
Lenovo patches ThinkPad, Yoga, IdeaPad UEFI secure boot vulnerability

Mistakenly used drivers could allow hackers to modify the secure boot process


Lenovo has released patches to address two vulnerabilities that could have allowed cyber criminals to run malicious code through the deactivation of UEFI Secure Boot.

Researchers at ESET first discovered the vulnerabilities, tracked as CVE-2022-3430 and CVE-2022-3431, which, if exploited, could lead to threat actors circumventing the basic security functions of a victim’s operating system (OS). These bugs carry a severity rating of ‘high’.


The vulnerabilities affect 25 devices across the ThinkBook, Yoga and IdeaPad ranges in total, although not all of these devices are affected by both vulnerabilities. As these devices are heavily used in business settings, employees could be adversely affected by the flaw, with sensitive data potentially exposed or damaged.

The flaw, which sits within a driver in the affected devices, allows attackers to alter a variable in non-volatile random access memory (NVRAM) and thereby modify the Secure Boot setting of a device. This was not due to an error in the code of the affected drivers, but rather because the affected devices were mistakenly shipped with drivers intended for use only during manufacturing, which relax control over Secure Boot settings from within the OS.
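The NVRAM-variable mechanism described above, as an added example that is not from the article, Lenovo or ESET: a small Python audit that decodes Linux efivarfs entries (a 4-byte attribute word followed by the data), reports whether the standard SecureBoot variable is enforcing, and lists persistent variables the running OS could rewrite without a signed payload. The sample store and the "OemSetup" name are constructed for illustration; the page does not name the real affected variables.

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# EFI variable attribute bits from the UEFI specification.
NON_VOLATILE = 0x01     # stored in NVRAM, survives reboot
RUNTIME_ACCESS = 0x04   # reachable from the running OS via GetVariable/SetVariable
TIME_AUTH_WRITE = 0x20  # writes must carry a valid signature (e.g. db, dbx, KEK)
EFIVARS = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

@dataclass
class EfiVar:
    name: str
    attrs: int
    data: bytes

    def os_writable_persistent(self) -> bool:
        """Non-volatile, runtime-accessible and unauthenticated: a value the OS
        (or malware running in it) can rewrite and the firmware reads at next boot."""
        return (bool(self.attrs & NON_VOLATILE) and bool(self.attrs & RUNTIME_ACCESS)
                and not self.attrs & TIME_AUTH_WRITE)

def parse_efivar(name: str, raw: bytes) -> EfiVar:
    """An efivarfs file is a 4-byte little-endian attribute word followed by the data."""
    if len(raw) < 4:
        raise ValueError(f"{name}: too short to be an efivarfs entry")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return EfiVar(name, attrs, raw[4:])

def secure_boot_enforcing(store: dict) -> bool:
    """SecureBoot is one byte: 1 when the firmware is enforcing signature checks."""
    sb = store.get(f"SecureBoot-{GLOBAL_GUID}")
    return sb is not None and len(sb.data) == 1 and sb.data[0] == 1

def flag_os_writable(store: dict) -> list:
    """Names of persistent variables the OS can rewrite without a signed payload."""
    return sorted(n for n, v in store.items() if v.os_writable_persistent())

def load_efivarfs(path: str = EFIVARS) -> dict:
    """Read every variable on a live Linux host (efivarfs must be mounted)."""
    return {p.name: parse_efivar(p.name, p.read_bytes()) for p in Path(path).iterdir()}

# Constructed sample store standing in for a real efivarfs; "OemSetup" is a hypothetical
# vendor variable name, not one taken from the Lenovo advisory.
SAMPLE_STORE = {n: parse_efivar(n, raw) for n, raw in {
    f"SecureBoot-{GLOBAL_GUID}": b"\x06\x00\x00\x00\x01",                          # BS|RT, enforcing
    "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f": b"\x27\x00\x00\x00" + b"\x00" * 8,  # NV|BS|RT|AUTH
    "OemSetup-12345678-1234-1234-1234-123456789abc": b"\x07\x00\x00\x00\x00",      # NV|BS|RT, unsigned
}.items()}
```

Run `flag_os_writable(load_efivarfs())` on a real host to see which persistent variables are writable from the OS; a flagged entry is a candidate for review, not proof of a flaw, since the firmware may never consult it.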

UEFI flaws are severe, as they allow threat actors to alter critical device processes and potentially install malware within the victim's flash memory. For example, threat actors could use such a flaw to install a rootkit, which could carry out malicious activity while remaining very hard to detect, and can even survive OS reinstallation.

“Secure boot is built on a hierarchy of trust typically rooted in technologies fixed in the hardware of a device,” said Professor John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at the University of Manchester.

“Such systems are used to ensure that despite any exploitation of a vulnerability during the normal operation of a system it can be recovered through a reboot. It is therefore essential that by design, the secure boot of a system cannot be altered while in normal operation. Unfortunately, all software should be considered to contain vulnerabilities, and therefore it’s essential that during normal operation no mechanisms can circumvent secure boot.

“Although a move to using digital secure by design execution of software will significantly reduce the opportunity to exploit vulnerabilities, any mechanism in which an exploitation of normal operations can take control of secure boot means they are open to ransomware and other denial of service attacks and highlights the need for trust across the various components of secure boot.”

The Ideapad Y700-14ISK is affected by a third vulnerability, tracked as CVE-2022-3432, which comprises another driver flaw that results in a similar modification of the Secure Boot setting. However, Lenovo will not release a fix for this as the device has exceeded its developer support lifecycle.

This is not the first time that Lenovo has had to release such a patch. In April, ESET researchers discovered more than 100 Lenovo models vulnerable to UEFI malware attacks, also as a result of manufacturing drivers mistakenly left on the devices.

Similar concerns have been raised in the past, with Dell BIOS vulnerabilities found in 2021 enabling threat actors to execute malicious code at UEFI level on an estimated 30 million devices, and researchers from Advanced Intelligence and Eclypsium having found a variant of the Trickbot malware that can brick devices at UEFI level in 2020.

ESET recommends that those using the affected devices update their firmware version immediately.
