Lenovo has released security updates for more than a hundred laptop models. They remove three serious vulnerabilities in the computers' UEFI firmware (BIOS).
Two of them are leftover backdoor-like functions. CVE-2021-3971 lets an attacker who already holds elevated privileges (administrator access on the operating system) switch off the write protection of the firmware's flash region, so that the firmware itself can be overwritten. CVE-2021-3972 lets an equally privileged attacker change the system's Secure Boot settings.
The third, CVE-2021-3970, is a memory-corruption bug in a System Management Mode (SMM) handler. An attacker with elevated privileges could use it to run code with SMM privileges, i.e. below the operating system; it does not on its own provide the administrator access that all three flaws require as a starting point.
Keeps damage hidden
Together, these flaws let an attacker plant malware in the firmware itself, where it survives a reinstallation of the operating system and is difficult both to detect and to remove.
The two driver-related vulnerabilities, CVE-2021-3971 and CVE-2021-3972, exist because UEFI drivers intended only for the manufacturing process were left in the firmware images of shipped systems without being properly disabled. That is the account given by the IT security company Eset, which discovered the vulnerabilities last autumn and notified Lenovo on October 11, 2021.
The security updates and vulnerability details were originally scheduled for release on February 8, 2022, but development problems delayed them by more than two months.
The vulnerabilities primarily affect consumer laptop models, including many in the IdeaPad, Legion and Yoga families. Some models are affected by only two of the three. Lenovo's security advisory lists every affected model together with the BIOS version that fixes it.
Affected systems therefore need a BIOS update. This is normally not delivered through Windows Update, so users have to install it themselves.
The easiest route is usually Lenovo's own update tool, which typically ships preinstalled on its PCs (Lenovo Vantage on consumer models); the update can also be installed manually by following the model-specific links in Lenovo's advisory. After updating, check that the BIOS version reported by the firmware or the operating system matches the fixed version listed in the advisory, and that Secure Boot is still enabled, since CVE-2021-3972 allows exactly that setting to be changed silently.
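The following script is an added example written for this page; it is not code from the article, Lenovo or Eset. It performs the two post-update checks a fleet administrator would want on a Linux host: it classifies the firmware's Secure Boot state from the `SecureBoot` and `SetupMode` variables exposed under `/sys/firmware/efi/efivars`, and it compares the installed BIOS ID from `/sys/class/dmi/id/bios_version` with the fixed ID taken from Lenovo's advisory. The assumptions are labelled in the code: the efivarfs layout (4-byte attribute mask followed by the variable data) is from the kernel's efivarfs, the GUID is the UEFI global variable GUID, and the BIOS ID pattern (`GKCN33WW`, four-character platform prefix, two-digit version, `WW`) is an observed Lenovo naming convention, not something the advisory documents. The fixed version passed on the command line is whatever the advisory lists for your model; `GKCN35WW` below is a placeholder, not a real fixed version.

```python
"""Post-update check for Lenovo laptops on Linux: Secure Boot state and BIOS version.

Added example for this page; not code from the article, Lenovo or Eset.
Assumptions: efivarfs file layout (4-byte LE attribute mask + data), the UEFI
global-variable GUID, and Lenovo's "XXXXNNWW" BIOS ID convention.
"""
from __future__ import annotations

import json
import re
import struct
import sys
from pathlib import Path

# UEFI spec GUID under which SecureBoot and SetupMode are published.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
DMI_DIR = Path("/sys/class/dmi/id")

# Assumption: consumer Lenovo BIOS IDs look like "GKCN33WW" (platform prefix,
# two-digit version, "WW"). The numeric part is the only thing we compare.
LENOVO_BIOS_ID = re.compile(r"^([A-Z0-9]{4})(\d{2})WW$")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs blob into (attribute mask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes | None, setupmode_raw: bytes | None) -> str:
    """Classify Secure Boot from the raw SecureBoot/SetupMode variables.

    Returns "enforcing", "disabled", "setup-mode" or "no-uefi-vars". A firmware
    whose Secure Boot setting has been toggled off (what CVE-2021-3972 permits
    for a privileged attacker) shows up as "disabled" or "setup-mode".
    """
    if secureboot_raw is None:
        return "no-uefi-vars"  # legacy boot or efivarfs not mounted
    _, sb = parse_efivar(secureboot_raw)
    setup = 0
    if setupmode_raw is not None:
        _, sm = parse_efivar(setupmode_raw)
        setup = sm[0] if sm else 0
    if setup == 1:
        return "setup-mode"  # platform key cleared: no signature enforcement
    return "enforcing" if sb and sb[0] == 1 else "disabled"


def parse_lenovo_bios_version(version: str) -> tuple[str, int] | None:
    """Return (platform prefix, numeric version) or None if not a Lenovo-style ID."""
    m = LENOVO_BIOS_ID.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None


def bios_is_current(installed: str, fixed: str) -> bool | None:
    """True if the installed ID is at or above the fixed ID for the same platform.

    Returns None when either ID is unparseable or the platform prefixes differ,
    so a wrong fixed ID is reported as "unknown" rather than as a pass.
    """
    a, b = parse_lenovo_bios_version(installed), parse_lenovo_bios_version(fixed)
    if a is None or b is None or a[0] != b[0]:
        return None
    return a[1] >= b[1]


def summarize(secureboot_raw: bytes | None, setupmode_raw: bytes | None,
              vendor: str, bios_version: str, fixed_bios: str) -> dict:
    """Pure assessment step, separated from file reading so it can be tested offline."""
    return {
        "vendor": vendor.strip(),
        "bios_version": bios_version.strip(),
        "bios_current": bios_is_current(bios_version, fixed_bios),
        "secure_boot": secure_boot_state(secureboot_raw, setupmode_raw),
    }


def check_host(fixed_bios: str, efivars: Path = EFIVARS_DIR, dmi: Path = DMI_DIR) -> dict:
    """Read the live sysfs nodes (world-readable, no root needed) and assess them."""
    def read(p: Path) -> bytes | None:
        return p.read_bytes() if p.exists() else None

    sb = read(efivars / f"SecureBoot-{EFI_GLOBAL_VARIABLE}")
    sm = read(efivars / f"SetupMode-{EFI_GLOBAL_VARIABLE}")
    vendor = (read(dmi / "sys_vendor") or b"").decode(errors="replace")
    version = (read(dmi / "bios_version") or b"").decode(errors="replace")
    return summarize(sb, sm, vendor, version, fixed_bios)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: bioscheck.py <fixed BIOS ID from Lenovo's advisory, e.g. GKCN35WW>")
    print(json.dumps(check_host(sys.argv[1]), indent=2))
```

A result with `"bios_current": false` or `"secure_boot"` other than `"enforcing"` is a host that still needs attention; `null` for `bios_current` means the fixed ID given does not match the platform prefix of the installed one and should be looked up again in the advisory. The script reads only sysfs, so it can be pushed out through any configuration-management tool without elevated rights.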