ESET Discovers UEFI Flaws in Popular Lenovo Laptops

Do you own a Lenovo laptop?

If so, the latest batch of vulnerabilities discovered by ESET security researchers means you may need to do some prompt patching.

Three vulnerabilities were disclosed today: CVE-2021-3970, CVE-2021-3971 and CVE-2021-3972. The last two are especially concerning because they affect UEFI firmware drivers used during the manufacturing process, and they could be exploited to bypass SPI flash protections or UEFI Secure Boot.

“UEFI assaults may be extremely subtle and damaging,” warned Martin Smolár, the ESET researcher who discovered the flaws. “Because they are executed early in the startup phase before the operating system takes control, they may escape practically all security and mitigation mechanisms higher in the stack that may potentially be installed and potentially impede the execution of their operating system payloads.”

For consumer Lenovo Notebook devices susceptible to CVE-2021-3971 and CVE-2021-3972, Lenovo recommends installing a firmware update. Certain updates, however, will not be available until May.

CVE-2021-3970 is a memory corruption bug that ESET researchers found while investigating the other two vulnerabilities. It could be exploited to deploy an SPI flash implant.

Lenovo’s advisory describes CVE-2021-3970 as a “possible vulnerability in Lenovo Variable SMI Handler owing to improper validation in select Lenovo Notebook models which may allow an attacker with local access and enhanced privileges to execute arbitrary code.”

Lenovo classified all three as “medium” severity. ESET noted that an attacker would need administrator credentials to carry out an attack. SPI flash is the type of memory chip used to store system firmware such as UEFI. It should be protected, but a flaw in a System Management Interrupt (SMI) handler could grant access to the CPU’s highly privileged System Management Mode (SMM), which can reach memory that is normally hardware-protected.

“To be effective, all of the real-world UEFI threats found in recent years – LoJax, FinSpy, ESPecter, MosaicRegressor and MoonBounce – required some sort of security circumvent or debilitation in order to be installed and executed,” Smolár stated. ESET discovered LoJax in 2018 and explained how the UEFI rootkit infiltrated Windows PCs in 2019.

Victims were duped into executing malware that hijacked a vulnerable driver, which the UEFI firmware then loaded at startup, installing the rootkit. Removing it would require reflashing the board’s SPI memory. ESET reported the newest vulnerabilities to Lenovo in October of last year, and the company believes that the list of vulnerable devices comprises over a hundred models with millions of users worldwide.

According to ESET, Lenovo acknowledged the vulnerabilities on November 17, 2021, and CVEs were assigned. Users are still advised to follow Lenovo’s guidance when updating their firmware. For End Of Development Support (EODS) devices affected by CVE-2021-3972, ESET advised “using a TPM-aware full-disk encryption solution capable of rendering disc data inaccessible if the UEFI Secure Boot configuration changes.”

ESET has also uploaded a new video to its YouTube channel, ESET’s WLS Special, explaining how these vulnerabilities affect your Lenovo laptop.
