Heimdal
article featured image

Contents:

Researchers have recently identified three Lenovo UEFI firmware vulnerabilities of high impact located in various Lenovo laptop models that consumers use. By successfully exploiting these flaws, threat actors can deploy and execute firmware implants on the impacted devices.

More Details on the Lenovo UEFI Firmware Vulnerabilities

According to ESET researcher Martin Smolár’s report, the following CVEs were assigned to these flaws:

  • CVE-2021-3970
  • CVE-2021-3971
  • CVE-2021-3972

with the last two having an impact on firmware drivers initially designed for the sole use “during the production process of Lenovo consumer notebooks.”

What can hackers do if abusing the Lenovo UEFI Firmware vulnerabilities successfully is that they may be able to disable SPI flash safeguards or Secure Boot, effectively allowing them to install persistent malware that can continue to live despite a system reboot.

The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.

Source

What happens with the first-mentioned vulnerability, dubbed CVE-2021-3970, on the other hand, is a case of memory corruption in the firm’s System Management Mode (SMM), which allows malicious code to run with the highest privileges.

Lenovo Issued Patches for the Three Vulnerabilities

The PC manufacturer was notified about the three Lenovo UEFI firmware vulnerabilities on October 11, 2021, and patches were released on April 12, 2022. Lenovo described the potential impact of the three flaws as privilege escalation and defined them as follows:

CVE-2021-3970 is caused by an insufficient validation in the LenovoVariable SMI Handler in some Lenovo Notebook models that could let a hacker with local access and elevated privileges perform arbitrary code execution.

CVE-2021-3971 stands for a potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that were accidentally included in the BIOS image. This could permit a threat actor who possesses elevated privileges to modify the firmware protection region by changing an NVRAM variable.

CVE-2021-3972 represents a potential flaw by a driver used during the manufacturing process on some consumer Lenovo Notebook devices that were accidentally left turned on. This may allow a hacker with elevated privileges to perform modifications of the secure boot setting by changing an NVRAM variable.

Which Lenovo Devices Are Impacted by These Flaws?

  • Lenovo Flex
  • IdeaPads
  • Legion, V14, V15, and V17 series
  • Yoga laptops

According to thehackersnews.com, the identification of these vulnerabilities come on the heels of the discovery of up to 50 UEFI firmware flaws in Insyde Software’s InsydeH2O, HP, and Dell since the beginning of the year.

How Can Heimdal™ Help?

Avoid potential privilege escalation risks with an automated Privileged Access Management tool that protects your privileged access and automatically deescalates privileges on threat detection paired with a Patch & Asset Management tool that makes patches available to be deployed in less than 4 hours from the release and keeps your software updated at all times.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE