Users Of Lenovo Laptops Need To Update Their BIOS Firmware ASAP To Avoid Getting Pwned

According to researchers at ESET have discovered that over 100 Lenovo laptop models have bugs in their UEFI BIOS firmware that allow threat actors to disable the protection for the SPI flash memory chip where the UEFI firmware is stored and to turn off the UEFI Secure Boot feature, which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer:

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.

This was reported to Lenovo and a security advisory has been put out with the following advice:

Update system firmware to the version (or newer) indicated for your model in the Product Impact section.

The list isn’t small as it has over 100 notebooks on it. But if your Lenovo notebook is on that list, you need to update your BIOS firmware ASAP because now that this is out there, threat actors will be trying to pwn all they can before updates are widely installed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: