Multi-vendor BIOS Security Vulnerabilities (December, 2024)
Lenovo Security Advisory: LEN-180503
Potential Impact: Information Disclosure, Privilege Escalation
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2024-21944, CVE-2024-33044, CVE-2024-33056
Summary Description:
AMD reported that it may be possible to modify serial presence detect (SPD) metadata to make an attached memory module appear larger than it is, potentially allowing an attacker to overwrite physical memory. AMD-SB-3015: CVE-2024-21944
Qualcomm reported a potential improper validation vulnerability in BIOS that could allow a local attacker to corrupt memory. CVE-2024-33044
Qualcomm reported a potential buffer over-read vulnerability in BIOS that could allow a local attacker to corrupt memory. CVE-2024-33056
Mitigation Strategy for Customers (what you should do to protect yourself):
Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
References:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3015.html
https://docs.qualcomm.com/product/publicresources/securitybulletin
Revision History:
Revision | Date | Description |
---|---|---|
2 | 2025-01-02 | Updated product impact |
1 | 2024-12-10 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | CVE-2024-21944 |
---|---|---|
HX645 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX645 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
HX665 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX665 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
HX3375 Appliance (ThinkAgile) | Lenovo ThinkSystem SR645/SR665 UEFI Firmware (For AnyOS) | D8E138F |
HX3376 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR645/SR665 UEFI Firmware (For AnyOS) | D8E138F |
HX645 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX645 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
HX665 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX665 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
HX665 V3 Storage Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX665 V3 Storage Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
HX665 V3 Storage Integrated Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
HX665 V3 Storage Integrated Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
VX635 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
VX635 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
VX645 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
VX645 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
VX655 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
VX655 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
VX665 V3 Certified Node (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
VX665 V3 Integrated System (ThinkAgile) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |

Product | Component | CVE-2024-21944 |
---|---|---|
SE455 V3 (ThinkEdge) | Lenovo System UEFI/BIOS (SE455 V3) Firmware | MBE114F |

Product | Component | CVE-2024-33044 | CVE-2024-33056 |
---|---|---|---|
X13s (Type 21BX, 21BY) Laptop (ThinkPad) | BIOS Update Utility for Windows 11 ARM (Version 21H2) - ThinkPad X13s Gen 1 (Type 21BX, 21BY) | 1.63 | 1.63 |
X13s (Type 21BX, 21BY) Laptop (ThinkPad) | BIOS Update Utility for Windows 11 ARM - ThinkPad X13s Gen 1 (Type 21BX, 21BY) | 1.63 | 1.63 |

Product | Component | CVE-2024-21944 |
---|---|---|
SD535 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware | GPE112G |
SD665 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SD665V3) | QGE128E |
SR635 (ThinkSystem) | Lenovo ThinkSystem SR635/SR655 UEFI Firmware | CFE144C |
SR635 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
SR645 (ThinkSystem) | Lenovo ThinkSystem SR645/SR665 UEFI Firmware (For AnyOS) | D8E138F |
SR645 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
SR655 (ThinkSystem) | Lenovo ThinkSystem SR635/SR655 UEFI Firmware | CFE144C |
SR655 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SR655V3/SR635V3) | KAE130I |
SR665 (ThinkSystem) | Lenovo ThinkSystem SR645/SR665 UEFI Firmware (For AnyOS) | D8E138F |
SR665 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SR645 V3/SR665 V3) | KAE130I |
SR675 V3 (ThinkSystem) | Lenovo System UEFI/BIOS Firmware (SR675 V3) | QGE128E |