Lenovo has released security updates for more than 100 laptop models to address critical vulnerabilities that allow advanced attackers to covertly install malicious firmware that may be nearly impossible to remove or, in some cases, to detect.
Three vulnerabilities affecting more than 1 million laptops could allow attackers to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware and its operating system. As the first piece of software to run when virtually any modern machine is powered on, it is the first link in the security chain. Because UEFI resides in a flash chip on the motherboard, infections are hard to detect and even harder to remove.
Two of the vulnerabilities, CVE-2021-3971 and CVE-2021-3972, are found in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in production BIOS images without properly disabling them. Attackers can exploit the buggy drivers to disable protections, including UEFI Secure Boot, BIOS control register bits and protected range registers, which are built into the serial peripheral interface (SPI) flash controller and are designed to prevent unauthorized changes to the firmware stored in it.
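To make the protections named above concrete, the following added example (not code from the article, Lenovo or ESET) decodes the two register families a defender would inspect when checking whether SPI flash writes to the BIOS region are blocked: the BIOS control register (BIOSWE, BLE and SMM_BWP bits) and the protected range registers (PR0 to PR4). The bit layouts used are the common Intel PCH layout and are an assumption about the platform; the register values, BIOS region bounds and the `assess` helper are constructed for illustration. On a real machine the raw values would come from a firmware inspection tool, not from this script.

```python
# Added example: decode SPI flash write-protection registers (assumed Intel
# PCH layout) and report whether host-side writes to the BIOS region are
# blocked. All register values below are constructed, not read from hardware.

from dataclasses import dataclass
from typing import Dict, List

# BIOS_CNTL bit layout (assumption: common Intel PCH layout)
BIOSWE = 1 << 0    # BIOS Write Enable: 1 lets host software write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes are honoured only from SMM


@dataclass
class ProtectedRange:
    index: int
    base: int
    limit: int
    write_protected: bool
    read_protected: bool


def decode_bios_cntl(value: int) -> Dict[str, bool]:
    """Decode the BIOS control register and judge whether it blocks host writes."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)
    # Treated as protected only when writes are disabled, that setting is
    # locked (BLE), and writes are additionally confined to SMM (SMM_BWP).
    return {
        "BIOSWE": bioswe,
        "BLE": ble,
        "SMM_BWP": smm_bwp,
        "write_protected": (not bioswe) and ble and smm_bwp,
    }


def decode_pr(index: int, value: int) -> ProtectedRange:
    """Decode one PRx register.

    Assumed layout: PRB (base >> 12) in bits 12:0, RPE in bit 15,
    PRL (limit >> 12) in bits 28:16, WPE in bit 31.
    """
    prb = value & 0x1FFF
    prl = (value >> 16) & 0x1FFF
    return ProtectedRange(
        index=index,
        base=prb << 12,
        limit=(prl << 12) | 0xFFF,
        write_protected=bool(value & (1 << 31)),
        read_protected=bool(value & (1 << 15)),
    )


def bios_region_covered(ranges: List[ProtectedRange], bios_base: int, bios_limit: int) -> bool:
    """True only if write-protected PR ranges cover the whole BIOS region without gaps."""
    covered = sorted((r.base, r.limit) for r in ranges if r.write_protected)
    cursor = bios_base  # first flash address not yet shown to be protected
    for base, limit in covered:
        if base > cursor:
            break  # a hole before this range: the region is not fully covered
        if limit >= cursor:
            cursor = limit + 1
        if cursor > bios_limit:
            return True
    return cursor > bios_limit


def assess(bios_cntl: int, pr_values: List[int], bios_base: int, bios_limit: int) -> Dict[str, object]:
    """Combine both mechanisms: either a locked BIOS_CNTL or full PR coverage blocks writes."""
    cntl = decode_bios_cntl(bios_cntl)
    ranges = [decode_pr(i, v) for i, v in enumerate(pr_values)]
    pr_ok = bios_region_covered(ranges, bios_base, bios_limit)
    return {
        "bios_cntl": cntl,
        "protected_ranges": ranges,
        "pr_covers_bios": pr_ok,
        "bios_write_protected": cntl["write_protected"] or pr_ok,
    }


# Constructed sample values (not from any real Lenovo machine):
BIOS_BASE, BIOS_LIMIT = 0x780000, 0x7FFFFF  # constructed BIOS region in an 8 MiB flash
WEAK = {"bios_cntl": 0x01, "pr_values": [0, 0, 0, 0, 0]}               # BIOSWE set, nothing locked
HARDENED = {"bios_cntl": 0x22, "pr_values": [0x87FF0780, 0, 0, 0, 0]}  # BLE+SMM_BWP, PR0 covers BIOS

if __name__ == "__main__":
    for name, regs in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess(regs["bios_cntl"], regs["pr_values"], BIOS_BASE, BIOS_LIMIT)
        print(f"{name}: BIOS region write-protected = {result['bios_write_protected']}")
```

The check deliberately demands both locking bits together with BIOSWE cleared, and treats protected ranges as sufficient only when they cover the BIOS region with no gap, because a single unprotected page is enough for a firmware implant to land. The vulnerable drivers described in the article matter precisely because they let an attacker flip these bits from the operating system, so a one-off reading is only as trustworthy as the firmware that set it.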
While analyzing those vulnerabilities, researchers from the security firm ESET found a third one, CVE-2021-3970. It allows attackers to run malicious firmware when a machine is put into System Management Mode, a highly privileged operating mode typically used by hardware manufacturers for low-level system management.
“Based on the description, these are all pretty ‘oh no’ kind of attacks for sufficiently advanced attackers,” Trammel Hudson, a security researcher specializing in firmware hacking, told Ars. “It’s pretty bad to bypass SPI flash permissions.”
He said the severity can be reduced by protections such as BootGuard, which are designed to prevent unauthorized firmware from running during the boot process. Then again, researchers have in the past revealed critical vulnerabilities that undermine BootGuard, including a trio of bugs discovered by Hudson in 2020 that prevented the protection from working when a computer went into hibernation.
Creeps into the mainstream
Although still rare, so-called SPI implants are becoming more common. One of the Internet's biggest threats, a piece of malware known as Trickbot, began in 2020 to incorporate into its code base a driver that can write firmware to virtually any device. The only two other documented cases of malicious UEFI firmware used in the wild are LoJax, written by the Russian state hacking group known by several names including Sednit, Fancy Bear and APT28, and UEFI malware that the security firm Kaspersky discovered on computers belonging to diplomats in Asia.
All three Lenovo vulnerabilities found by ESET require local access, meaning the attacker must already control the vulnerable machine with unrestricted privileges. The bar for such access is high and would likely require the exploitation of one or more other critical vulnerabilities elsewhere, which would already put a user at significant risk.
Still, the vulnerabilities are serious because they allow vulnerable laptops to be infected with malware that goes far beyond what is normally possible with more conventional malware. Lenovo has published a list of the more than 100 affected models.