From remote? From local?

Topic

New Reply

Alex posted earlier about UEFI vulnerabilities in certain models of consumer Lenovo laptops. The official notice is here at the Lenovo site. I try to
[See the full post at: From remote? From local?]

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Replies

What is most troubling is that these are Lenovo consumer laptops, and consumers are generally not astute enough to realize that they need to update the BIOSes of their systems.  The best solution here would be for Lenovo to collaborate closely with Microsoft to assure that the BIOS update comes in as part of the regular Windows update process.  I say that with trepidation, given that Microsoft does not have a spotless record for its updates.

ESET explains in great detail how these exploits work, but fortunately does not go the next and most dangerous step of showing how to compromise a Lenovo consumer system, i.e. how you are I might write software to do it, if we were smart enough about UEFI.  In other words, can a badly formed PDF or email cause this mischief?

 

 

Reply | Quote

Ben and Susan:

Agree on how confusing this would be/is to consumers.

I think of myself of having a more than basic understanding of updating drivers, but looking my options are confusing.  First, the bios is an easy fix using a downloadable executable file.  But understanding the update info for the “Intel Management Engine Firmware” is beyond my abilities (and Lenovo makes it extra confusing).  Plus Lenovo actually says:  No longer supported.  Huh?

Really:  Do I update both the Bios and Intel Management Engine Firmware or just bios?

Link:

https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/legion-series/legion-7-16ithg6/downloads/driver-list/component?name=BIOS%2FUEFI

Note to moderators:  If this should be a new topic, please move it for me.

Thanks,

Mike

Reply | Quote

Mike wrote:

…  Do I update both the Bios and Intel Management Engine Firmware or just bios?…

Hi Mike:

Your link in your post # 2440671 suggests you have a Lenovo Legion 7-16ITHg6 laptop. If that is correct, what is your Windows operating system and current BIOS version? If you aren’t sure what BIOS version you have open a Run dialog box (Windows key + R), enter msinfo32 to open your System Information panel (or just search from your taskbar for “System Information”) and look for the “BIOS Version/Date” field.

The table at the bottom of the Lenovo Security Advisory LEN-73440 (Lenovo Notebook BIOS Vulnerabilities) states that users should “Update system firmware to the version (or newer) indicated for your model in the Product Impact section” and the table at the bottom of that security advisory shows that all three vulnerabilities (CVE-2021-3970, CVE-2021-3971 and CVE-2021-3972) are patched by BIOS firmware version H1CN46WW or newer for the Legion 7-16ITHg6.

If you click the link for the Legion 7-16ITHg6 in that table it takes you to Drivers & Software page <here> for that specific model. Filtering for BIOS/UEFI components (2 downloads available) shows that the recommended BIOS firmware is version H1CN47WW (rel. 08-Apr-2022). I don’t own a Lenovo laptop, but I assume that means if you have either the previous BIOS version H1CN46WW or current BIOS version H1CN47WW that you are already patched against these vulnerabilities.

If you have the recommended BIOS version H1CN47WW (rel. 08-Apr-2022) then it would make sense to update to the recommended Intel Management Engine Firmware version H1ME46WW (rel. 08-Apr-2022) as well to keep pace with your BIOS version, but in this case I don’t think that the recommended Intel Management Engine Firmware update is actually required for  patching CVE-2021-3970, CVE-2021-3971 and CVE-2021-3972.
——–
Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1645 * Firefox v99.0.1 * Microsoft Defender v4.18.2203.5-1.1.19100.5 * Malwarebytes Premium v4.5.8.191-1.0.1666

Reply | Quote

Definitely need to do an article on this.  Hang loose.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

The txt file for the Lenovo bios update indicates some additional features.  I think.

Summary of changes
==================
General Information:

H1CN47WW :
BIOS Notification :
1. Fixed
1) None.
2. Add
1) Add 95W PD enhancement feature.
3. Modified
1) Fine tune silent installation feature.;
2) Fine tune custom mode feature.;
3) Enhance the security architecture for system.
4) Enable Instant boot;

EC Notification :
1. Fixed
1) None
2. Add
1) None
3. Modified
1) Optimize PD enhancement setting
2) Modify to support 135W typeC adater.

