Researchers Discover ‘Stealthy’ Lenovo Firmware Vulnerability that Affects Millions of Laptops

Security researchers have discovered three Unified Extensible Firmware Interface vulnerabilities impacting more than 100 different models of Lenovo consumer laptops that could allow attackers to deploy and execute malware.

According to Slovakia-based cybersecurity firm ESET, two of the discovered firmware bugs affect UEFI firmware drivers originally designed to only be used during the manufacturing process of the impacted Lenovo consumer notebooks, but they were mistakenly included in the production BIOS images withought being deactivated.

Attackers can activate the firmware drivers to directly disable SPI Flash protections or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime, meaning that exploitation of the bugs would allow attackers to “ deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices,” according to an ESET advisory.

ESET discovered one bug, CVE‑2021-3971, due to the firmware drivers’ names: SecureBackDoor and SecureBackDoorPeim. While investigating those drivers, researchers discovered other drivers sharing common characteristics with the SecureBackDoor drivers: ChgBootDxeHook and ChgBootSmm.

“As it turned out, their functionality was even more interesting and could be abused to disable UEFI Secure Boot (CVE-2021-3972),” ESET researchers write.

While investigating those drivers, ESET discovered a third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3970). This allows arbitrary read/write from/into SMRAM, leading to the ability to execute malicious code with SMM privileges and the deployment of an SPI flash implant.

Lenovo currently has 114 laptops listed as impacted by these firmware bugs, including popular models such as the Ideapad-3, Legion 5 Pro-16ACH6 H and Yoga Slim 9-14ITL05. The company has released firmware updates that fix these issues which can be downloaded from the company’s supportwebsite.

Lenovo describes the vulnerabilities as such:

• CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
• CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
• CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Other devices ESET reported to Lenovo as impacted by the bugs won’t be patched due to them being out of support, including the Ideapad 330-15IGM and Ideapad 110-15IGR.

For those users, ESET suggests using a TPM-aware full-disk encryption solution that can make disk data inaccessible if the UEFI Secure Boot configuration changes.

April 20, 2022