• UEFI security bugs in Lenovo’s one hundred different consumer laptop models

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » UEFI security bugs in Lenovo’s one hundred different consumer laptop models

    Author
    Topic
    #2440470

    When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops

    ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malware

    ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime…

    List of effected Lenovo notebooks and Firmware updates.

    • This topic was modified 1 month ago by Alex5723.
    Viewing 0 reply threads
    Author
    Replies
    Viewing 0 reply threads
    Reply To: UEFI security bugs in Lenovo’s one hundred different consumer laptop models

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.