Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks. Discovered by ESET researchers, the vulnerabilities could be exploited to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter in the Lenovo Notebook BIOS.
The malware can tamper with configuration data, establish persistence, and may be able to bypass security measures that are only loaded at the OS stage.
Lenovo has described the first security flaw as a “potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify [the] firmware protection region by modifying an NVRAM variable.”
The second issue is a “potential vulnerability by a driver used during [the] manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated [and] may allow an attacker with elevated privileges to modify secure boot setting[s] by modifying an NVRAM variable.”
The first vulnerability, CVE-2021-3970, impacts the SW SMI handler function. This SMM memory corruption issue, caused by improper input validation, permits attackers to read/write into SMRAM, which, in turn, could allow malicious code with SMM privileges to execute, and for SPI flash implants to be deployed. The other two vulnerabilities, CVE-2021-3971 and CVE-2021-3972, relate to drivers named SecureBackDoor and SecureBackDoorPeim.
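The "improper input validation" behind the SMM memory corruption is the class of bug where an SW SMI handler acts on a pointer handed to it from outside SMM without checking where that pointer lands. The following is an added example, not code from the article, ESET or Lenovo: it simulates SMRAM and a caller-supplied request in ordinary process memory and shows a handler that trusts the pointer beside one that rejects any target overlapping SMRAM. The SMRAM size, request layout and return codes are assumptions for illustration; the EDK2 function named in the comment is the real reference point for this check.

```c
/* Added example (not from the article, ESET or Lenovo): models the pointer
 * validation an SW SMI handler must apply to caller-supplied requests.
 * SMRAM and the shared request buffer are simulated in ordinary process
 * memory; the SMRAM bounds, request layout and return codes are assumptions
 * made for illustration, not Lenovo's or EDK2's real structures. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMRAM_SIZE 4096
/* Simulated SMRAM: on real hardware these bounds come from the SMRAM map. */
static uint8_t g_smram[SMRAM_SIZE];
/* Simulated caller-owned buffer outside SMRAM. */
static uint8_t g_user_buf[32];

/* Request written by a ring-0 caller before it triggers the SW SMI.
 * Every field, above all the pointer, must be treated as untrusted. */
typedef struct {
    uint8_t *dst;        /* where the caller asks the handler to write */
    uint32_t len;        /* bytes to write */
    uint8_t  payload[32];
} SmiRequest;

/* True only if [addr, addr+len) is non-empty, does not wrap, and shares no
 * byte with SMRAM. Same intent as EDK2's SmmIsBufferOutsideSmmValid(). */
bool buffer_outside_smram(const void *addr, size_t len) {
    uintptr_t start = (uintptr_t)addr;
    uintptr_t smram_start = (uintptr_t)g_smram;
    uintptr_t smram_end = smram_start + SMRAM_SIZE;
    if (len == 0) return false;
    if (start > UINTPTR_MAX - len) return false;   /* address wraparound */
    uintptr_t end = start + len;                    /* exclusive */
    return end <= smram_start || start >= smram_end;
}

/* Vulnerable pattern (improper input validation): the destination pointer
 * is used as-is, so a pointer into SMRAM lets the caller overwrite SMM
 * code or data and run with SMM privileges. */
int vulnerable_handler(const SmiRequest *req) {
    memcpy(req->dst, req->payload, req->len);
    return 0;
}

/* Hardened pattern: bound the length, then refuse any target that touches
 * SMRAM, before a single byte is copied. */
int hardened_handler(const SmiRequest *req) {
    if (req->len > sizeof req->payload) return -1;            /* bad length */
    if (!buffer_outside_smram(req->dst, req->len)) return -2; /* SMRAM target */
    memcpy(req->dst, req->payload, req->len);
    return 0;
}

/* Request aimed into SMRAM: the hardened handler must reject it. */
int check_smram_target(void) {
    SmiRequest req = { .dst = g_smram + 128, .len = 16 };
    memset(req.payload, 0x41, sizeof req.payload);
    return hardened_handler(&req);
}

/* Request aimed at the caller's own buffer: the hardened handler accepts it. */
int check_user_target(void) {
    SmiRequest req = { .dst = g_user_buf, .len = 16 };
    memset(req.payload, 0x42, sizeof req.payload);
    return hardened_handler(&req);
}

/* Oversized length: rejected before the pointer is even examined. */
int check_bad_length(void) {
    SmiRequest req = { .dst = g_user_buf, .len = 1024 };
    return hardened_handler(&req);
}

int main(void) {
    printf("SMRAM target: %d (expect -2)\n", check_smram_target());
    printf("user target:  %d (expect 0)\n", check_user_target());
    printf("bad length:   %d (expect -1)\n", check_bad_length());
    return 0;
}
```

The check is deliberately an overlap test with an exclusive end, so a range that merely ends at the SMRAM boundary is allowed while one that straddles it by a single byte is not; the wraparound test matters because an attacker-chosen length can otherwise push the computed end below the start and slip past a naive comparison.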
The vulnerabilities impact more than one hundred different consumer laptop models with millions of users worldwide. The impacted product list includes IdeaPads, Legion gaming devices, and both Flex and Yoga laptops.
Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots. It is recommended that users patch their firmware immediately. Lenovo has published an advisory and alternative mitigation options for users who can't accept fixes at this time.
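Because the described outcome is Secure Boot or SPI protections silently turned off through an NVRAM variable, a practical follow-up on a patched or unpatched machine is to verify the firmware's reported Secure Boot state rather than assume it. The following is an added example, not code from the article, ESET or Lenovo: a small C program that reads the SecureBoot and SetupMode variables Linux exposes under efivarfs and decides whether Secure Boot is actually enforced. The efivarfs path and the EFI_GLOBAL_VARIABLE GUID are the real ones; the sample records embedded for offline use are constructed.

```c
/* Added example (not from the article, ESET or Lenovo): checks whether
 * Secure Boot is actually enforced by reading the SecureBoot and SetupMode
 * variables that Linux exposes under efivarfs. Record parsing is kept apart
 * from file I/O so the same logic runs on constructed sample records when
 * no firmware is available. The efivarfs path and the EFI_GLOBAL_VARIABLE
 * GUID are real; the sample records below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFIVARS_DIR "/sys/firmware/efi/efivars/"
#define EFI_GLOBAL_VARIABLE_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* efivarfs record layout: 4-byte little-endian attribute mask, then data.
 * Returns the first data byte as 0/1, or -1 if the record is truncated. */
int parse_bool_efivar(const uint8_t *rec, size_t n, uint32_t *attrs_out) {
    if (rec == NULL || n < 5) return -1;
    uint32_t attrs = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
                     ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);
    if (attrs_out) *attrs_out = attrs;
    return rec[4] ? 1 : 0;
}

/* Secure Boot is enforced only when SecureBoot == 1 and the platform is in
 * User Mode (SetupMode == 0); SetupMode == 1 means keys can be rewritten and
 * signature checks are not applied. Returns 1, 0, or -1 if either is unknown. */
int secure_boot_enforced(int secure_boot, int setup_mode) {
    if (secure_boot < 0 || setup_mode < 0) return -1;
    return (secure_boot == 1 && setup_mode == 0) ? 1 : 0;
}

/* Read one boolean variable from efivarfs; -1 if absent or unreadable. */
int read_bool_efivar(const char *name) {
    char path[256];
    uint8_t rec[16];
    snprintf(path, sizeof path, EFIVARS_DIR "%s-" EFI_GLOBAL_VARIABLE_GUID, name);
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(rec, 1, sizeof rec, f);
    fclose(f);
    return parse_bool_efivar(rec, n, NULL);
}

/* Constructed sample records: attributes 0x06 (BOOTSERVICE|RUNTIME), then value. */
const uint8_t SAMPLE_SB_ON[]    = {0x06, 0x00, 0x00, 0x00, 0x01};
const uint8_t SAMPLE_SB_OFF[]   = {0x06, 0x00, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_SETUP_ON[] = {0x06, 0x00, 0x00, 0x00, 0x01};

/* Evaluate a pair of records exactly as the live path would. */
int evaluate_records(const uint8_t *sb, size_t sb_len,
                     const uint8_t *setup, size_t setup_len) {
    return secure_boot_enforced(parse_bool_efivar(sb, sb_len, NULL),
                                parse_bool_efivar(setup, setup_len, NULL));
}

int main(void) {
    int sb = read_bool_efivar("SecureBoot");
    int setup = read_bool_efivar("SetupMode");
    int enforced = secure_boot_enforced(sb, setup);
    if (enforced < 0)
        puts("Secure Boot state unknown (efivarfs not mounted, or legacy boot)");
    else
        printf("SecureBoot=%d SetupMode=%d -> enforced: %s\n",
               sb, setup, enforced ? "yes" : "NO");
    return enforced == 1 ? 0 : 1;
}
```

Run it as root on a UEFI-booted Linux system; a non-zero exit means Secure Boot is off, the platform is in Setup Mode, or the state could not be read. Treat the result as the firmware's own claim: once SMM or the SPI flash has been compromised, the variables can be made to say whatever the implant wants, so this check complements firmware updates and baseline comparisons of the SPI image, it does not replace them.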