Lenovo Statement on Lenovo Service Engine (LSE) BIOS

In the April – May timeframe, Lenovo made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability that was discovered and brought to its attention by an independent security researcher, Roel Schouwenberg. In coordination with Mr. Schouwenberg and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories that highlighted the new BIOS firmware, specifically for consumer notebook and desktop systems. Lenovo always strongly recommends that users update their systems with the latest BIOS firmware. Starting in June, the new BIOS firmware has been installed on all newly manufactured Lenovo consumer notebook and desktop systems.

The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs.  Think-brand PCs are unaffected.  Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.

As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo’s use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware, which disables and/or removes this feature.

LSE was shipped on some Lenovo-branded notebook systems running Windows 7, 8 and 8.1 and desktop systems running Windows 8 and 8.1 as listed below.  The software does not come loaded on any Think-branded PCs.

List of affected Lenovo Products:

Lenovo Notebook

  • Flex 2 Pro 15 (Broadwell)
  • Flex 2 Pro 15 (Haswell)
  • Flex 3 1120
  • Flex 3 1470/1570
  • G40-80/G50-80/G50-80 Touch
  • S41-70/U41-70
  • S435/M40-35
  • V3000
  • Y40-80
  • Yoga 3 11
  • Yoga 3 14
  • Z41-70/Z51-70
  • Z70-80/G70-80

Lenovo Desktop
World Wide

  • A540/A740
  • B4030
  • B5030
  • B5035
  • B750
  • H3000
  • H3050
  • H5000
  • H5050
  • H5055
  • Horizon 2 27
  • Horizon 2e(Yoga Home 500)
  • Horizon 2S
  • C260
  • C2005
  • C2030
  • C4005
  • C4030
  • C5030
  • X310(A78)
  • X315(B85)

Lenovo Desktop
China Only

  • D3000
  • D5050
  • D5055
  • F5000
  • F5050
  • F5055
  • G5000
  • G5050
  • G5055
  • YT A5700k
  • YT A7700k
  • YT M2620n
  • YT M5310n
  • YT M5790n
  • YT M7100n
  • YT S4005
  • YT S4030
  • YT S4040
  • YT S5030
