In Lenovo’s internal tests they found that some versions of System x server BIOS/UEFI, when Secure Boot mode is enabled, do not correctly authenticate the signed code before starting it; this means that an attacker with physical access to the system could start unsigned code,” says the security advisory.
“Lenovo ships systems with Secure Boot disabled by default, because the signed code is new in the data center environment, and standard operator settings disable signature checking.”
Information security experts said that a malicious actor could take advantage of this vulnerability to run unauthenticated code at startup of an affected system. CVE-2017-3775 affects a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, the x3xxx series and NextScale nx360 M5 devices.
Lenovo already revealed the full list of affected products and provided the BIOS / UEFI update.
A patch was also issued to address a buffer overflow, CVE-2018-9063, in the Lenovo System Update Drive Mapping Utility. This vulnerability could be exploited by malicious actors for various attacks, including the execution of arbitrary code on the target machine.
“MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) contains a vulnerability in which a malicious actor can enter a large user ID or password that overruns the program buffer and causes undefined behavior, such as the execution of arbitrary code,” says the security notice.
The vulnerability could be exploited by an attacker who enters a very large user ID or password to overflow the program’s buffer. The attacker could then execute code with the privileges of MapDrv, commented the information security professional. Users need to update the application as soon as possible to Lenovo System Update version 5.07.0072 or later.
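To illustrate the class of defect described for MapDrv (an over-long user ID or password overrunning a fixed-size buffer), here is an added example that is not Lenovo's code: a hypothetical credential record with constructed buffer sizes, showing the unbounded-copy pattern beside a hardened form that measures the input and rejects anything that does not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical credential record modelled on the page's description of
 * MapDrv accepting a user ID and password. Sizes are constructed for
 * the example and are not the utility's real layout. */
#define MAX_USER 64
#define MAX_PASS 128

struct creds {
    char user[MAX_USER];
    char pass[MAX_PASS];
};

/* Vulnerable pattern: the copy trusts whatever length the caller supplies,
 * so an over-long user ID or password writes past the struct's buffers. */
void fill_creds_unsafe(struct creds *c, const char *user, const char *pass) {
    strcpy(c->user, user);   /* no length check */
    strcpy(c->pass, pass);
}

/* Length of s, but never scanning more than cap bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Hardened form: measure first, refuse input that cannot fit together with
 * its terminator, and only then copy a known number of bytes. Returning
 * false (instead of silently truncating) keeps the failure visible. */
bool fill_creds_safe(struct creds *c, const char *user, const char *pass) {
    size_t ul = bounded_len(user, MAX_USER);
    size_t pl = bounded_len(pass, MAX_PASS);
    if (ul >= MAX_USER || pl >= MAX_PASS)
        return false;        /* input is as long as, or longer than, the buffer */
    memcpy(c->user, user, ul + 1);
    memcpy(c->pass, pass, pl + 1);
    return true;
}

int main(void) {
    struct creds c;
    char longuser[200];                       /* constructed oversize input */
    memset(longuser, 'A', sizeof longuser - 1);
    longuser[sizeof longuser - 1] = '\0';
    printf("short input accepted: %d\n", fill_creds_safe(&c, "alice", "hunter2"));
    printf("long input accepted:  %d\n", fill_creds_safe(&c, longuser, "hunter2"));
    return 0;
}
```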