Lenovo: AMI BIOS SMM vulnerability

Lenovo Security Advisory: LEN-4710
Potential Impact:  Execution of code in SMM by an attacker with administrative access
Severity: Medium
Scope of impact: Industry-wide

Summary Description: System Management Mode (SMM) is the most privileged execution mode of the x86 processor. Software System Management Interrupt (SWSMI) handlers are used by software to call on BIOS functions that reside within the SMM. A vulnerability has been identified in one of the SWSMI handlers in the BIOS code from American Megatrends Inc. (AMI) used on some Lenovo systems. This could allow a malicious attacker with administrative access to execute code in the SMM and bypass some BIOS security mechanisms and install software with bootkit functionality. Mitigation Strategy for Customers (what you should do to protect yourself): Update your BIOS level to the latest version by following the instructions in the readme file. This issue only affects Lenovo products with BIOS firmware from AMI. Brands not listed, such as ThinkPad, do not use AMI firmware and are not affected by this vulnerability. Lenovo thanks Bruno Pujos of Sogeti ESEC R&D for reporting this issue.[…]

More info:




CVE-2016-8226, Lenovo UEFI DoS

CVE Identifier: CVE-2016-8226
Access Vector: Network exploitable
Access Complexity: Low
Original release date: 01/26/2017

The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.


Lenovo Security Advisory: LEN-11306
Denial of service attack on Lenovo System X M5, M6, and X6 systems
A vulnerability was identified in the BIOS of Lenovo System X M5, M6, and X6 systems. An attacker with administrative access to a system can cause a denial of service attack on the system by updating a UEFI data structure. After this occurs, the system will not complete POST (Power-On Self-Test) , hang at the Lenovo splash screen, and fail to boot. This issue was inadvertently encountered in an update to Microsoft Windows Server 2012, Windows Server 2012R2 and Windows Server 2016 (see https://support.lenovo.com/us/en/solutions/ht502912 for details). However, systems running any operating system are vulnerable. Lenovo strongly recommends installing this update. Mitigation Strategy for Customers (what you should do to protect yourself):[…]




Lenovo’s Think BIOS Config Tool




Some related Lenovo BIOS tools:

[I confess still not understanding what this “BIOS to UEFI” thing that Windows admin tools now have. Is it switching from Legacy to UEFI firmware then redoing the OS bits to handle that? Why are these boxes using Legacy  mode in the first place? Oh well.]



Lenovo XClarity

Apparently Lenovo’s XClarity Administrator software uses the Redfish API:

“Lenovo XClarity is a fast, flexible, and scalable hardware systems management application that enables administrators to deploy infrastructure faster and with less effort. This video provides a brief overview of XClarity Administrator, VMware Integration, the XClarity Mobile App, and new features supporting extended management of storage and network switches.”

Here’s a Lenovo video showing the tech:


Lenovo BIOS to UEFI


“Lenovo BIOS to UEFI TS Converter with CG/DG Prep: Allows you to configure SecureBoot/UEFI settings, as well as Virtualization Technology and TPM for Credential Guard and Device Guard. This script is designed to work on both ThinkPad and ThinkCentre machines. This script connects to the WMI instances for Lenovo machines, and then configures the requested settings. This script is designed to be used as part of a task sequence where you want to convert from legacy BIOS to UEFI and at the same time prepare the machine for Credential Guard and Device Guard.”


New UEFI RNG tool

Finnbarr P. Murphy has a new UEFI tool that checks your firmware for RNGs, and it sounds like he’s found some Lenovo Thinkpad errors with it:

[…] Here is a small UEFI shell utility that checks your firmware for available RNGs: […] I built the utility on a 64-bit Fedora 24 platform using GCC and UDK2015. I have not tried building a 32-bit utility nor have I build it using Visual Studio or other development frameworks – so do not be surprised if you have modify either the code or the build recipe in these cases. I tested the utility on a Lenovo T450 using firmware version JBET60WW (1.24) and was surprised to find that the firmware did not appear to support any RNGs as evidenced by the zero RNG algorithm count returned. However, by explicitly, testing for the default RNG if the count was zero, it was possible to determine that the T450 did in fact at least support the default RNG. Perhaps, I am not parsing the UEFI specification correctly but I would expect the RNG count returned by GetInfo to include the default RNG. Interestingly, when I build and load the UDK2015 test RNG DXE driver which contains a reference counter mode DRBG (Deterministic Random Bit Generator) conforming to NIST SP 800-90a, the algorithm count returned by GetInfo jumps to 2. This leads me to suspect that their is a bug in the firmware w.r.t. to the RNG protocol implementation. Please let me know if I am incorrect in my assumptions or observations.