Millions of Lenovo laptops thought to be vulnerable to newly discovered UEFI malware attacks

ESET researchers said the core vulnerabilities were 'easy' to spot due to "unfortunate" and "honest" driver names

Researchers at cyber security company ESET have discovered three vulnerabilities that affect Lenovo laptops and could lead to the execution of malware through a bypassing of UEFI Secure Boot.

More than 100 different Lenovo laptop models and millions of users are thought to be vulnerable to the UEFI threats, ESET said, and patches aren’t available for all those who may be affected.

A number of the laptops that are vulnerable to the attacks have reached end of life and are not supported with official updates. In these cases, ESET recommends that users deploy an anti-malware product that scans for UEFI threats and use a TPM-aware full-disk encryption product to make the disk inaccessible.

Of the three vulnerabilities in question, two, tracked as CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers that were mistakenly left in the final production devices and their BIOS images, although they were originally supposed to be included only during the manufacturing process.

Both drivers “immediately” caught the attention of the ESET researchers since they were named SecureBackDoor and SecureBackDoorPeim.

Attackers could use these vulnerabilities to disable flash memory protections and UEFI Secure Boot to deploy UEFI malware on targeted machines, ESET said.

UEFI malware is not a new phenomenon but has seen several high-profile exploits in recent years, such as LoJax in 2018, and ESPecter and MoonBounce in 2021. These types of attacks can be difficult to trace since the malware is stored in flash memory, leaving a small footprint.

The exploits are also becoming more advanced with the likes of ESPecter being only the second ever real-world case of a UEFI bootkit persisting on the EFI System Partition. The first example of this is thought to be FinSpy, also discovered in 2021 by Kaspersky.

Lenovo has released a wide range of patches that can be downloaded from its website and advisory page. The advisory lists all affected devices and the security issues to which each is vulnerable, though some devices are still awaiting patches for specific CVEs. In these cases, Lenovo has provided an estimated availability date.

The third and final vulnerability, tracked as CVE-2021-3970, is in the LenovoVariable SMI Handler - a component responsible for detecting and logging system errors - and could allow an attacker with local access and elevated privileges to execute arbitrary code.

Cyber security experts have responded to the announcement, heeding the warnings of ESET and Lenovo and agreeing that the vulnerabilities could be potentially dangerous, though not in the average security team’s threat model.

“These Lenovo UEFI vulnerabilities are not in your average threat model,” said security threat analyst Martijn Grooten. “But if privilege escalation from admin to worse is in your threat model this is kind of bad.”