PC System Recovery Bootloader Vulnerabilities

Lenovo Security Advisory: LEN-132277

Potential Impact: Privilege Escalation

Severity: Medium

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2024-23593, CVE-2024-23594

Summary Description:

The following vulnerabilities were identified in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014. No supported devices are affected by this issue.

CVE-2024-23593: A vulnerability was reported that could allow a privileged attacker with local access to modify the boot manager and escalate privileges. 

CVE-2024-23594: A buffer overflow vulnerability was reported that could allow a privileged attacker with local access to execute arbitrary code. 

Mitigation Strategy for Customers (what you should do to protect yourself):

Concerned customers can follow Microsoft's guidance to update to the latest Secure Boot DBX revocation list.
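The DBX revocation list is the mechanism that blocks the vulnerable bootloader from being loaded under Secure Boot, so the practical check after following Microsoft's guidance is whether Secure Boot is enforced and whether the DBX on the machine actually changed. The following PowerShell is an added example, not part of the Lenovo advisory and not Lenovo or Microsoft code. It uses the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI), hashes the raw DBX variable so it can be compared against the DBX release that was applied, and walks the EFI_SIGNATURE_LIST chain to count revoked image hashes and certificates. The two signature-type GUIDs are the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID; the script assumes an elevated session on UEFI firmware.

```powershell
# Added example (not part of the Lenovo advisory): inspect the Secure Boot DBX
# on a Windows host to confirm Secure Boot is enforced and to summarise how many
# revocation entries the DBX currently holds. Run from an elevated PowerShell
# session on a UEFI system.

$sha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$x509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled; the DBX is not enforced on this machine.'
}

$dbx   = Get-SecureBootUEFI -Name dbx
$bytes = $dbx.Bytes
"DBX size: $($bytes.Length) bytes"

# SHA-256 of the raw variable, for comparison against the DBX release you applied.
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
'DBX SHA-256: ' + (($hash | ForEach-Object { $_.ToString('x2') }) -join '')

# Walk the EFI_SIGNATURE_LIST chain. Each list is laid out as:
#   SignatureType (16-byte GUID), SignatureListSize (UINT32),
#   SignatureHeaderSize (UINT32), SignatureSize (UINT32),
#   then the optional header, then entries of SignatureSize bytes each
#   (a 16-byte SignatureOwner GUID followed by the hash or certificate).
$offset      = 0
$hashEntries = 0
$certEntries = 0
while ($offset + 28 -le $bytes.Length) {
    $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
    $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
    $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
    $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)

    # Stop on a malformed list instead of looping forever or reading past the end.
    if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $bytes.Length) { break }

    $count = [int](($listSize - 28 - $headerSize) / $sigSize)
    if     ($type -eq $sha256Guid) { $hashEntries += $count }
    elseif ($type -eq $x509Guid)   { $certEntries += $count }
    $offset += $listSize
}
"Revoked image hashes: $hashEntries"
"Revoked certificates: $certEntries"
```

Record the size, hash and entry counts before applying the DBX update and again after a reboot; an unchanged hash means the update was not written to firmware, which is the failure mode that leaves a revoked bootloader loadable despite Secure Boot being on.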

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

Acknowledgement:

Lenovo thanks Zammis Clark for reporting these issues. 

References:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-23593

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-23594

Revision History:

Revision  Date        Description
1         2024-04-09  Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

Alias Id:LEN-132277
Document ID:PS500613
Original Publish Date:04/09/2024
Last Modified Date:04/09/2024