Three vulnerabilities have been found and fixed across more than 100 laptop models from Lenovo, affecting a total of more than one million laptops. It was possible to install custom firmware, which was almost impossible to detect and remove. This is because the uefi or bios is stored on a separate chip on the motherboard and is the first software to run on boot.
CVE-2021-3971 and CVE-2021-3972 are part of the uefi drivers that should only be used in the production process. These were incorrectly disabled and ended up in the final bios image. Hackers can use these drivers to inadvertently modify the firmware, to disable Secure Boot and change control bits in the Serial Peripheral Interface or SPI, among other things.
After analyzing these two vulnerabilities, researchers from IT security firm ESET found a third vulnerability. CVE-2021-3970 allows hackers to run custom firmware in system administration mode. This is a highly privileged mode normally used by manufacturers for low-level management.
Based on the disclosure, Trammel Hudson, a security researcher specializing in firmware hacks, says the potential attacks are serious. However, the attacker must have the necessary knowledge and skills. Protections like BootGuard, which is supposed to protect the boot process from malicious firmware, can be effective. In the past, there were critical vulnerabilities that bypassed these protections.
All three vulnerabilities require local access, and an attacker must have control over the device to exploit this vulnerability. This usually requires another vulnerability to enter the system. Lenovo has released a list of affected models and is asking owners to update to the latest firmware version as soon as possible. Instructions on this can also be found in the message. Models that have not yet been corrected are targeted to be available on May 10, 2022.
ESET’s Martin Smolár thanked him for reporting the vulnerabilities. Lenovo shared a statement with Hardware Info (translated):
Lenovo would like to thank ESET for bringing to our attention an issue with the drivers used in the manufacture of some consumer laptops. Drivers are fixed and customers who update as described in the Lenovo advisory are protected. Lenovo is open to working with BIOS researchers and is increasing its investment in BIOS security to ensure our products continue to meet or exceed industry standards.
Source: Ars Technica
Source: Hardware Info
