UEFI security bugs in Lenovo’s one hundred different consumer laptop models

Topic

New Reply

[Alex5723]

When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops

ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malware

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime…

List of effected Lenovo notebooks and Firmware updates.

• This topic was modified 1 year, 5 months ago by Alex5723.

Reply | Quote

Replies

This may only be exploitable by a user who has already gained access to your machine.
See Susan’s newsletter: https://www.askwoody.com/2022/from-remote-from-local/

cheers, Paul

Reply | Quote

New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models

Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models.

“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” Slovak cybersecurity firm ESET said in a series of tweets.

Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs relate to buffer overflow vulnerabilities that have been described by Lenovo as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws.

This is the second time Lenovo has moved to address UEFI security vulnerabilities since the start of the year. In April, the company resolved three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) — also discovered by Smolár — that could have been abused to deploy and execute firmware implants.

Users of impacted devices are highly recommended to update their firmware to the latest version to mitigate potential threats.

My Lenovo Legion Y530 stopped receiving updates after 2.2021 (2.5 years after purchase).

Reply | Quote