 

Mike

Reply | Quote

Mike wrote:

Do I update both the Bios and Intel Management Engine Firmware or just bios?

Yes. Update both.

If your laptop has a BIOS export you should create a backup file just to be able to restore in case something go wrong.
Don’t use Lenovo Vantage for updates. Download and install manually.

Reply | Quote

Alex.

Not to get too off topic, but the information and notes for the Lenovo Intel Management firmware update are confusing.  First it says not to update if there are no current problems and second: it’s EOL and not supported anymore.  Refer to the above txt file and link and then view the notes for the file.

Mike

Reply | Quote

BIOS “talks” to Intel Firmware.
Both has been updated on the same date and both should be installed.
EOL means no future updates for your PC for this Firmware.

Reply | Quote

Thanks Alex.  The EOL (actually end of development) software note still doesn’t make a bit of sense since the machine is 6 months new.  I think it’s a typo.  And….it does say in the installation txt file that you don’t need to patch the IME unless you are experiencing issues.   Anyway, unless Susan comes up with something else related to these Lenovo targeted machines, I’ll patch both shortly.

Mike

 

Reply | Quote

Worst case if you have undetected malware on your system running with elevated privileges, and the c2c server scopes your platform is vulnerable to the full exploit and instructs the local malware to update to exploit CVE-2021-3971, which enables it to write a downloaded exploit image to the area occupied by the Lenovo software instigated at UEFI boot via the platform binary table.

Of course secure boot should stop the boot there as the software “in chip” then won’t match the details in the (still “signed and sealed”) platform binary table, which means CVE-2021-3972 needs to be exploited to remove that protection so you don’t know what’s happening until the firmware embedded malware (ransomware, for example) has done its work… and yes, at that point backups and reinstalling could be useless as Windows setup always does what the PBT indicates unless you really fancy your chances finding boot time drivers and dropping out of UEFI, secure boot etc. and hoping the backups aren’t garbage.. I did that once to clear some sort of persistent firmware issue. The results were poor to say the least.

The ransomware example would actually have to do little other than alter the firmware code handling the hardware encryption so the recovery key Windows presents isn’t the one in use – as you would then have no access to a clean boot (as the firmware is exploited) and no ability to mount the drive in another system to retrieve anything or characterise the problem as you won’t have a working recovery key.. and the policy to bitlocker encrypt can’t be turned off without altering the firmware settings affecting platform security already affected by the exploit.

Potentially CVE-2021-3970 might enable code to get to cloud backups / credentials. It shouldn’t, but the absence of specific info either location you might expect it indicates the situation is probably still evolving.. so maybe don’t take the “local” too seriously until something is in writing..

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3970

https://nvd.nist.gov/vuln/detail/CVE-2021-3970

And guard your last backup should you encounter boot time error 0183. Had that with a machine I saw suspected to be affected by a previous firmware exploit. We tried every reset plausible and even reimaged the drive in a working machine to no avail – it had to be replaced as it was a little outside Lenovo warranty. They’ve also done away (a couple years ago?) with their parts department so any comments on the new company covering those…

2 users thanked author for this post.

oldfry, Alex5723

Reply | Quote

I think that this is OK to post here:

Macs get both their OS and firmware updates together, so installing one automatically installs the other when they are both available and the firmware one is necessary. It does the latter without saying so. It is certainly very convenient, although, occasionally, this is not such a good thing:

https://arstechnica.com/gadgets/2021/11/why-macos-updates-might-brick-your-mac-and-what-you-can-do-about-it/

Excerpt:

“When Apple releases new macOS updates, you aren’t just getting updates to the operating system. Since 2015 or so, Apple has also distributed most firmware updates as part of the operating system rather than doing it separately (this also includes updates to the “bridgeOS” software that runs on Apple T1 and T2 Macs). For PC owners, imagine if installing new Windows versions or Patch Tuesday security updates also updated your BIOS or graphics firmware, and that there was no way to get one without getting the other.

