Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Lenovo has issued a security advisory related to three security vulnerabilities found on several laptops. The flaws affect over 100 Lenovo laptop models, across the company's IdeaPad, Legion, and Yoga portfolios. Using the vulnerabilities, an attacker might be able to disable the Unified Extensible Firmware Interface (UEFI) Secure Boot feature and execute arbitrary code on the laptop. The manufacturer has advised users with affected laptop models to update to the latest firmware for these devices from the official website, in order to stay protected.

Three vulnerabilities were discovered by ESET researchers and affect the UEFI Secure Boot feature, which is designed to verify and load trusted code when the laptop is booted. They were responsibly disclosed by the researchers to Lenovo in October 2021. The vulnerabilities were confirmed by the company in November and were assigned three CVEs (Common Vulnerabilities and Exposures) — CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, and a security advisory was published by the manufacturer on Monday.

According to ESET, which has published a detailed technical analysis of the security flaws, two of the vulnerabilities — CVE-2021-3971 (SecureBackDoor), and CVE-2021-3972 (ChgBootDxeHook), were introduced by the company after two UEFI firmware drivers were accidentally included in the firmware. These drivers are only used when manufacturing the laptop and can be exploited by attackers to turn off the UEFI Secure Boot feature and disable protection for the flash memory chip which stores the UEFI firmware. Security software and other solutions on the operating system will be unable to detect these threats as they execute early in the boot process — before the operating system is loaded.

In order to bypass all the security features offered by Secure Boot, UEFI threats like the ones discovered by ESET, disable the secure mechanisms designed to load trusted code. According to the researchers, all the UEFI threats discovered in the wild including LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy were able to bypass these mechanisms to execute their malicious code. Similar security flaws were also discovered in HP firmware, published by SentinelOne last month.

The researchers also found a third security flaw — or CVE-2021-3970 (LenovoVariableSmm), which could lead to arbitrary code execution in system management RAM (or SMRAM), with elevated privileges. In some cases, it can be used to activate the ChgBootDxeHook driver in order to disable UEFI Secure Boot feature, according to the researchers at ESET. All three security vulnerabilities discovered require the attacker to have local access to the device, but it is worth noting that Lenovo has assigned the flaws a “Medium” severity level in its advisory.

Over 100 consumer laptop models used by millions of users are affected by the security flaws, according to the researchers. Users who own devices that have active development support can download the latest firmware update for their laptop from Lenovo's Advisory website. However, several other affected devices won't be fixed as they have reached End of Development Support (EODS). However, these users can use a TPM-aware full-disk encryption to make disk data inaccessible if the UEFI Secure Boot configuration has been modified, according to the ESET researchers.