Millions of Laptop Computers Affected by Lenovo UEFI Firmware Flaws
Table of Contents
- By Steven
- Published: Apr 20, 2022
- Last Updated: Apr 20, 2022
Vulnerabilities in Unified Extensible Firmware Interface (UEFI) firmware have put Lenovo laptop computers at risk. A total of three UEFI security flaws have been identified in Lenovo laptops sold to consumers.
Why Are the Firmware Flaws a Problem?
The security flaws empower harmful actors to implement and activate firmware implants in targeted devices. The firmware flaws have the identifiers of CVE-2021-3972, CVE-2021-3972, and CVE-2021-3970. Two of the firmware flaws compromise firmware drivers intended to be used during the Lenovo laptops’ manufacturing processes. The details about the firmware vulnerabilities were provided by Martin Smolar, a digital security specialist with the ESET. Smolar’s report pertaining to the Lenovo firmware flaws was released earlier this week.
According to Smolar, the firmware drivers in question were errantly included within production BIOS images and not deactivated as they should have been. If the digital security flaws are successfully exploited, they could potentially allow a digital miscreant to disable the Secure Boot function and/or protections for SPI flash, providing the hacker with the power to add lasting malware that sticks even amidst system reboots.
UEFI threats are problematic as they are executed during the booting of the computer prior to transferring control to the computer’s underlying operating system. In other words, UEFI threats can metaphorically sidestep digital security protections that are meant to halt OS payload execution.
Are There any Differences Between the Firmware Flaws?
Yes. The CVE-2021-3970 firmware flaw is different from the other two vulnerabilities as it pertains to an instance of memory corruption within the firm’s SMM, short for System Management Mode, spurring the transmission of harmful code with elevated privileges.
Lenovo’s security team has provided additional details about each of the three firmware flaws. Lenovo’s team describes CVE-2021-3970 as a weakness within the Variable SMI Handler resulting from the lack of validation within Lenovo Notebooks that might empower digital hackers to execute an arbitrary code through their local access and heightened privileges.
The Lenovo security team also provided details about CVE-2021-3972, stating it is a vulnerability exploited with the use of a driver in the manufacturing process of specific laptops. This flaw was not properly deactivated, setting the stage for a digital criminal with heightened privileges to alter the secure boot by changing the variable referred to as NVRAM.
Lenovo’s digital security specialists also expounded on CVE-2021-3971, stating it is a driver flaw in comparable older manufacturing processes on Lenovo laptops that errantly contained the BIOS image, permitting hackers with the proper privileges to alter the region of firmware protection by way of the aforementioned NVRAM.
When Were the Firmware Flaws Identified?
The three firmware vulnerabilities were initially publicized in mid-October of 2021.
How Did Lenovo Respond to the Reported Firmware Vulnerabilities?
Lenovo’s security specialists responded to the reported firmware flaws by issuing patches in the second week of April 2022. In other words, it took Lenovo more than six months to provide the proper patching necessary to overcome the security flaws.
Which Specific Laptops are Affected?
The affected Lenovo laptop models include Yoga, V17, V15, V14, Legion, IdeaPads, and Lenovo Flex. However, those who use other laptops made by Dell, HP, Insyde, UEFI, and INsydeH2O should also be aware that those computer specialists also revealed firmware vulnerabilities earlier this year.