Researchers have discovered three vulnerabilities affecting various Lenovo consumer laptop models. The vulnerabilities were found in UEFI firmware drivers originally meant to be used only during the manufacturing process, along with a vulnerability in the SW SMI handler function.
The list of affected devices contains more than one hundred different laptop models with millions of users worldwide. Following responsible disclosure of the problem in October 2021, Lenovo issued firmware updates to patch these vulnerabilities on April 12, 2022.
UEFI is a specification that defines a software interface between an operating system and platform firmware. In other words, it is the link between a computer’s firmware—software that is hard-coded into the computer hardware—and the operating system (OS).
UEFI is short for Unified Extensible Firmware Interface and was designed to replace a system that involved the MBR (Master Boot Record), which worked in tandem with the BIOS (Basic Input-Output System) to achieve the bootstrap process that gets a computer up and running. UEFI replaces the BIOS and does away with the MBR altogether.
Because of the way firmware is programmed into hardware, it is typically harder to update than software that is installed on the machine, such as the OS and applications. Updating firmware is sometimes referred to as “flashing”, because it requires removing the old instructions and then writing the new ones. Mistakes in this process can end up bricking a device.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that were found and patched.
CVE-2021-3970 is a vulnerability in the LenovoVariable System Management Interrupt Handler due to insufficient validation. In some Lenovo Notebook models this may allow an attacker with local access and elevated privileges to execute arbitrary code.
CVE-2021-3971 is a vulnerability caused by a driver used during older manufacturing processes. On some consumer Lenovo Notebook devices this driver was mistakenly included in the BIOS image which could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
CVE-2021-3972 is a vulnerability caused by a driver used during the manufacturing process. On some consumer Lenovo Notebook devices this driver was mistakenly not deactivated and may allow an attacker with elevated privileges to modify secure boot settings by modifying an NVRAM variable.
Secure Boot is an option in UEFI that allows you to make sure that your PC boots using only software that is trusted by the PC manufacturer.
The first vulnerability is a case of memory corruption in the firmware’s System Management Mode (SMM), which allows malicious code to run with the highest privileges.
Successful exploitation of the last two vulnerabilities could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots.
To exploit these vulnerabilities an attacker would already need elevated privileges. To our knowledge there have been no instances of exploitation in the wild.
The drivers immediately caught the attention of the researchers by their very unfortunate—but surprisingly honest—names:
Leaving a backdoor on a system is undoubtedly not good. But we think it is safe to assume that this was done by mistake, and mistakes happen where humans work. When mistakes happen, we need to learn to correct them and move forward. Given the number of affected models, Lenovo was relatively quick to come up with updates for all of them, in just a few months.
Update the system firmware to the version (or newer) indicated for your model in the Product Impact section of this page.
In addition to the models listed in the advisory, several other devices were reported to Lenovo as being affected, but these won’t be fixed because they have reached End Of Development Support (EODS). According to the researchers, one thing that can help you protect against unwanted modification of the UEFI Secure Boot state is using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes.
The TPM (Trusted Platform Module) is a cryptographic module that enhances computer security and privacy. Its basic functions are protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system.
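The check a defender would want here is whether the Secure Boot state the firmware reports is still the trusted one, and whether the TPM's Secure Boot policy measurement (PCR 7, which is what TPM-aware disk encryption seals against) still matches a known-good boot. The script below is an added example written for this article, not code from Lenovo or the researchers; it assumes a Linux host with efivarfs and TPM sysfs support at the default paths, and a PCR 7 baseline the reader recorded themselves on a known-good boot.

```python
"""Verify UEFI Secure Boot state and the TPM PCR 7 baseline (added example)."""
from __future__ import annotations
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID, used by the SecureBoot and SetupMode variables.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")          # assumed Linux efivarfs mount
PCR7 = Path("/sys/class/tpm/tpm0/pcr-sha256/7")      # assumed TPM 2.0 sysfs path

def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs files start with a 4-byte little-endian attribute word, then the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret the two global variables that describe Secure Boot.
    SecureBoot == 1 means enforcement is on; SetupMode == 1 means no platform
    key is enrolled, so the key databases (PK/KEK/db/dbx) can be rewritten freely."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    enabled = bool(sb[0]) if sb else False       # missing data: assume disabled
    setup = bool(sm[0]) if sm else True          # missing data: assume untrusted
    return {"secure_boot": enabled, "setup_mode": setup, "trusted": enabled and not setup}

def pcr7_changed(current_hex: str, baseline_hex: str) -> bool:
    """PCR 7 extends the Secure Boot policy (SecureBoot, PK, KEK, db, dbx), so any
    difference from the recorded baseline means that configuration changed."""
    return current_hex.strip().lower() != baseline_hex.strip().lower()

def check_host(baseline_hex: str) -> dict:
    """Read the live values; needs root and the sysfs paths assumed above."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    result = secure_boot_state(sb, sm)
    result["pcr7_changed"] = pcr7_changed(PCR7.read_text(), baseline_hex)
    return result

if __name__ == "__main__":
    # Constructed sample records: attributes 0x6 (BS|RT) followed by a one-byte value.
    SB_ON, SETUP_OFF = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
    print(secure_boot_state(SB_ON, SETUP_OFF))
```

Run `check_host("<your recorded PCR 7 hex>")` as root; a `trusted` of `False` or a `pcr7_changed` of `True` is the signal to investigate before trusting the disk contents.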
Stay safe, everyone!