A recent internal product security audit has revealed a potential vulnerability in certain ThinkPad models that could be exploited by a skilled attacker under specific conditions. The vulnerability was discovered due to the use of Boot Services in the SmmOEMInt15 SMI handler in these ThinkPad models. If exploited correctly, this vulnerability could allow an attacker with elevated privileges to execute arbitrary code. In this post, we'll examine the details of this vulnerability, the affected products, and potential methods of mitigation.

Overview of CVE-2022-1107

The vulnerability in question is CVE-2022-1107, classified as a security weakness involving the use of Boot Services in the SmmOEMInt15 SMI handler. It affects certain ThinkPad models, as found during an internal product security audit.

Here's a code snippet that highlights the affected area involving Boot Services in the SmmOEMInt15 SMI handler:

VOID
EFIAPI
SmmEntryPoint (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  ...
  // Resolve the SMM Base2 protocol through the Boot Services table. That table
  // lives outside SMRAM and is only valid before ExitBootServices.
  SystemTable->BootServices->LocateProtocol (&gEfiSmmBase2ProtocolGuid, NULL, (VOID **) &gEfiSmmBase2);
  // Obtain the SMM System Table (gSmst), the SMRAM-resident service table that
  // an SMI handler should rely on at runtime instead of Boot Services.
  gEfiSmmBase2->GetSmstLocation (gEfiSmmBase2, &gSmst);
  ...
}

Original References

The vulnerability was first reported after an internal product security audit, and the original references can be found in the National Vulnerability Database (NVD) provided by the National Institute of Standards and Technology (NIST).

- NVD - CVE-2022-1107
- Lenovo Security Advisory (LEN-64634)

Exploit Details

In order for an attacker to take advantage of the CVE-2022-1107 vulnerability, they need to possess elevated privileges on a system with an affected ThinkPad model. This means that the attacker would require administrative access or physical presence in order to exploit this vulnerability.

The vulnerability is triggered through the SmmOEMInt15 SMI handler's use of Boot Services, which can allow an attacker to run arbitrary code with SMM privilege. This could lead to various security breaches, including unauthorized access to sensitive information, the ability to modify system settings, or further compromise of the system.
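As an added illustration of the bug class behind this advisory (a constructed model, not code from the ThinkPad firmware or from Lenovo): the Boot Services table lives in ordinary memory that the operating system owns once ExitBootServices has run, so an SMI handler that still dereferences it at runtime executes whatever an administrator-level attacker placed there, with SMM privilege. The hardened variant latches an SMRAM-resident "at runtime" flag and refuses to call out of SMRAM; names such as BootServicesModel, VulnerableSmiHandler and gAtRuntime are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a Boot Services table in ordinary, OS-writable memory,
 * mirroring where the real EFI_BOOT_SERVICES table lives (outside SMRAM). */
typedef int (*LocateProtocolFn)(void);

typedef struct {
    LocateProtocolFn LocateProtocol;
} BootServicesModel;

static int GenuineLocateProtocol(void)  { return 0; }      /* EFI_SUCCESS */
static int HijackedLocateProtocol(void) { return 0xBAD; }  /* marker: OS-planted code ran */

static BootServicesModel gBsInNormalMemory = { GenuineLocateProtocol };

/* SMRAM-resident state: set once at ExitBootServices and never cleared.
 * The OS cannot reach it, so the handler can trust it. */
static bool gAtRuntime = false;
static void ExitBootServicesCallback(void) { gAtRuntime = true; }

/* Vulnerable pattern: the SMI handler dereferences the Boot Services pointer
 * on every SMI, so whatever the OS wrote into that table runs in SMM. */
int VulnerableSmiHandler(BootServicesModel *bs) {
    return bs->LocateProtocol();
}

/* Hardened pattern: Boot Services are used only before ExitBootServices; at
 * runtime the handler refuses and must rely on SMRAM-resident services only. */
int HardenedSmiHandler(BootServicesModel *bs) {
    if (gAtRuntime) {
        return -1;  /* treat as EFI_UNSUPPORTED rather than call out of SMRAM */
    }
    return bs->LocateProtocol();
}

/* Test harness step: the firmware leaves boot, then the table in normal
 * memory is overwritten, as an OS-level attacker could do. */
void SimulateRuntimeTamper(void) {
    ExitBootServicesCallback();
    gBsInNormalMemory.LocateProtocol = HijackedLocateProtocol;
}

int main(void) {
    printf("before runtime: vulnerable=%d hardened=%d\n",
           VulnerableSmiHandler(&gBsInNormalMemory), HardenedSmiHandler(&gBsInNormalMemory));
    SimulateRuntimeTamper();
    printf("after tamper:   vulnerable=0x%x hardened=%d\n",
           VulnerableSmiHandler(&gBsInNormalMemory), HardenedSmiHandler(&gBsInNormalMemory));
    return 0;
}
```

The same principle applies to any pointer an SMI handler reads from memory outside SMRAM: resolve what is needed during DXE, keep a copy in SMRAM, and never trust the original table after boot.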

Mitigation and Solutions

To mitigate the potential impact of this vulnerability, users should immediately apply any available firmware updates provided by Lenovo. The company has released firmware updates for the affected ThinkPad models, which can be found on their website: Lenovo Support.

Furthermore, implementing the principle of least privilege and ensuring that users have access only to what they need will decrease the risk of exploitation. Limiting physical access to systems will also reduce the likelihood of an attacker being able to exploit this vulnerability successfully.

Conclusion

CVE-2022-1107 is a potential vulnerability affecting certain ThinkPad models due to the use of Boot Services within the SmmOEMInt15 SMI handler, which could allow an attacker with elevated privileges to execute arbitrary code. Users should apply firmware updates provided by Lenovo and practice good security hygiene to minimize the risk associated with this vulnerability.

Timeline

Published on: 04/22/2022 21:15:00 UTC
Last modified on: 05/12/2022 13:42:00 UTC