According to researchers at ESET have discovered that over 100 Lenovo laptop models have bugs in their UEFI BIOS firmware that allow threat actors to disable the protection for the SPI flash memory chip where the UEFI firmware is stored and to turn off the UEFI Secure Boot feature, which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer:
ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
This was reported to Lenovo and a security advisory has been put out with the following advice:
Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
The list isn’t small as it has over 100 notebooks on it. But if your Lenovo notebook is on that list, you need to update your BIOS firmware ASAP because now that this is out there, threat actors will be trying to pwn all they can before updates are widely installed.
Related
This entry was posted on April 19, 2022 at 9:19 am and is filed under Commentary with tags Lenovo. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Users Of Lenovo Laptops Need To Update Their BIOS Firmware ASAP To Avoid Getting Pwned
According to researchers at ESET have discovered that over 100 Lenovo laptop models have bugs in their UEFI BIOS firmware that allow threat actors to disable the protection for the SPI flash memory chip where the UEFI firmware is stored and to turn off the UEFI Secure Boot feature, which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer:
ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
This was reported to Lenovo and a security advisory has been put out with the following advice:
Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
The list isn’t small as it has over 100 notebooks on it. But if your Lenovo notebook is on that list, you need to update your BIOS firmware ASAP because now that this is out there, threat actors will be trying to pwn all they can before updates are widely installed.
Share this:
Like this:
Related
This entry was posted on April 19, 2022 at 9:19 am and is filed under Commentary with tags Lenovo. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.