PC System Recovery Bootloader Vulnerabilities
Lenovo Security Advisory: LEN-132277
Potential Impact: Privilege Escalation
Severity: Medium
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2024-23593, CVE-2024-23594
Summary Description:
The following vulnerabilities were identified in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014. No supported devices are affected by this issue.
CVE-2024-23593: A vulnerability was reported that could allow a privileged attacker with local access to modify the boot manager and escalate privileges.
CVE-2024-23594: A buffer overflow vulnerability was reported that could allow a privileged attacker with local access to execute arbitrary code.
Mitigation Strategy for Customers (what you should do to protect yourself):
Concerned customers can follow Microsoft's guidance to update to the latest Secure Boot DBX revocation list.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
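As an added defender-side check (not part of the advisory or any Lenovo tool), the PowerShell script below reads the firmware's Secure Boot DBX variable and lists its SHA-256 revocation hashes, so an administrator can confirm that Microsoft's DBX update has landed by comparing the output against the hashes Microsoft publishes with that update. It assumes an elevated prompt on a UEFI system with the SecureBoot module available; the EFI_CERT_SHA256 type GUID is the one defined in the UEFI specification.

```powershell
# Added example: enumerate SHA-256 entries in the Secure Boot DBX (forbidden signatures
# database). Run from an elevated PowerShell on a UEFI system.
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID (UEFI spec)

function Get-DbxSha256Hashes {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; DBX revocations are not enforced on this machine.'
    }

    # Get-SecureBootUEFI returns the raw variable contents as a byte array.
    $dbx    = (Get-SecureBootUEFI -Name dbx).Bytes
    $hashes = New-Object System.Collections.Generic.List[string]
    $offset = 0

    # DBX is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize |
    #   UINT32 SignatureSize | header | entries (each: GUID SignatureOwner (16) + data)
    while ($offset + 28 -le $dbx.Length) {
        $sigType    = [Guid]::new([byte[]]$dbx[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($dbx, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($dbx, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($dbx, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or ($offset + $listSize) -gt $dbx.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $entry = $offset + 28 + $headerSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            # SHA-256 entries are exactly 16 (owner GUID) + 32 (digest) bytes.
            if ($sigType -eq $EfiCertSha256Guid -and $sigSize -eq 48) {
                $digest = $dbx[($entry + 16)..($entry + 47)]
                $hashes.Add((($digest | ForEach-Object { $_.ToString('x2') }) -join ''))
            }
            $entry += $sigSize
        }
        $offset = $end
    }
    return $hashes
}

$found = Get-DbxSha256Hashes
"DBX contains $($found.Count) SHA-256 revocation entries"
$found | Select-Object -First 5
```

The script only reports what the firmware currently holds; whether a given hash is revoked is decided by comparing it with the entries in Microsoft's published DBX update.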
Acknowledgement:
Lenovo thanks Zammis Clark for reporting these issues.
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-23593
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-23594
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1 | 2024-04-09 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.