The standard operator configurations disable signature checking, this means that some Server x BIOS/UEFI versions do not properly authenticate signed code before booting it.
“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.” reads the security advisory.
“Lenovo ships these systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment, and standard operator configurations disable signature checking.”
An attacker can exploit the vulnerability to execute unauthenticated code at the bootstrap of the affected system. The CVE-2017-3775 vulnerability impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.
Lenovo disclosed the complete list of impacted products and provided the related BIOS/UEFI update, it also explained that they ship with Secure Boot disabled by default.
Lenovo also issued a patch to address the CVE-2018-9063 buffer overflow in Lenovo System Update Drive Mapping Utility. -The flaw could be exploited by attackers for different kind of attacks, include the execution of arbitrary code on the target machine.
“MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) contains a local vulnerability where an attacker entering very large user ID or password can overrun the program’s buffer, causing undefined behaviors, such as execution of arbitrary code.” reads the security advisory.
“No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.”
The flaw could be easily exploited by an attacker entering very large user ID or password in order to overrun the program’s buffer. The attacker could potentially execute code with the MapDrv’s privileges.
Users need to update the application to Lenovo System Update version 5.07.0072 or later.
Users can launch Lenovo System Update to automatically checks for newer versions and accept the update if present, otherwise it is possible to manually update the application downloading the latest app version from the company website.
(Security Affairs – Lenovo System Update, CVE-2017-3775)