
ESET warns of three flaws that affect over 100 Lenovo notebook models

Lenovo warns of vulnerabilities in its Unified Extensible Firmware Interface (UEFI) shipped with at least 100 notebook models.

Lenovo has published a security advisory to warn customers of vulnerabilities that affect its Unified Extensible Firmware Interface (UEFI) loaded on at least 100 of its notebook models, including IdeaPad 3, Legion 5 Pro-16ACH6 H, and Yoga Slim 9-14ITL05.

“The following vulnerabilities were reported in Lenovo Notebook BIOS.” reads the advisory published by Lenovo.

  • “CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.”

The three flaws were reported by ESET researchers to Lenovo in October.

Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, can be exploited by an attacker who already has elevated privileges to disable the write protection of the SPI flash memory chip that holds the firmware and to turn off UEFI Secure Boot. In both cases the trigger is the modification of an NVRAM variable.

Secure Boot is a security standard developed by members of the PC industry to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).

The third vulnerability, tracked as CVE-2021-3970, is an insufficient-validation bug in the LenovoVariable SMI handler. A local attacker with elevated privileges can exploit it to execute arbitrary code in the handler, that is in System Management Mode (SMM), the CPU mode in which SMI handlers run and which sits below the operating system.

The two driver-related vulnerabilities (CVE-2021-3971 and CVE-2021-3972) result from two UEFI firmware drivers, named SecureBackDoor and SecureBackDoorPeim respectively, that are meant to be used only during the manufacturing process but were left in the production firmware images.
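Because CVE-2021-3972 flips the Secure Boot setting through an NVRAM variable, the first thing an owner of an affected model wants is a quick read of what the firmware currently reports, plus a check that the Secure Boot key databases are locked against plain runtime writes. The script below is an added example, not code from Lenovo's or ESET's advisories. It reads the variables from Linux efivarfs (assumed mounted at /sys/firmware/efi/efivars); the variable names, attribute bits and GUIDs are those defined by the UEFI specification, and the sample variable contents at the bottom are constructed for the offline run, not captured from a real machine.

```python
#!/usr/bin/env python3
"""Sanity-check UEFI Secure Boot state from Linux via efivarfs.

Added example (not from the Lenovo or ESET advisories). Assumes efivarfs at
/sys/firmware/efi/efivars; names, GUIDs and attribute bits are from the UEFI
specification. The reader is injectable so the logic also runs offline.
"""
import os
import struct

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: writes must be signed.
# (Other bits used below: 0x01 non-volatile, 0x02 boot-service, 0x04 runtime.)
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# The four Secure Boot policy databases and the GUID namespace each lives in.
POLICY_DATABASES = (
    ("PK", EFI_GLOBAL_VARIABLE),
    ("KEK", EFI_GLOBAL_VARIABLE),
    ("db", EFI_IMAGE_SECURITY_DATABASE),
    ("dbx", EFI_IMAGE_SECURITY_DATABASE),
)


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).
    efivarfs prepends a little-endian UINT32 of attribute bits to the payload."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs record")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def read_efivar(name, guid, root=EFIVARS):
    """Read and parse one variable from the live system (needs /sys access)."""
    with open(os.path.join(root, f"{name}-{guid}"), "rb") as f:
        return parse_efivar(f.read())


def make_reader(store):
    """Reader over a dict {"Name-GUID": raw_bytes}; used for the offline run."""
    def read(name, guid):
        key = f"{name}-{guid}"
        if key not in store:
            raise FileNotFoundError(key)
        return parse_efivar(store[key])
    return read


def assess_secure_boot(read=read_efivar):
    """Report Secure Boot state and whether the policy databases are write-locked."""
    report = {}
    for name in ("SecureBoot", "SetupMode"):
        try:
            _, data = read(name, EFI_GLOBAL_VARIABLE)
            report[name] = bool(data) and data[0] == 1
        except FileNotFoundError:
            report[name] = None  # absent: legacy boot or efivarfs not mounted

    # Enforced only if SecureBoot==1 and the platform is not in SetupMode
    # (SetupMode==1 means no PK is enrolled and the keys can be changed freely).
    report["enforced"] = report["SecureBoot"] is True and report["SetupMode"] is False

    # Key databases must require authenticated writes; otherwise a privileged
    # OS process could rewrite them with an ordinary SetVariable call.
    weak = []
    for name, guid in POLICY_DATABASES:
        try:
            attrs, _ = read(name, guid)
        except FileNotFoundError:
            weak.append(f"{name}: missing")
            continue
        if not attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
            weak.append(f"{name}: not authenticated-write (attrs=0x{attrs:02x})")
    report["weak_databases"] = weak
    return report


# Constructed sample (not captured from real hardware): Secure Boot on, PK/KEK/dbx
# properly locked (0x27 = NV|BS|RT|TIME_AUTH), db wrongly writable (0x07 = NV|BS|RT).
SAMPLE_STORE = {
    f"SecureBoot-{EFI_GLOBAL_VARIABLE}": struct.pack("<I", 0x06) + b"\x01",
    f"SetupMode-{EFI_GLOBAL_VARIABLE}": struct.pack("<I", 0x06) + b"\x00",
    f"PK-{EFI_GLOBAL_VARIABLE}": struct.pack("<I", 0x27) + b"\x00" * 16,
    f"KEK-{EFI_GLOBAL_VARIABLE}": struct.pack("<I", 0x27) + b"\x00" * 16,
    f"db-{EFI_IMAGE_SECURITY_DATABASE}": struct.pack("<I", 0x07) + b"\x00" * 16,
    f"dbx-{EFI_IMAGE_SECURITY_DATABASE}": struct.pack("<I", 0x27) + b"\x00" * 16,
}

if __name__ == "__main__":
    reader = read_efivar if os.path.isdir(EFIVARS) else make_reader(SAMPLE_STORE)
    for key, value in assess_secure_boot(reader).items():
        print(f"{key}: {value}")
```

The check is read-only and reports what the firmware itself claims. That is the caveat: on a machine where a leftover manufacturing driver has already switched the setting, or where a firmware implant is resident, the values the OS sees are under the attacker's control, so a clean result is necessary but not sufficient. The authoritative fix is the BIOS update from Lenovo's advisory, and the installed BIOS version should be compared against the fixed version listed there.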

“ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971 and CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks.” reads the advisory published by ESET. “Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated.”

The researchers pointed out that UEFI vulnerabilities are very insidious because they could be exploited by threat actors to deploy stealthy implants that are able to bypass security protections that operate at the OS level.

“All of the real-world UEFI threats discovered in recent years (LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy) needed to bypass or disable the security mechanisms in some way in order to be deployed and executed. However, only in the case of LoJax, the first in-the-wild UEFI rootkit (discovered by ESET Research in 2018), do we have a clue how it was done – by using the ReWriter_binary capable of exploiting the Speed Racer vulnerability.” concludes ESET. “Our discovery, together with the above-mentioned ones, demonstrates that in some cases, deployment of UEFI threats might not be as difficult as expected, and the larger number of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this.”

Owners of affected Lenovo laptops should update their firmware following the manufacturer’s instructions; Lenovo has published the full list of affected notebook models in its advisory.




Pierluigi Paganini

(SecurityAffairs – hacking, Lenovo)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