This saves steps for end users, who get the benefits of firmware-level security and feature patches just by keeping their software up to date. Apple’s firmware patches contain mitigation for hardware-level vulnerabilities like Spectre, Meltdown, and their ilk, and Apple also issued updated firmware with macOS High Sierra to add APFS boot support to older Macs.

But bundling in firmware updates also adds complexity. If your Mac is unplugged or runs out of battery during a firmware update, that might render it unable to boot and unable to be revived through the typical methods. And because they are more intensive and take longer than a typical software update, both firmware updates and major OS updates can occasionally unearth underlying hardware issues with RAM, storage, or other components.“

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Lenovo laptops aren’t Mac computers.  In the future can we stick to the topic at hand and the platform we are discussing please?  Thank you for understanding and for keeping on topic.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

PKCano, John782

Reply | Quote

Sorry about that. I came to this thread because I got an email from AskWoody saying that “you are getting this email because you are subscribing to a forum” that looked like an invitation to participate. I wasn’t quite sure about that looking at what people were posting here, as it was about a particular brand of computer, but did not say anywhere the thread was only about this brand and its problems. So, seeing no harm in it, I went ahead and  commented on something about firmware updating I happen to know about.

So: a misunderstanding.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

You must have subscribed to the main blog feed. My recommendation is to read the originating blog post so we can stay on topic.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

wavy, John782, PKCano

Reply | Quote

Susan Bradley wrote:

Lenovo laptops aren’t Mac computers.  In the future can we stick to the topic at hand and the platform we are discussing please?  Thank you for understanding and for keeping on topic.

Thanks Susan. I have a 2020 Yoga C740-14IML laptop, which is on the list and I could care less what Apple does or doesn’t do with their Mac computers.

1 user thanked author for this post.

PKCano

Reply | Quote

Alex5723 wrote:

Don’t use Lenovo Vantage for updates

Hi Alex ! Can you expand a little more on this?  Lenovo Vantage says I’m up to date, and the last Bios Update was installed on 10/5/2021. I’m not sure on the Intel Update? I guess I could download it manually and if it was already on my laptop, it would give notification that it was already installed? I thought Lenovo Vantage supposedly took care of everything. I’m glad you posted this. Thanks, John

Reply | Quote

Rule of thumb : never ever let automatic updates on any device : Firmware, drivers, software (exception security and browsers apps) ….

Lenovo Vantage isn’t always up to date with updates.
You should check periodically Lenovo’s support web page and subscribe to Lenovo forum for your device: https://forums.lenovo.com/t5/English-Community/ct-p/Community-EN

Always download and install Firmware manually after reading release notes.
Always download and install drivers directly from OEMs
Block drivers installation in Windows Update.

I don’t have Lenovo Vantage installed on my Lenovo Y530 laptop.

1 user thanked author for this post.

John782

Reply | Quote

Hi!

Lenovo Vantage is purposely delayed while the update team monitors the early deployment of updates. Updates are first published on the support website, then to Vantage database about two weeks later if everything looks fine. The idea is to only install good updates automatically.

Martin

2 users thanked author for this post.

ChrisAVWood, John782

Reply | Quote

Susan Bradley wrote:

Hang loose

What does that mean?
Besides the hand-signal I answered here, and that was wiped out.

* _ the metaverse is poisonous _ *

Reply | Quote

https://tinyurl.com/y2xzln6o

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

thank you “b” , this is some kind of an understandable idiom
for me using the French or German language is a bit easier, but not allowed under penalty of being deleted here

* _ the metaverse is poisonous _ *

Reply | Quote

Hang loose means I’m going to do more research and write up a more detailed article.  If an attach is “from local” meaning the attacker has to have physical access to my computer I discount that style of attack for consumer devices. If an attack would showcase some sort of physical evidence of tampering – a boot message  = something that would make the normal person go “what’s wrong with my machine?” I also discount that as a normal computer user would stop and ask.

In this specific case – hang loose means don’t panic – I want to do more research.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Thank you.
To me, this is a kind of incomprehensible use of a local and undefined use of words.
The use of the French or German language to express some feelings seems much easier, but not allowed here on pain of removal.

