Researchers at cyber security company ESET have discovered three vulnerabilities that affect Lenovo laptops and could lead to the execution of malware through a bypassing of UEFI Secure Boot.
More than 100 different Lenovo laptop models and millions of users are thought to be vulnerable to the UEFI threats, ESET said, and patches aren’t available for all those who may be affected.
A number of the laptops that are vulnerable to the attacks have reached end of life and are not supported with official updates. In these cases, ESET recommends users deploy an anti-malware product that scans for UEFI threats and uses a TPM-aware full-disk encryption product to make the disk inaccessible.
Of the three total vulnerabilities in question, two of them tracked as CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers that were mistakenly left in the final production devices, and their BIOS images, after originally only supposed to be included during the manufacturing process.
Both drivers “immediately” caught the attention of the ESET researchers since they were named SecureBackDoor and SecureBackDoorPeim.
Attackers could use these vulnerabilities to disable flash memory protections and UEFI Secure Boot to deploy UEFI malware on targeted machines, ESET said.
UEFI malware is not a new phenomenon but has seen several high-profile exploits in recent years such as Lojax in 2018, and ESPecter and MoonBounce in 2021. These types of attacks can be difficult to trace since the malware is stored in flash memory, leaving a small footprint.
The exploits are also becoming more advanced with the likes of ESPecter being only the second ever real-world case of a UEFI bootkit persisting on the EFI System Partition. The first example of this is thought to be FinSpy, also discovered in 2021 by Kaspersky.
Lenovo has released a wide range of patches that can be downloaded from its website and advisory page. It lists all affected devices and to what security issues they are vulnerable, though some devices are still awaiting patches for specific CVEs. In these cases, Lenovo has provided an estimated availability date.
The third and final vulnerability tracked as CVE-2021-3970, is a vulnerability in the LenovoVariable SMI Handler - a component responsible for detecting and logging system errors - that could allow an attacker with local access and elevated privileges to execute arbitrary code.
Cyber security experts have responded to the announcement heeding the warnings of ESET and Lenovo, agreeing that the vulnerabilities could be potentially dangerous, though not in the average security team’s threat model.
“These Lenovo UEFI vulnerabilities are not in your average threat model,” said security threat analyst Martijn Grooten. “But if privilege escalation from admin to worse is in your threat model this is kind of bad.”
