Millions of Lenovo laptops thought to be vulnerable to newly discovered UEFI malware attacks

(Image credit: Getty Images)

published 20 April 2022

Researchers at cyber security company ESET have discovered three vulnerabilities that affect Lenovo laptops and could lead to the execution of malware through a bypassing of UEFI Secure Boot.

More than 100 different Lenovo laptop models and millions of users are thought to be vulnerable to the UEFI threats, ESET said, and patches aren’t available for all those who may be affected.

Secure Boot flaws could enable hackers to take control of Dell devices New Trickbot variant can interfere with UEFI and BIOS What is a rootkit?

A number of the laptops that are vulnerable to the attacks have reached end of life and are not supported with official updates. In these cases, ESET recommends users deploy an anti-malware product that scans for UEFI threats and uses a TPM-aware full-disk encryption product to make the disk inaccessible.

Of the three total vulnerabilities in question, two of them tracked as CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers that were mistakenly left in the final production devices, and their BIOS images, after originally only supposed to be included during the manufacturing process.

Both drivers “immediately” caught the attention of the ESET researchers since they were named SecureBackDoor and SecureBackDoorPeim.

Attackers could use these vulnerabilities to disable flash memory protections and UEFI Secure Boot to deploy UEFI malware on targeted machines, ESET said.

UEFI malware is not a new phenomenon but has seen several high-profile exploits in recent years such as Lojax in 2018, and ESPecter and MoonBounce in 2021. These types of attacks can be difficult to trace since the malware is stored in flash memory, leaving a small footprint.

The exploits are also becoming more advanced with the likes of ESPecter being only the second ever real-world case of a UEFI bootkit persisting on the EFI System Partition. The first example of this is thought to be FinSpy, also discovered in 2021 by Kaspersky.

Lenovo has released a wide range of patches that can be downloaded from its website and advisory page. It lists all affected devices and to what security issues they are vulnerable, though some devices are still awaiting patches for specific CVEs. In these cases, Lenovo has provided an estimated availability date.

The third and final vulnerability tracked as CVE-2021-3970, is a vulnerability in the LenovoVariable SMI Handler - a component responsible for detecting and logging system errors - that could allow an attacker with local access and elevated privileges to execute arbitrary code.

Cyber security experts have responded to the announcement heeding the warnings of ESET and Lenovo, agreeing that the vulnerabilities could be potentially dangerous, though not in the average security team’s threat model.

“These Lenovo UEFI vulnerabilities are not in your average threat model,” said security threat analyst Martijn Grooten. “But if privilege escalation from admin to worse is in your threat model this is kind of bad.”

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.