Millions of Laptops Impacted by Lenovo UEFI Firmware Vulnerabilities
If Abused, the Flaws Could Let Hackers Deploy and Run Firmware Implants.
Researchers have recently identified three high-impact Lenovo UEFI firmware vulnerabilities affecting various Lenovo consumer laptop models. By successfully exploiting these flaws, threat actors can deploy and execute firmware implants on the impacted devices.
More Details on the Lenovo UEFI Firmware Vulnerabilities
According to ESET researcher Martin Smolár’s report, the following CVEs were assigned to these flaws: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, with the last two having an impact on firmware drivers initially designed for the sole use “during the production process of Lenovo consumer notebooks.”
Hackers who successfully abuse the Lenovo UEFI firmware vulnerabilities may be able to disable SPI flash safeguards or Secure Boot, effectively allowing them to install persistent malware that can continue to live despite a system reboot.
The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
The first-mentioned vulnerability, CVE-2021-3970, on the other hand, is a case of memory corruption in the firm’s System Management Mode (SMM), which allows malicious code to run with the highest privileges.
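The SPI flash protections named above (BIOS Control Register bits and Protected Range registers) can be audited from raw register values collected with a firmware audit tool. The sketch below is an added example, not code from ESET's report or Lenovo's advisory; the bit positions assume the Intel PCH layout, and all function names and sample values are constructed for illustration.

```python
# Added example (not code from the page): audit SPI flash write protection.
# Bit positions assume the Intel PCH layout; confirm against the chipset datasheet.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash writes allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = only SMM code may write
PR_WPE = 1 << 31   # Protected Range register: write-protect enable

def decode_pr(value):
    """Return (base, limit) in bytes for a write-protected range, else None."""
    if not value & PR_WPE:
        return None
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return (base, limit) if limit >= base else None

def uncovered(region, ranges):
    """Return the parts of region (base, limit) that no protected range covers."""
    gaps, cursor = [], region[0]
    for base, limit in sorted(ranges):
        if limit < cursor or base > region[1]:
            continue
        if base > cursor:
            gaps.append((cursor, base - 1))
        cursor = max(cursor, limit + 1)
    if cursor <= region[1]:
        gaps.append((cursor, region[1]))
    return gaps

def audit(bios_cntl, pr_values, bios_region):
    """List protection weaknesses; an empty list means every check passed."""
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: flash writes currently enabled")
    if not bios_cntl & BLE:
        findings.append("BLE clear: BIOSWE can be set without an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: non-SMM code may write flash")
    ranges = [r for r in map(decode_pr, pr_values) if r]
    for lo, hi in uncovered(bios_region, ranges):
        findings.append(f"no PR write protection for 0x{lo:X}-0x{hi:X}")
    return findings

# Constructed sample values, not read from any real device.
BIOS_REGION = (0x500000, 0xFFFFFF)
HEALTHY = audit(0x2A, [0x8FFF0500, 0, 0, 0, 0], BIOS_REGION)
STRIPPED = audit(0x09, [0, 0, 0, 0, 0], BIOS_REGION)
if __name__ == "__main__":
    print("healthy:", HEALTHY)
    print("stripped:", *STRIPPED, sep="\n  ")
```

A device that reports findings like the second sample after the vendor patch has been applied warrants a closer firmware integrity check.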
Lenovo Issued Patches for the Three Vulnerabilities
The PC manufacturer was notified about the three Lenovo UEFI firmware vulnerabilities on October 11, 2021, and patches were released on April 12, 2022. Lenovo described the potential impact of the three flaws as privilege escalation and defined them as follows:
CVE-2021-3970 is caused by insufficient validation in the LenovoVariable SMI Handler in some Lenovo Notebook models that could let a hacker with local access and elevated privileges perform arbitrary code execution.
CVE-2021-3971 is a potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was accidentally included in the BIOS image. This could permit a threat actor who possesses elevated privileges to modify the firmware protection region by changing an NVRAM variable.
CVE-2021-3972 is a potential flaw in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was accidentally left turned on. This may allow a hacker with elevated privileges to modify the secure boot setting by changing an NVRAM variable.
Which Lenovo Devices Are Impacted by These Flaws?
- Lenovo Flex
- Legion, V14, V15, and V17 series
- Yoga laptops
According to thehackersnews.com, the identification of these vulnerabilities comes on the heels of the discovery of up to 50 UEFI firmware flaws in Insyde Software’s InsydeH2O, HP, and Dell since the beginning of the year.
How Can Heimdal™ Help?
Avoid potential privilege escalation risks with an automated Privileged Access Management tool that protects your privileged access and automatically deescalates privileges on threat detection, paired with a Patch & Asset Management tool that makes patches available to be deployed in less than 4 hours from the release and keeps your software updated at all times.