Lenovo patches UEFI firmware vulnerabilities | Pentest7


ESET discovered and reported three vulnerabilities in the UEFI firmware (BIOS) of Lenovo notebooks, which Lenovo's advisory describes as follows. CVE-2021-3970: insufficient input validation in the LenovoVariable SMI handler on some Lenovo notebook models could allow an attacker with local access and elevated privileges to execute arbitrary code. CVE-2021-3971: a driver used during older manufacturing processes on some Lenovo consumer notebooks was mistakenly included in the shipped BIOS image and could allow an attacker with elevated privileges to modify the firmware protection region by changing an NVRAM variable. CVE-2021-3972: a driver used during the manufacturing process on some Lenovo consumer notebooks was mistakenly not deactivated and could allow an attacker with elevated privileges to modify Secure Boot settings by changing an NVRAM variable.

The backdoor drivers are Lenovo's own and were meant to be reachable only during manufacturing. Due to an error, however, they were included in the BIOS images delivered to customers. The leftover drivers can be abused from a privileged user-mode process at operating system runtime to directly disable SPI flash write protection (the BIOS control register bits and the protected range registers) or UEFI Secure Boot. Exploiting them would let an attacker deploy and successfully run SPI flash or ESP implants, such as LoJax or the recently discovered ESPecter UEFI malware, on affected devices.

In a UEFI attack, malicious code is loaded on the compromised device early in the boot process, before the operating system. This means the malware can manipulate configuration data, persist across reinstalls of the operating system, and potentially bypass security measures that are not loaded until the operating system phase.

On Tuesday, ESET stated that the vulnerabilities affect “more than a hundred different laptop models with millions of users worldwide” and are caused by drivers intended only for use during Lenovo's manufacturing process.

The list of affected products includes IdeaPads, Legion gaming machines, and Flex and Yoga laptops.

The first vulnerability, CVE-2021-3970, is in a software SMI (SW SMI) handler. It is an SMM memory corruption issue caused by improper input validation: the handler trusts parameters supplied by the caller, so an attacker can read and write SMRAM, which could in turn lead to execution of malicious code with SMM privileges and, from there, to writing an SPI flash implant.
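The input-validation failure behind this class of SMI handler bug is a caller-controlled address that the handler dereferences while running with SMM privileges. The following C program is an added illustration written for this article, not ESET's analysis code or Lenovo's handler: it models a small SMRAM window and an OS-visible buffer as byte arrays, and runs the same request through a handler that trusts the request's destination and through one that applies the range check EDK2's SmmIsBufferOutsideSmmValid() performs. The request layout, the SMRAM and OS memory addresses, and the "sentinel" flag inside SMRAM are all assumptions chosen for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the physical address space seen by an SMI handler.
 * Real SMRAM (TSEG) sits at a platform-specific address; these values are
 * assumptions chosen for the simulation, not Lenovo's layout. */
#define SMRAM_BASE 0x7F000000ull
#define SMRAM_SIZE 0x00001000ull   /* modelled as 4 KiB to keep the arrays small */
#define OSMEM_BASE 0x10000000ull
#define OSMEM_SIZE 0x00001000ull

static uint8_t smram[SMRAM_SIZE];   /* SMM-private memory */
static uint8_t osmem[OSMEM_SIZE];   /* memory the OS may legitimately hand to SMM */

/* Offset inside SMRAM holding a flag the OS must never be able to clear */
#define SENTINEL_OFF 0x100

/* Request the OS places in a shared buffer before raising a SW SMI.
 * Hypothetical layout; the point is the caller-controlled destination. */
typedef struct {
    uint64_t dest;     /* physical address the handler should write to */
    uint32_t length;
    uint8_t  data[64];
} VariableReq;

void reset_model(void) {
    memset(smram, 0, sizeof smram);
    memset(osmem, 0, sizeof osmem);
    smram[SENTINEL_OFF] = 1;   /* "protections engaged" */
}

uint8_t smram_sentinel(void) { return smram[SENTINEL_OFF]; }

/* Same test EDK2's SmmIsBufferOutsideSmmValid() performs: the whole
 * [addr, addr+len) range must lie outside SMRAM and must not wrap. */
bool buffer_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;
    uint64_t end = addr + len;
    return addr >= SMRAM_BASE + SMRAM_SIZE || end <= SMRAM_BASE;
}

/* Simulated physical write: routes to whichever modelled region holds addr */
static int phys_write(uint64_t addr, const uint8_t *src, uint64_t len) {
    if (addr >= SMRAM_BASE && addr + len <= SMRAM_BASE + SMRAM_SIZE) {
        memcpy(smram + (addr - SMRAM_BASE), src, (size_t)len);
        return 0;
    }
    if (addr >= OSMEM_BASE && addr + len <= OSMEM_BASE + OSMEM_SIZE) {
        memcpy(osmem + (addr - OSMEM_BASE), src, (size_t)len);
        return 0;
    }
    return -1;   /* unmapped in this model */
}

/* Vulnerable pattern: trusts req->dest and req->length straight from the OS */
int vulnerable_handler(const VariableReq *req) {
    return phys_write(req->dest, req->data, req->length);
}

/* Hardened pattern: bound the length to the embedded buffer and refuse any
 * destination that overlaps SMRAM before touching memory */
int hardened_handler(const VariableReq *req) {
    if (req->length > sizeof req->data) return -1;
    if (!buffer_outside_smram(req->dest, req->length)) return -1;
    return phys_write(req->dest, req->data, req->length);
}

static VariableReq make_request(uint64_t dest, uint8_t value) {
    VariableReq r;
    memset(&r, 0, sizeof r);
    r.dest = dest;
    r.length = 1;
    r.data[0] = value;
    return r;
}

/* Attack: aim dest at the sentinel inside SMRAM and write 0 to clear it */
int attack_result(bool hardened) {
    reset_model();
    VariableReq r = make_request(SMRAM_BASE + SENTINEL_OFF, 0);
    return hardened ? hardened_handler(&r) : vulnerable_handler(&r);
}

uint8_t sentinel_after_attack(bool hardened) {
    attack_result(hardened);
    return smram_sentinel();
}

/* Legitimate use: the OS asks for a write into its own buffer */
int legit_result(void) {
    reset_model();
    VariableReq r = make_request(OSMEM_BASE + 0x10, 0x5A);
    return hardened_handler(&r);
}

int main(void) {
    printf("vulnerable handler: rc=%d sentinel=%d\n", attack_result(false), (int)smram_sentinel());
    printf("hardened handler:   rc=%d sentinel=%d\n", attack_result(true), (int)smram_sentinel());
    printf("legitimate request: rc=%d\n", legit_result());
    return 0;
}
```

The vulnerable handler reports success and the sentinel inside SMRAM is cleared; the hardened handler rejects the same request and still serves the legitimate write into OS memory. In a real handler the range check has to cover every pointer and length the caller influences, including ones nested inside the communication buffer, and the buffer must be copied into SMRAM before validation so the OS cannot change it between the check and the use.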

“SMM is a highly privileged execution mode of x86 processors,” the researchers explain. “SMM code is written in the context of the system firmware and is typically used for a variety of tasks, including advanced power management, execution of OEM proprietary code, and secure firmware updates. It provides an independent execution environment that is completely invisible to the running operating system.”

The other two vulnerabilities, CVE-2021-3971 and CVE-2021-3972, are related to drivers named SecureBackDoor and SecureBackDoorPeim.

Lenovo describes the first of these, CVE-2021-3971, as “a potential vulnerability through a driver used during legacy manufacturing processes on some Lenovo consumer notebook devices that has been incorrectly included in the BIOS image, which could allow an elevated attacker to modify firmware protection scope by changing an NVRAM variable”.

The second, CVE-2021-3972, is a “potential vulnerability caused by a driver used on some Lenovo consumer notebook devices during the manufacturing process that was mistakenly not disabled and could allow an elevated attacker to change Secure Boot settings by modifying an NVRAM variable.”

Both drivers are triggered the same way: a sufficiently privileged attacker writes an NVRAM (UEFI) variable from the running operating system, and the leftover driver reads it at the next boot. Exploiting CVE-2021-3971 this way turns off SPI flash write protection, leaving the firmware image writable; exploiting CVE-2021-3972 turns off UEFI Secure Boot, so an unsigned bootloader or ESP implant can run. Either outcome gives the attacker what is needed to deploy a malicious implant.

ESET reported the three vulnerabilities to Lenovo on October 11, 2021. Lenovo confirmed them in November and has since released patches.

Users are advised to update their firmware immediately. Lenovo has published an advisory with workarounds for users who cannot apply the patches at this time.

However, not every device on the affected list will receive an update, as some are end-of-life products. For devices that are no longer supported, ESET recommends using TPM-aware full-disk encryption, so that data remains inaccessible if the UEFI Secure Boot configuration is tampered with.
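Whether a machine has been patched or is one of the unsupported models, the two protections these drivers switch off, SPI flash write protection (the BIOS control register bits and protected range registers mentioned above) and UEFI Secure Boot, can be verified from the running OS. The following C program is an added example written for this article, not ESET's or Lenovo's code: it turns a BIOS_CNTL value and a set of PRx registers into a protection verdict the way chipsec's common.bios_wp module does, and decodes the SecureBoot and SetupMode variables as Linux efivarfs exposes them. The bit positions follow Intel PCH documentation and should be treated as assumptions to confirm against the datasheet for your chipset; the register values in main() are constructed, and reading the actual registers (for example with chipsec) is outside this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL (BC) bits as documented for Intel PCH chipsets. Treat the
 * positions as an assumption to verify against your platform's datasheet. */
#define BC_BIOSWE  (1u << 0)   /* BIOS Write Enable */
#define BC_BLE     (1u << 1)   /* BIOS Lock Enable: SMI fires when BIOSWE is set */
#define BC_SMM_BWP (1u << 5)   /* BIOS writes allowed only while in SMM */

/* SPI Protected Range register PRx: WPE in bit 31, limit in bits 30:16,
 * base in bits 14:0, both in 4 KiB units of flash linear address. */
#define PR_WPE       (1u << 31)
#define PR_LIMIT(pr) (((pr) >> 16) & 0x7FFFu)
#define PR_BASE(pr)  ((pr) & 0x7FFFu)

typedef enum {
    FLASH_UNPROTECTED = 0,  /* OS-level code can rewrite the BIOS region */
    FLASH_BLE_ONLY    = 1,  /* BLE set without SMM_BWP: weaker, bypassable by known races */
    FLASH_PR_COVERED  = 2,  /* a PRx with WPE covers the whole BIOS region */
    FLASH_SMM_BWP     = 3   /* BLE + SMM_BWP: writes confined to SMM */
} FlashStatus;

/* bios_base/bios_limit: BIOS region bounds in 4 KiB units (from the flash descriptor) */
FlashStatus flash_write_protection(uint8_t bios_cntl, const uint32_t *pr, size_t npr,
                                   uint32_t bios_base, uint32_t bios_limit) {
    if ((bios_cntl & BC_BLE) && (bios_cntl & BC_SMM_BWP))
        return FLASH_SMM_BWP;
    for (size_t i = 0; i < npr; i++) {
        if ((pr[i] & PR_WPE) && PR_BASE(pr[i]) <= bios_base && PR_LIMIT(pr[i]) >= bios_limit)
            return FLASH_PR_COVERED;
    }
    if ((bios_cntl & BC_BLE) && !(bios_cntl & BC_BIOSWE))
        return FLASH_BLE_ONLY;
    return FLASH_UNPROTECTED;
}

/* Linux efivarfs exposes each variable as 4 bytes of attributes followed by
 * the data; SecureBoot and SetupMode carry a single data byte.
 * Returns 1 (set), 0 (clear) or -1 (malformed). */
int decode_efivar_byte(const uint8_t *buf, size_t len) {
    if (len < 5) return -1;
    return buf[4] ? 1 : 0;
}

/* Secure Boot is only enforced when SecureBoot=1 and SetupMode=0;
 * a firmware left in setup mode accepts unsigned loaders even if SecureBoot reads 1 */
int secure_boot_enforced(const uint8_t *sb, size_t sb_len, const uint8_t *sm, size_t sm_len) {
    int on = decode_efivar_byte(sb, sb_len);
    int setup = decode_efivar_byte(sm, sm_len);
    if (on < 0 || setup < 0) return -1;
    return (on == 1 && setup == 0) ? 1 : 0;
}

/* Reads one variable file from efivarfs; returns bytes read or -1 */
long read_efivar(const char *path, uint8_t *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

int main(void) {
    /* Constructed register snapshots, not values read from any real machine */
    const uint32_t no_pr[5] = {0};
    const uint32_t pr_bios[5] = {0x8FFF0600u, 0, 0, 0, 0}; /* WPE, base 0x600, limit 0xFFF */
    printf("BLE+SMM_BWP -> %d\n", flash_write_protection(0x22, no_pr, 5, 0x600, 0xFFF));
    printf("BIOSWE only -> %d\n", flash_write_protection(0x01, no_pr, 5, 0x600, 0xFFF));
    printf("PR0 covers  -> %d\n", flash_write_protection(0x00, pr_bios, 5, 0x600, 0xFFF));

    /* Live check on Linux; both variables use the EFI global variable GUID */
    uint8_t sb[64], sm[64];
    long nsb = read_efivar("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c", sb, sizeof sb);
    long nsm = read_efivar("/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c", sm, sizeof sm);
    if (nsb > 0 && nsm > 0)
        printf("Secure Boot enforced: %d\n", secure_boot_enforced(sb, (size_t)nsb, sm, (size_t)nsm));
    else
        printf("efivarfs not available; skipped live Secure Boot check\n");
    return 0;
}
```

A verdict of FLASH_UNPROTECTED or FLASH_BLE_ONLY after a reboot, on a machine that previously reported FLASH_SMM_BWP, is exactly the state the CVE-2021-3971 backdoor produces, and SecureBoot reading 0 (or SetupMode reading 1) is the state the CVE-2021-3972 backdoor produces; recording the baseline values once and re-checking them at boot is the cheapest detection available for these bugs.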

“All real-world UEFI threats discovered in recent years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – had to bypass or disable security mechanisms in some way in order to deploy and run,” said ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery shows that in some cases, deploying UEFI threats is not as difficult as expected, and the larger number of real-world UEFI threats discovered in recent years indicates that attackers are aware of this.”
