Some Lenovo laptops may be carrying a serious security flaw

(Image credit: Lenovo)

Cybersecurity experts from ESET have found three security flaws in hundreds of different Lenovo laptop models which could put millions of users at risk.

ESET said exploiting these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter.

In total, three vulnerabilities have been discovered, which are now tracked as CVE-2021-3970, CVE-2021-3971 (also known as SecureBackDoor and SecureBackDoorPreim), and CVE-3972 (SMM memory corruption inside the SW SMI handler function).

Bypassing security measures

The first two can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime. The third, ESET explains, can allow an attacker to execute malicious code with SMM privileges, potentially leading to the deployment of an SPI flash implant.

What makes them extremely dangerous, says ESET researcher Martin Smolár, is that they allow for the exploitation of UEFI threats that are executed early in the boot process, before transferring control to the operating system.

That means they can bypass “almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” he said.

> Billions of Windows and Linux devices at risk of hijacking

> This bootkit has been used to backdoor Windows devices for almost a decade

> Intel, Lenovo and more hit by major BIOS security flaws

This is not the first UEFI threat that’s been discovered. All of them, however (including LoJax, MosaicRegressor, MoonBounce, ESPecter, or FinSpy) need to bypass or disable the device’s security mechanisms in order to work.

The UEFI boot and runtime services are essential for the operation of any endpoint, as drivers and applications need them to properly run.

ESET’s researchers are “strongly” advising all Lenovo laptop owners to go through the list of affected devices found here, and update the firmware as per the manufacturer’s instructions.

Owners whose devices reached end-of-life can use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes, ESET concluded.

No security stack is complete without a great firewall

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.