Over 100 Lenovo Laptops Affected by Trio of UEFI Vulnerabilities


Lenovo's support division has published an advisory that outlines three vulnerabilities affecting its laptop computers. All of them could allow an attacker to gain elevated privileges by one means or another. Over 100 Lenovo laptop models are affected by these vulnerabilities, which ESET researchers first discovered. Thankfully, Lenovo says it has system firmware updates ready or on the way to mitigate these new security issues.

Three CVE identifier codes and descriptions were shared by Lenovo, setting out the potential for mischief if left unpatched:

| CVE identifier | Description |
| --- | --- |
| CVE-2021-3970 | A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code. |
| CVE-2021-3971 | A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable. |
| CVE-2021-3972 | A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable. |

According to the security researchers at ESET, CVE-2021-3970 would allow "arbitrary read/write from/into SMRAM (System Management Mode hardware protected memory), which can lead to the execution of malicious code," at a highly privileged level.

The other two vulnerabilities (CVE-2021-3971 and CVE-2021-3972) have a lot in common. According to ESET, they are present in the consumer UEFI images by mistake. The access they provide to attackers is only supposed to be available to developers during the manufacturing process.

Thanks to these vulnerabilities, an attacker would be able to directly disable UEFI flash memory protections or the UEFI Secure Boot feature. Furthermore, the attackers would then be able to deploy and successfully execute or implant malware – which is hard to detect and get rid of as it can load ahead of the OS.
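As an added example (not from Lenovo, ESET or the original article), this Python check reads the firmware-reported Secure Boot state on Linux, the setting CVE-2021-3972 lets an attacker change. It assumes the standard efivarfs mount point and the UEFI global-variable GUID; the sample byte strings are constructed, and the result is only what the firmware chooses to report to the OS.

```python
import struct
from pathlib import Path

# Assumptions: Linux efivarfs mount point and the UEFI spec's global-variable GUID.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
ATTRS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}

def parse_efivar(raw: bytes):
    """An efivarfs file is a 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs entry")
    (mask,) = struct.unpack_from("<I", raw)
    names = [name for bit, name in ATTRS.items() if mask & bit]
    return names, raw[4:]

def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Combine the SecureBoot and SetupMode variables into one state string."""
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    if len(sb) != 1 or len(sm) != 1:
        return "unknown"
    if sm[0] == 1:
        return "setup-mode"  # no Platform Key enrolled, so nothing is enforced
    return "enabled" if sb[0] == 1 else "disabled"

def read_live():
    """Return the state of this machine, or None when efivarfs is unavailable."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None
    return secure_boot_state(sb, sm)

# Constructed samples: attribute mask 0x6 (boot-service + runtime access) + 1 data byte.
SB_ON = bytes.fromhex("0600000001")
SB_OFF = bytes.fromhex("0600000000")
SETUP_OFF = bytes.fromhex("0600000000")
SETUP_ON = bytes.fromhex("0600000001")

if __name__ == "__main__":
    print("constructed (on): ", secure_boot_state(SB_ON, SETUP_OFF))
    print("constructed (off):", secure_boot_state(SB_OFF, SETUP_OFF))
    print("this machine:     ", read_live() or "efivarfs not available")
```

Comparing the reported state against the expected baseline for each device, before and after applying Lenovo's firmware update, shows whether Secure Boot has been switched off.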

We're learning about these vulnerabilities just as Lenovo has begun to release firmware patches for them because ESET has cooperated with Lenovo. ESET discovered the trio of vulnerabilities last October, and Lenovo confirmed the flaws and assigned CVEs in November. Since then, we guess there was quite a lot of work involved in addressing the flaws.

No Patches for Some Older Devices

We previously mentioned that Lenovo has firmware patches available for many of the affected laptop models. However, ESET clarifies that some people with affected laptops won't get patches because their devices are too old and have reached End Of Development Support (EODS).

If you are worried that your Lenovo laptop is affected, you can check the lengthy table found beneath the fold after navigating to the link in the intro paragraph. A list of older devices that are affected but aren't going to get updates will be shared by ESET later (that date is not available at the time of writing).

The last time we wrote about UEFI malware was when the worrying MoonBounce malware story broke in January this year. Such malware is particularly stealthy and dangerous due to its ability to execute with a privileged user-mode process level during OS runtime.

Mark Tyson
Freelance News Writer
