Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that is nearly impossible to remove or, in some cases, undetectable.
Three vulnerabilities affecting more than 1 million laptops could allow hackers to modify a computer’s UEFI. UEFI, short for Unified Extensible Firmware Interface, is the software that connects a computer’s firmware to its operating system. As the first piece of software that almost any modern machine runs when it is turned on, it is the initial link in the security chain. Because UEFI resides in a flash memory chip on the motherboard, an infection there is difficult to detect and even harder to clean.
Oh no
Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, reside in UEFI firmware drivers that are meant to be used only during the manufacturing of Lenovo consumer laptops. Lenovo engineers inadvertently included the drivers in the production BIOS images without properly deactivating them. Hackers can take advantage of these flawed drivers to disable protections, including UEFI Secure Boot, BIOS control register bits, and protected range registers, which are built into the Serial Peripheral Interface (SPI) and are designed to prevent unauthorized changes to the firmware it holds.
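The BIOS control register bits and protected range registers mentioned above are the settings a defender checks when auditing whether a machine's SPI flash is still write-protected. The script below is an added example, not code from the article, from ESET or from Lenovo: it decodes two constructed register values (a BIOS_CNTL word and a list of PRx words) and reports whether the BIOS region is locked. The bit layouts follow commonly documented Intel PCH register fields and are assumptions here; the field positions, and the BIOS region boundaries, must be confirmed against the datasheet for the chipset in question, and the raw values would in practice be read with a tool such as chipsec rather than hard-coded.

```python
"""Decode SPI-flash write-protection state from BIOS_CNTL and PRx values.

Added example (not from the article, ESET or Lenovo). Register layouts
are ASSUMED from commonly documented Intel PCH fields; check the datasheet
for the actual chipset. Sample register values are constructed.
"""
from dataclasses import dataclass

# BIOS_CNTL bit positions (assumed layout; newer PCHs name these WPD/LE/EISS)
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM

# PRx bit positions (assumed layout: fields hold flash address bits 26:12)
PR_WPE = 1 << 31            # Write Protection Enable for this range
PR_LIMIT_SHIFT = 16
PR_FIELD_MASK = 0x7FFF
PR_ADDR_SHIFT = 12


@dataclass
class ProtectedRange:
    write_protected: bool
    base: int    # first protected flash address
    limit: int   # last protected flash address (end of the final 4 KiB page)


def decode_pr(value: int) -> ProtectedRange:
    """Expand a 32-bit PRx register into an address range."""
    base = (value & PR_FIELD_MASK) << PR_ADDR_SHIFT
    limit_field = (value >> PR_LIMIT_SHIFT) & PR_FIELD_MASK
    limit = (limit_field << PR_ADDR_SHIFT) | 0xFFF
    return ProtectedRange(bool(value & PR_WPE), base, limit)


def bios_cntl_locks_flash(bios_cntl: int) -> bool:
    """Same rule chipsec's bios_wp check applies to the control register:
    lock bit set, and either SMM-only writes or writes disabled outright."""
    return bool(bios_cntl & BLE) and (bool(bios_cntl & SMM_BWP) or not (bios_cntl & BIOSWE))


def pr_covers_region(ranges, region_start: int, region_end: int) -> bool:
    """True when write-protected PR ranges cover every byte of the region,
    possibly with several adjacent ranges joined end to end."""
    protected = sorted((r.base, r.limit) for r in ranges if r.write_protected)
    cursor = region_start
    for base, limit in protected:
        if base > cursor:
            return False            # uncovered gap begins at cursor
        cursor = max(cursor, limit + 1)
        if cursor > region_end:
            return True
    return False


def assess(bios_cntl: int, pr_values, bios_region=(0x00800000, 0x00FFFFFF)) -> dict:
    """Summarise the protection state; the default BIOS region is a
    constructed placeholder (upper 8 MiB of a 16 MiB flash)."""
    ranges = [decode_pr(v) for v in pr_values]
    cntl_ok = bios_cntl_locks_flash(bios_cntl)
    pr_ok = pr_covers_region(ranges, *bios_region)
    return {"bios_cntl_lock": cntl_ok, "pr_coverage": pr_ok,
            "protected": cntl_ok or pr_ok}


if __name__ == "__main__":
    # Constructed sample: BLE + SMM_BWP set, one PR covering 0x800000-0xFFFFFF
    print(assess(0x22, [0x8FFF0800]))
    # Constructed sample: BIOSWE set with no lock, PR present but WPE clear
    print(assess(0x01, [0x0FFF0800]))
```

Because the manufacturing drivers described in the article clear exactly these settings, a run that reports `protected: False` on a machine that previously reported `True` is the kind of change worth investigating, and it is cheap to record the decoded state as a baseline alongside the firmware image hash.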
After discovering and analyzing those vulnerabilities, researchers from security firm ESET found a third, CVE-2021-3970. It allows hackers to run malicious firmware when the machine enters System Management Mode, a high-privilege mode of operation that hardware manufacturers often use for low-level system management.
“These are very ‘oh no’ attacks for a sufficiently advanced attacker by description,” Trammell Hudson, a security researcher specializing in firmware hacking, told Ars. “Bypassing SPI flash permissions is terrible.”
He said protections such as BootGuard, which is designed to prevent unauthorized people from running malicious firmware during the boot process, might mitigate the severity. Then again, past research has found critical vulnerabilities that compromise BootGuard, including three flaws Hudson discovered in 2020 that prevented the protection from working when a computer came out of sleep mode.
Gradually going mainstream
While still rare, so-called SPI implants are becoming more common. One of the internet’s biggest threats, a piece of malware called Trickbot, started incorporating drivers into its codebase in 2020 that would allow people to write firmware to almost any device. Only two cases of malicious UEFI firmware being used in the wild have been documented. The first is LoJax, which was written by a Russian state hacking group that goes by several names, including Sednit, Fancy Bear, and APT28. The second is UEFI malware that Kaspersky found on the computers of Asian diplomats.
All three Lenovo vulnerabilities discovered by ESET require local access, which means an attacker must already have control of a vulnerable machine with unrestricted privileges. The barrier to entry for such access is high and may require exploiting one or more other critical vulnerabilities elsewhere that already put users at considerable risk.
Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes far beyond what more traditional malware can usually achieve. Lenovo has published a list of the more than 100 affected models.