Lenovo has issued a security advisory regarding three security vulnerabilities found on several laptops. The flaws affect more than 100 Lenovo laptop models, spanning the company’s IdeaPad, Legion, and Yoga portfolios. Using the vulnerabilities, an attacker could potentially disable the Unified Extensible Firmware Interface (UEFI) Secure Boot feature and execute arbitrary code on the laptop. The manufacturer has advised users with affected laptop models to update to the latest firmware for these devices from its official website in order to remain protected.
The three vulnerabilities were discovered by ESET researchers and affect the UEFI Secure Boot feature, which is designed to authenticate and load trusted code when the laptop is booted. They were responsibly disclosed by the researchers to Lenovo in October 2021. The vulnerabilities were confirmed by the company in November and assigned three CVEs (Common Vulnerabilities and Exposures): CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. A security advisory was published by the manufacturer on Monday.
According to ESET, which has published a detailed technical analysis of the security vulnerabilities, two of the vulnerabilities – CVE-2021-3971 (SecureBackDoor) and CVE-2021-3972 (ChgBootDxeHook) – were introduced when two UEFI firmware drivers were accidentally included in the firmware. These drivers are only used in the manufacturing of the laptop and can be exploited by attackers to disable the UEFI Secure Boot feature and disable protection for the flash memory chip that stores the UEFI firmware. Security software and other solutions on the operating system cannot detect these threats because they run early in the boot process – before the operating system has loaded.
To evade all of Secure Boot’s security features, UEFI threats, such as those discovered by ESET, disable the security mechanisms designed to load trusted code. According to the researchers, all UEFI threats discovered in the wild, including LoJax, MosaicRegressor, MoonBounce, ESPecter, and FinSpy, were able to circumvent these mechanisms to execute their malicious code. Similar security flaws were also discovered in HP firmware and were published by SentinelOne last month.
The researchers also found a third security flaw – CVE-2021-3970 (LenovoVariableSmm) – which could lead to arbitrary code execution in system management RAM (SMRAM) with elevated privileges. In some cases, it can be used to activate the ChgBootDxeHook driver to disable the UEFI Secure Boot feature, ESET researchers said. All three vulnerabilities require the attacker to have local access to the device, and Lenovo rated the flaws at a “Medium” severity level in its advisory.
More than 100 consumer laptop models used by millions of users are affected by the security flaws, according to the researchers. Users who own devices that have active development support can download the latest firmware update for their laptop from Lenovo’s Advisory website. However, several other affected devices will not receive fixes as they have reached End of Development Support (EODS). These users can instead use TPM-aware full disk encryption to make disk data inaccessible if the UEFI Secure Boot configuration is changed, the ESET researchers said.
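
The TPM-aware disk encryption mitigation works because the disk key is sealed to platform measurements that include the Secure Boot policy (PCR 7), so a changed configuration yields a different measurement. The following is an added example, not code from ESET or Lenovo: a simplified Python model of PCR extension and sealing. The event encoding, the names `measure_boot` and `SealedKey`, and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(event)); values only accumulate."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(secure_boot_on: bool, db: bytes) -> bytes:
    """Model of the Secure Boot policy PCR (PCR 7) after firmware measurements.

    Assumption: each event is encoded as name || 0x00 || data. Real firmware
    measures structured UEFI variable data (SecureBoot, PK, KEK, db, dbx).
    """
    pcr = bytes(32)  # PCRs reset to all zeros at power-on
    events = [("SecureBoot", bytes([int(secure_boot_on)])), ("db", db)]
    for name, data in events:
        pcr = extend(pcr, name.encode() + b"\x00" + data)
    return pcr

class SealedKey:
    """Hypothetical stand-in for a TPM-sealed disk key bound to a PCR value."""

    def __init__(self, key: bytes, expected_pcr: bytes):
        self._key = key
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        # A real TPM performs this comparison inside the chip and never
        # releases the key when the measurement differs.
        if hmac.compare_digest(current_pcr, self._expected):
            return self._key
        return None

# Constructed sample values, not taken from any real device.
DB = b"constructed-allowed-signature-db"
DISK_KEY = bytes(range(32))

def demo() -> dict:
    """Seal under a Secure Boot-enabled measurement, then try both boot states."""
    sealed = SealedKey(DISK_KEY, measure_boot(True, DB))
    return {
        "normal_boot": sealed.unseal(measure_boot(True, DB)),
        "secure_boot_disabled": sealed.unseal(measure_boot(False, DB)),
    }

if __name__ == "__main__":
    for scenario, key in demo().items():
        print(scenario, "-> key released" if key else "-> key withheld")
```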