* _ the metaverse is poisonous _ *

Reply | Quote

What we know so far:

If an attack on a Lenovo laptop with the vulnerable BIOS versions were to succeed, malware implanted on the firmware’s SPI Flash would be persistent between re-installs of the OS.

The attack is technically difficult, requires local admin permissions to succeed, and *might* require physical access (but this last is possibly disputed.)

Normal AV products cannot detect an infection that resides in the firmware (SPI Flash.)

Disinfection of a compromised system would involve resetting and rewriting the BIOS and SPI Flash tables.

No known in-the-wild examples at this time.  Suspicion that this might be used for high value targets in the future.

Mitigation:

For most users, the Lenovo Vantage update tool is the safest and easiest recommended method to obtain the updates.  Close all other applications, run the tool (from the Microsoft Store if it’s been removed).  Let it install the system components, run the scan, install updates.  Reboot.  Run a scan for updates (and install) a second time to be sure.

The Vantage tool has begun aggressive advertising for “fluffy” Lenovo services, but they are easy to ignore and may be safely disregarded.  ONLY use the Drivers Update feature.  Once you have updated your Lenovo system (BIOS and drivers), feel free to UN-install the tool and stop the fluff notifications.

~ Group "Weekend" ~

Reply | Quote

I just wanted to add that there is a version called Lenovo Commercial Vantage for Lenovo business computers without the “fluff”. It is also manageable from Group Policy. Use it if your machine is supported!

Martin

1 user thanked author for this post.

NetDef

Reply | Quote

Netdef
Thanks for this excellent summary of the issue.
Question does this include the, what appears to be optional, Intel Management Engine?  Which is paired with the BIOS update in the manual download section.  Refer to this post, links and images https://www.askwoody.com/forums/topic/from-remote-from-local/#post-2440671

 

Reply | Quote

I can’t answer specifically to your need for an updated IME.

More generally – If the Vantage update tool shows an update for that component, my advice is thus:

If the update is listed under “Critical” I would install it.

If it’s listed under “Optional” I would defer the update unless I am having issues that I know are related to that component.

As far as I can tell, the needed critical Lenovo BIOS update is independent from other updates that Vantage lists as optional.

~ Group "Weekend" ~

Reply | Quote

Realistically, given the footprint of Lenovo in SME environments and the ease with which it’s likely to be able to footprint a Lenovo device as its likely to have the LSE/LSB component present in the OS which is plausibly providing some information on the device (if you can interrogate it) even if WMIC is depreciated so Windows can’t be easily interrogated (and Lenovo somehow skipped revealing their ID, serial in the MAC address)..

Basically it’s a matter of time before someone decides if a rejig of the moonbounce malware would be useful for a bit of extortion of some company or other (so they might not, we might get lucky..) – I would expect they at least need to get inside the network first and “own” a suitable system in the organisation to leverage it.

The fuzzyness in the term local is inherent – it can be read as “on the same network”, “running on the machine itself” or even “sitting at the keyboard pressing buttons” .

That is I believe what they mean in this context.. and as long as the office is well secured then that doesn’t always need to concern you unless someone in the office has ideas, builds a PE Windows boot and uses code in it to insert the relevant changes into the firmware and its settings as you have not turned off the (usually F12) boot menu key or haven’t set a password on the BIOS setup. So basically, we’re talking a combination of espionage involving a lot of technical knowhow, and insufficient security for the “local” to be an issue.

Home users probably have a lot less to worry about.

 

1 user thanked author for this post.

NetDef

Reply | Quote

oldguy wrote:

Home users probably have a lot less to worry about.

This is my current position on this particular topic as well.

~ Group "Weekend" ~

Reply | Quote

Another not to get too worked up about.. seems ThinkPad X1 Fold Gen 1 (Types: 20RK, 20LK) only.. and local access..

https://nvd.nist.gov/vuln/detail/CVE-2022-1107

https://support.lenovo.com/gb/en/product_security/len-84943

 

Reply | Quote

This one isn’t remote or local, it’s both..

https://support.lenovo.com/gb/en/product_security/len-72615

Guessing nobody’s that interested?

 

Reply | Quote