Hackers can infect more than 100 Lenovo models with malware that cannot be removed. Are you patched?

by Edwin Robertson
Image: The 14-inch variant of the Yoga Slim 9i, finished in leather. (Credit: Lenovo)

Lenovo has released security updates for over 100 laptop models to address critical vulnerabilities that allow advanced hackers to surreptitiously install malicious firmware that can be nearly impossible to remove or, in some cases, to detect.

Three vulnerabilities affecting more than a million laptops can give hackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that links a computer's device firmware to its operating system. As the first software to run when virtually any modern machine is turned on, it is the first link in the security chain. Because UEFI resides on a flash chip soldered to the motherboard, infections survive operating-system reinstalls and disk replacement, which makes them hard to detect and even harder to remove.

Oh no

Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer laptops. Lenovo engineers inadvertently shipped the drivers in production BIOS images without properly disabling them. Hackers can exploit these faulty drivers to switch off the protections that are designed to prevent unauthorized modification of the firmware: UEFI Secure Boot, and the write protections built into the serial peripheral interface (SPI) flash controller, namely the BIOS Control Register bits and the Protected Range registers.
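The practical question for a defender is whether those SPI protections are actually engaged on a given machine. The following Python is an added example, not code from the article, ESET, or Lenovo: it decodes the two register families the paragraph names (BIOS_CNTL bits and the PR0-PR4 Protected Range registers) and reports whether the BIOS region of flash is write-protected, roughly mirroring the logic of chipsec's `common.bios_wp` module (an independent re-implementation, not chipsec's code). Bit layouts follow Intel's PCH datasheets; all register values below are constructed samples, and reading live values requires a kernel-level tool such as chipsec.

```python
"""Decode Intel PCH SPI-flash write-protection state: the BIOS Control register
(BIOS_CNTL) bits and the Protected Range registers (PR0-PR4) that the Lenovo
manufacturing drivers described by ESET are able to disable.

Register layouts follow Intel PCH datasheets (100-series and later). Every
sample value in this file is constructed for illustration, not read from a device.
"""
from dataclasses import dataclass

# BIOS_CNTL (PCH SPI/LPC PCI config space, offset 0xDC) bit positions
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = BIOS region of flash is writable
BLE = 1 << 1      # BIOS Lock Enable: 1 = an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes only while CPUs are in SMM
BILD = 1 << 7     # BIOS Interface Lock-Down (locks boot straps, not the write bits)

# HSFS (SPIBAR + 0x04) bit 15: FLOCKDN locks the PRx registers until platform reset
FLOCKDN = 1 << 15


@dataclass
class ProtectedRange:
    base: int            # first protected flash address (inclusive)
    limit: int           # last protected flash address (inclusive)
    write_protect: bool  # WPE, bit 31
    read_protect: bool   # RPE, bit 15


def decode_pr(value: int) -> ProtectedRange:
    """Decode one 32-bit PRx register:
    bit 31 WPE | bits 30:16 limit (addr bits 26:12) | bit 15 RPE | bits 14:0 base."""
    wpe = bool((value >> 31) & 1)
    rpe = bool((value >> 15) & 1)
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    base = (value & 0x7FFF) << 12
    return ProtectedRange(base, limit, wpe, rpe)


def ranges_cover(ranges, lo: int, hi: int) -> bool:
    """True if the union of write-protected [base, limit] ranges covers [lo, hi]."""
    spans = sorted((r.base, r.limit) for r in ranges
                   if r.write_protect and r.limit >= r.base)
    cursor = lo
    for base, limit in spans:
        if base > cursor:          # a gap in coverage before this range
            break
        cursor = max(cursor, limit + 1)
        if cursor > hi:
            return True
    return cursor > hi


def check_bios_write_protection(bios_cntl: int, hsfs: int, pr_values,
                                bios_base: int, bios_limit: int) -> dict:
    """Report the protection state of the BIOS flash region from raw register values.
    Approximates chipsec's common.bios_wp verdict; independent re-implementation."""
    prs = [decode_pr(v) for v in pr_values]
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)
    pr_covers = ranges_cover(prs, bios_base, bios_limit)

    # Path 1: BLE plus SMM_BWP restricts BIOS writes to SMM. BLE alone only relies
    # on an SMI handler clearing BIOSWE again, a race attackers have won before.
    locked_by_cntl = ble and smm_bwp and not bioswe
    # Path 2: PR registers cover the whole BIOS region and FLOCKDN stops anyone
    # from clearing them until the next platform reset.
    locked_by_pr = pr_covers and flockdn
    return {
        "BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "FLOCKDN": flockdn,
        "pr_covers_bios": pr_covers,
        "protected": locked_by_cntl or locked_by_pr,
    }


# Constructed sample: 16 MiB flash with the BIOS region at 0xA00000-0xFFFFFF.
BIOS_BASE, BIOS_LIMIT = 0x00A00000, 0x00FFFFFF

# Healthy machine: BLE|SMM_BWP|BILD set, BIOSWE clear, FLOCKDN set, PR0 covers BIOS.
HEALTHY = dict(bios_cntl=0xA2, hsfs=0x8000, pr_values=[0x8FFF0A00, 0, 0, 0, 0])
# State a backdoor driver leaves behind: every lock bit and PR register zeroed.
STRIPPED = dict(bios_cntl=0x00, hsfs=0x0000, pr_values=[0, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, regs in (("healthy", HEALTHY), ("stripped", STRIPPED)):
        print(name, check_bios_write_protection(**regs, bios_base=BIOS_BASE,
                                                bios_limit=BIOS_LIMIT))
```

Note that a BIOS_CNTL value of zero is not "safe": BIOSWE is clear, but with BLE clear nothing stops software from setting it, so the checker treats that state as unprotected. On real hardware, `chipsec_main -m common.bios_wp` performs the equivalent check against live registers.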

While analyzing those two vulnerabilities, researchers from security firm ESET discovered a third, CVE-2021-3970. It allows hackers to execute malicious code in System Management Mode (SMM), a high-privilege operating mode typically used by hardware manufacturers for low-level system management, which is also the mode in which the firmware's own protections are supposed to be enforced.

“Based on the description, these are all sorts of rather ‘oh no’ attacks for sufficiently advanced attackers,” Trammell Hudson, a security researcher specializing in firmware hacks, told Ars. “Ignoring SPI flash permissions is bad enough.”

He said the severity can be mitigated with protections like Intel Boot Guard, which is designed to prevent unauthorized people from running malicious firmware during the boot process. Then again, previous researchers have discovered critical vulnerabilities that subvert Boot Guard. They include a trio of flaws discovered by Hudson in 2020 that prevented the protection from working when a computer resumed from sleep mode.

Slip into the mainstream

Although still rare, so-called SPI implants are becoming increasingly common. One of the biggest Internet threats, the malware known as Trickbot, in 2020 began embedding a driver in its codebase that allows its operators to write firmware to virtually any device. The only other two documented cases of malicious UEFI firmware being used in the wild are LoJax, which was written by the Russian state hacker group known by many names, including Sednit, Fancy Bear, and APT28, and the UEFI malware that security firm Kaspersky found on the computers of diplomatic figures in Asia.

The three Lenovo vulnerabilities discovered by ESET require local access, meaning the attacker must already control the vulnerable machine with unrestricted privileges. The bar for this type of access is high and would likely require the exploitation of one or more critical vulnerabilities elsewhere that would already put the user at risk.

Still, the vulnerabilities are serious because they allow vulnerable laptops to be infected with malware that persists in ways far beyond what is normally possible with more conventional malware. Lenovo's advisory lists the more than 100 affected models.
