ESET uncovers vulnerabilities in Lenovo laptops

Firmware updates incoming in response to UEFI threats

Updated Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET.

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature.

"UEFI threats can be extremely stealthy and dangerous," said ESET researcher Martin Smolár, who discovered the vulnerabilities. "They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed."

For the devices affected by CVE-2021-3971 and CVE-2021-3972 (consumer Lenovo Notebook hardware, by the look of things), Lenovo's advice is to grab an update for the firmware. Some updates, however, will not be available until May.

CVE-2021-3970, which ESET researchers uncovered while digging into the other vulnerabilities, is a memory corruption issue, which could lead to deployment of an SPI flash implant.

Lenovo's advisory describes CVE-2021-3970 as a "potential vulnerability in Lenovo Variable SMI Handler due to insufficient validation in some Lenovo Notebook models [that] may allow an attacker with local access and elevated privileges to execute arbitrary code."

Lenovo deemed the trio to be of "medium" severity. ESET noted that an attacker would require administrative privileges carry out their misdeeds.

SPI flash is a memory chip used for platform firmware code, such as UEFI firmware. It should be protected, but the vulnerability in the System Management Interrupt (SMI) handler could mean access to the highly privileged System Management Mode (SMM) of the processor, which has access to normally hardware-protected memory.

"All of the real-world UEFI threats discovered in the last few years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed," said Smolár.

ESET flagged up LoJax in 2018, and detailed how the UEFI rootkit slithered onto Windows PCs in 2019. Victims were tricked into running some code that hijacked a vulnerable driver. That in turn was loaded by the UEFI firmware during startup and, hey presto, the rootkit was installed. Getting rid of it would require a reflash of the board's SPI memory.

ESET reported the latest vulnerabilities to Lenovo in October last year, and says the list of affected devices numbers more than a hundred models with millions of users worldwide. According to ESET, Lenovo confirmed the vulnerabilities on November 17 2021, and the CVEs were assigned.

The recommendation remains to follow Lenovo's instructions with regard to updating one's firmware. For End Of Development Support (EODS) devices affected by the CVE-2021-3972, ESET suggested "using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes."

The Register contacted Lenovo for comment beyond its advisory, but the company has yet to respond. ®

Updated at 1914 BST on 19 April 2022 to add

Lenovo sent us a statement following publication of this article:

Lenovo thanks ESET for bringing to our attention an issue in drivers used in the manufacturing of some consumer notebooks. The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected. Lenovo welcomes collaboration with BIOS researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards.

Broader topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading

Biting the hand that feeds IT © 1998–2022