Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that in some cases may be impossible to remove or detect.
Three vulnerabilities affecting more than a million laptops can give hackers the ability to modify the computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that connects a computer’s firmware to its operating system. As the first piece of software that runs when you turn on almost any modern device, it’s the initial link in the security chain. Because UEFI is embedded in a flash chip on the motherboard, an infection is difficult to detect and even harder to remove.
Two vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, exist in UEFI firmware drivers that are intended for use only during the manufacturing process of Lenovo consumer laptops. Lenovo engineers inadvertently included the drivers in production BIOS images without properly deactivating them. Hackers can exploit the buggy drivers to disable protections, including UEFI Secure Boot, BIOS Control Register bits, and the Protected Range registers, which govern the Serial Peripheral Interface (SPI) flash and are designed to prevent unauthorized changes to the firmware stored there.
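The BIOS Control Register bits and Protected Range registers mentioned above are what a defender inspects to confirm the SPI flash is still locked. The following added example (not code from Lenovo, ESET or Ars) decodes those registers and reports whether the BIOS region is write-protected; the register layouts follow the public Intel PCH datasheets, the decision rule is a simplified one, and all sample values are constructed.

```python
"""Decode Intel PCH SPI-flash write-protection registers and report whether
the BIOS region of the flash is locked. Layout assumptions: BIOS_CNTL bit 0 is
BIOSWE, bit 1 is BLE, bit 5 is SMM_BWP; a PRx register holds the protected
range base in bits 12:0, the limit in bits 28:16 and Write Protection Enable
in bit 31, both base and limit expressed in 4 KiB units. Sample values are
constructed, not read from real hardware."""

BIOSWE = 1 << 0    # BIOS Write Enable: when set, the BIOS region is writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only code running in SMM may write


def decode_pr(value):
    """Split a 32-bit PRx register into (base_address, limit_address, write_protect)."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF   # limit covers its whole 4 KiB page
    write_protect = bool(value & (1 << 31))
    return base, limit, write_protect


def bios_region_protected(bios_cntl, pr_regs, bios_base, bios_limit):
    """Return (protected, reason) for the flash region [bios_base, bios_limit].

    Simplified rule: the region counts as locked when BIOS_CNTL has BLE and
    SMM_BWP set with BIOSWE clear, or when some PRx with write protection
    enabled covers the entire BIOS region. Anything else is reported as
    writable from the operating system, which is the state the vulnerable
    drivers leave the system in."""
    locked_by_cntl = (not bios_cntl & BIOSWE) and bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP)
    if locked_by_cntl:
        return True, "BIOS_CNTL: BIOSWE=0, BLE=1, SMM_BWP=1"
    for idx, pr in enumerate(pr_regs):
        base, limit, write_protect = decode_pr(pr)
        if write_protect and base <= bios_base and limit >= bios_limit:
            return True, f"PR{idx} write-protects 0x{base:X}-0x{limit:X}"
    return False, "no register locks the BIOS region; firmware is writable from the OS"


if __name__ == "__main__":
    # Constructed 16 MiB flash whose BIOS region occupies the upper 8 MiB.
    BIOS_BASE, BIOS_LIMIT = 0x800000, 0xFFFFFF
    print(bios_region_protected(0x22, [0] * 5, BIOS_BASE, BIOS_LIMIT))          # locked via BIOS_CNTL
    print(bios_region_protected(0x00, [0x8FFF0800, 0, 0, 0, 0], BIOS_BASE, BIOS_LIMIT))  # locked via PR0
    print(bios_region_protected(0x01, [0] * 5, BIOS_BASE, BIOS_LIMIT))          # unlocked
```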
After discovering and analyzing the vulnerabilities, researchers from the security company ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when the device is put into System Management Mode, a highly privileged operating mode typically used by hardware manufacturers for low-level system management.
Trammell Hudson, a security researcher who specializes in firmware hacking, told Ars: “Based on the description, these are all good types of attacks for sufficiently advanced attackers. Bypassing flash SPI permissions is a very bad thing.”
He said the risk might be reduced by protections like BootGuard, which is designed to prevent unauthorized people from running malicious firmware during the boot process. Then again, researchers have in the past discovered critical vulnerabilities that compromise BootGuard. They include three defects, discovered by Hudson in 2020, that prevented the protection from working when the computer came out of sleep mode.
Creeping into the mainstream
While still rare, so-called SPI implants are becoming increasingly common. One of the internet’s biggest threats, a piece of malware known as Trickbot, in 2020 began incorporating a driver into its code base that allows its operators to write firmware to almost any device. The only other two documented cases of malicious UEFI firmware used in the wild are LoJax, which was written by a Russian government hacker group known by various names, including Sednit, Fancy Bear or APT 28, and UEFI malware that the security company Kaspersky discovered on the computers of diplomatic figures in Asia.
The three Lenovo vulnerabilities discovered by ESET require local access, which means that the attacker must already have control of the vulnerable device with unrestricted privileges. The barrier to this type of access is high and would likely require exploiting one or more other critical vulnerabilities elsewhere that would already put the user at great risk.
However, the vulnerabilities are dangerous because they can infect vulnerable laptops with malware that far exceeds what is usually possible with traditional malware. Lenovo has a list here of the more than 100 affected models.