Tag Archive for: lenovo
This serious firmware flaw affects a whole load of Lenovo laptops
Three serious security vulnerabilities has been discovered, and patched, across a whole slew of Lenovo laptops.
Cybersecurity experts from ESET uncovered the issue in the ReadyBootDxe driver used by some Lenovo notebooks, as well as two buffer overflow issues found in the SystemLoadDefaultDxe driver, potentially allowing threat actors to hijack the startup routine of Windows installations.
The Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540, and S940 Lenovo lines are all affected, counting more than 70 endpoint (opens in new tab) models.
Improved code
“These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable,” ESET Research tweeted out, recently.
“An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
The company has also submitted improved code to Binarly’s UEFI firmware analyzer ‘efiXplorer,’ the publication further found, which all interested admins can find on GitHub, for free.
The vulnerabilities, tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, reside in UEFI firmware, and as such, are quite dangerous. Exploiting them allows threat actors to run malware during boot, effectively circumventing any antivirus programs. It also makes malware more persistent, as wiping the disk, which is considered the Hail Mary of virus elimination, doesn’t help.
The silver lining is that not everyone can exploit these flaws – it does require a bit of knowledge. Still, more experienced crooks can wreak major damage.
To make sure their devices are safe, admins are advised to always keep them up to date, both on the software and on the hardware side of things, as well as to keep any software used, updated. Furthermore, having a strong firewall (opens in new tab) solution helps, as well as antivirus.
Users that don’t know exactly which Lenovo model they’re using can use the company’s automatic online detector here (opens in new tab).
Sequitur Labs and Lenovo join forces to secure AI models at the edge
Sequitur Labs announced that it has been selected by Lenovo as the technology vendor of choice for protecting edge AI computing applications utilized as part of the Lenovo ThinkEdge SE70 platform.
ThinkEdge SE70 is a powerful and flexible AI edge platform for enterprise designed to meet the expanding intelligent transformation needs from logistics, transportation and smart cities to retail, healthcare and manufacturing. The new edge solution from Lenovo is powered by the NVIDIA Jetson Xavier NX system on module. Implementing Sequitur as the security suite better ensures that Lenovo’s SE70 isolates dedicated hardware running AI models and delivering inferences and relevant data — thereby helping to secure AI models at the edge.
“Internet of Things (IoT) deployment is a tremendous market opportunity for both solution providers and enterprises based on the ability of AI solutions at the edge to make decisions to optimize operations and support new strategies,” said Blake Kerrigan, General Manager of ThinkEdge, Lenovo Intelligent Devices Group. “Although these devices offer significant upside, there remains an equally great need to better secure and protect the devices and IP in deployment. That’s why we are committed to work with Sequitur Labs to develop our first appliance designed to better protect AI models at the edge.”
Sequitur Labs’ EmSPARK Security Suite was designed to address solutions in industries where embedded security is paramount, in particular, protection of AI models at the edge. Supporting security functions for encryption, storage, data transmission and key/certificate management are delivered by EmSPARK and housed in a microprocessor’s secure memory partition. IoT hardware manufacturers use EmSPARK to easily implement device-level security by addressing technical, IP, supply chain and business process challenges.
Developers can easily build applications that use security enhanced resources without having to become experts in cryptography and complex chip-level security technologies. Overall, the solution reduces security development and deployment time and investment by 40 to 70 percent, significantly reduces risk, and reduces BOM…