Security provider ESET issues a security warning: Dangerous UEFI vulnerabilities discovered in Lenovo notebooks. Lenovo laptop owners should review the affected devices list and update their firmware according to the manufacturer's instructions.
Millions of Lenovo users should update the firmware of their devices as soon as possible - this is the urgent recommendation of the European IT security manufacturer ESET. Researchers from the company discovered three dangerous vulnerabilities on the devices that open the floodgates to attackers on the laptops. For example, highly dangerous UEFI malware such as Lojax or ESPecter could be smuggled in via the security leaks. The Unified Extensible Firmware Interface (UEFI) is the firmware of the mainboard and is so valuable for cybercriminals because it allows them to read and manipulate hardware information during operation. Since UEFI starts before the operating system, it is possible to implement resistant malware here. Overall, the threat list includes more than 100 different models from the manufacturer Lenovo. A list of all devices can be found online at Lenovo. There are, for example, many IdeaPad and Yoga Slim models.
Install updates immediately or use TPM solution
ESET researchers advise all Lenovo laptop owners to check the list of affected devices and update their firmware according to the manufacturer's instructions. If devices no longer receive manufacturer updates and are affected by the UEFI SecureBootBackdoor (CVE-2021-3970), the experts recommend using a Trusted Platform Module solution for full disk encryption. Thus, the hard drive data is inaccessible when the UEFI Secure Boot configuration is changed.
“UEFI malware can go unnoticed for a long time and poses an immense threat potential. The malicious programs are executed early in the boot process, before the operating system starts. This means that they bypass almost all security measures and higher-level limitations against malicious code," says ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery of these UEFI backdoors shows that in some cases, deploying these specific threats is not as difficult as expected. The larger number of UEFI threats found in recent years suggests that attackers are aware,” he adds. "All UEFI threats discovered in recent years, such as LoJax, MasaicRegressor, MoonBounce, ESPecter or Finspy, had to bypass or disable security mechanisms in some way."
"Secure" backdoors disables UEFI Secure Boot functionality
The first two of these vulnerabilities (CVE-2021-3970, CVE-2021-3971) are referred to as "secure" backdoors built into the UEFI firmware. The reason for this designation is the names given to Lenovo's UEFI drivers that implement one of these vulnerabilities (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protection (BIOS control register bits and protection range registers) or UEFI Secure Boot feature from a privileged user mode process while the operating system is running.
In addition, examining the binaries of the "safe" backdoors revealed a third vulnerability (CVE-2021-3972). This allows for arbitrary read/write access to/from System Management RAM (short: SMRAM), which can lead to the execution of malicious code with higher privileges.
What is UEFI?
The Unified Extensible Firmware Interface (UEFI) is the term for the firmware of the mainboard and is therefore an important part of the interface between the hardware and software of a computer, especially when booting. UEFI replaced the previous BIOS (Basic Input/Output System) and can communicate better with modern hardware. The big advantages include, on the one hand, the significantly faster speed when booting the system, and, on the other hand, the support of hard disks with larger capacities.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.