According to Slovakia-based cybersecurity firm ESET, two of
the discovered firmware bugs affect UEFI firmware drivers originally designed
to only be used during the manufacturing process of the impacted Lenovo
consumer notebooks, but they were mistakenly included in the production BIOS
images withought being deactivated.
Attackers can activate the firmware drivers to directly
disable SPI Flash protections or the UEFI Secure Boot feature from a privileged
user-mode process during OS runtime, meaning that exploitation of the bugs
would allow attackers to “ deploy and successfully execute SPI flash or ESP
implants, like LoJax or our latest UEFI malware discovery ESPecter, on the
affected devices,” according to an ESET advisory.
ESET discovered one bug, CVE‑2021-3971, due to the firmware
drivers’ names: SecureBackDoor and SecureBackDoorPeim. While investigating
those drivers, researchers discovered other drivers sharing common
characteristics with the SecureBackDoor drivers: ChgBootDxeHook and ChgBootSmm.
“As it turned out, their functionality was even more
interesting and could be abused to disable UEFI Secure Boot (CVE-2021-3972),”
ESET researchers write.
While investigating those drivers, ESET discovered a third
vulnerability: SMM memory corruption inside the SW SMI handler function
(CVE-2021-3970). This allows arbitrary read/write from/into SMRAM, leading to
the ability to execute malicious code with SMM privileges and the deployment of
an SPI flash implant.
Lenovo currently has 114 laptops listed as impacted by these
firmware bugs, including popular models such as the Ideapad-3, Legion 5
Pro-16ACH6 H and Yoga Slim 9-14ITL05. The company has released firmware updates
that fix these issues which can be downloaded from the company’s supportwebsite.
Lenovo describes the vulnerabilities as such:
- CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
- CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
- CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.
Other devices ESET reported to Lenovo as impacted by the
bugs won’t be patched due to them being out of support, including the Ideapad
330-15IGM and Ideapad 110-15IGR.
For those users, ESET suggests using a TPM-aware full-disk
encryption solution that can make disk data inaccessible if the UEFI Secure
Boot configuration changes.
0 comments:
Post a Comment