Researchers at cyber security company ESET have discovered three vulnerabilities that affect Lenovo laptops and could lead to the execution of malware through a bypassing of UEFI Secure Boot.
More than 100 different Lenovo laptop models and millions of users are thought to be vulnerable to the UEFI threats, ESET said, and patches aren’t available for all those who may be affected.
A number of the laptops that are vulnerable to the attacks have reached end of life and are not supported with official updates. In these cases, ESET recommends users deploy an anti-malware product that scans for UEFI threats and uses a TPM-aware full-disk encryption product to make the disk inaccessible.
Of the three total vulnerabilities in question, two of them tracked as CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers that were mistakenly left in the final production devices, and their BIOS images, after originally only supposed to be included during the manufacturing process.
Both drivers “immediately” caught the attention of the ESET researchers since they were named SecureBackDoor and SecureBackDoorPeim.
Attackers could use these vulnerabilities to disable flash memory protections and UEFI Secure Boot to deploy UEFI malware on targeted machines, ESET said.
UEFI malware is not a new phenomenon but has seen several high-profile exploits in recent years such as Lojax in 2018, and ESPecter and MoonBounce in 2021. These types of attacks can be difficult to trace since the malware is stored in flash memory, leaving a small footprint.
The exploits are also becoming more advanced with the likes of ESPecter being only the second ever real-world case of a UEFI bootkit persisting on the EFI System Partition. The first example of this is thought to be FinSpy, also discovered in 2021 by Kaspersky.
Lenovo has released a wide range of patches that can be downloaded from its website and advisory page. It lists all affected devices and to what security issues they are vulnerable, though some devices are still awaiting patches for specific CVEs. In these cases, Lenovo has provided an estimated availability date.
The third and final vulnerability tracked as CVE-2021-3970, is a vulnerability in the LenovoVariable SMI Handler - a component responsible for detecting and logging system errors - that could allow an attacker with local access and elevated privileges to execute arbitrary code.
Cyber security experts have responded to the announcement heeding the warnings of ESET and Lenovo, agreeing that the vulnerabilities could be potentially dangerous, though not in the average security team’s threat model.
“These Lenovo UEFI vulnerabilities are not in your average threat model,” said security threat analyst Martijn Grooten. “But if privilege escalation from admin to worse is in your threat model this is kind of bad.”
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
