Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Two of the security flaw — CVE-2021-3972 and CVE-2021-3971 — exist because drivers that should have been used during the manufacturing process only were mistakenly left in production UEFI firmware, potentially exposing devices to attacks.

According to a Lenovo advisory, exploitation of the driver flaws could allow attackers with elevated privileges to either modify the secure boot settings (CVE-2021-3972) or modify the firmware protection region (CVE-2021-3971).

Lenovo credited researchers at anti-malware firm ESET with reporting the vulnerabilities.

ESET notes that the ability to disabling Secure Boot has a significant impact on system security, as it could allow for malicious drivers and applications to be executed during boot. On the other hand, resetting the firmware to factory settings could allow an attacker to deploy vulnerable UEFI applications to exploit in future attacks.

[ READ: High-Severity UEFI Flaws Patched in Dell Laptops ]

ESET notes that CVE-2021-3971 can be exploited to disable the write-protections mechanisms for the SPI flash, the embedded flash memory chip on which the UEFI firmware usually resides.

This could allow an attacker to deploy malicious code directly to the firmware storage, according to documentation shared by ESET.  

Advertisement. Scroll to continue reading.

Tracked as CVE-2021-3970, the third bug – which exists because of insufficient validation in the SW SMI handler function – could allow a local attacker with elevated privileges to execute arbitrary code.

SW SMI (software System Management Interrupt) is a processor interrupt that needs to be triggered to enter a highly privileged execution mode of x86 processors called System Management Mode (SMM).

“This vulnerability can be exploited from a privileged kernel-mode process by triggering the software SMI interrupt and passing a physical address of a specially crafted buffer as a parameter to the vulnerable SW SMI handler,” ESET added.

The security defects were reported to Lenovo in October 2021. The computer maker has already issued patches for multiple laptop models and targets May 10 for rollout of firmware updates for the remaining products.

Several laptop models that have reached end-of-life (EOL) will remain unpatched, Lenovo said.

Related: Dozens of UEFI Vulnerabilities Impact Millions of Devices

Related: Prolific Chinese APT Caught Using ‘MoonBounce’ UEFI Firmware Implant

Related: ESET Discovers UEFI Bootkit in Cyber Espionage Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...