In October 2021, ESET notified Lenovo of all detected vulnerabilities. The list of affected devices includes more than a hundred different laptop models that affect millions of users worldwide.
These vulnerabilities could allow an attacker to install code that attacks UEFI (the successor to the BIOS), such as LoJax for SPI Flash Memoryor related to the UEFI bootkit that has just been discovered ESPecter malware.
UEFI pests can be extremely insidious and dangerous. These start working at the beginning of the boot process before handing over control to the operating system, which means that they can circumvent many of the security measures that run at the operating system level, said ESET researcher Martin Smolár, who discovered the vulnerabilities. Their discovery shows that in some cases, the unnoticed deployment of UEFI pests is unfortunately not as difficult as it has been seen before, and the growing number of new UEFI threats discovered in recent years suggests that attackers are taking advantage of this as well.
All previous UEFI threats discovered in recent years — LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy — had to bypass or disable security mechanisms before they could be installed and implemented.
UEFI’s boot and operation services provide the basic functions and data structures needed to run drivers and applications, such as installing various protocols, searching for existing protocols, or allocating memory. The first two vulnerabilities, CVE-2021-3971, CVE-2021-3972, affect UEFI firmware drivers that were originally used only in the manufacturing process of Lenovo notebooks.
Unfortunately, they were also included in the manufacturing BIOS by mistake without being properly deactivated. In addition, during the scan, ESET discovered a third vulnerability: SMM (System Management Mode) corruption.
This vulnerability could allow unauthorized reading / writing of SMRAM, which could lead to malicious code execution. Possession of SMM privilegesand allows you to install malicious modules on SPI flash.
Unfortunately, due to the large number of different firmware implementations and their complexity, similar vulnerabilities that are currently undiscovered are likely to emerge in the future. The researchers ESET English WeLiveSecurity BlogLenovo laptop owners are strongly advised to review the list of affected devices and update their firmware immediately following the manufacturer’s instructions.
–
