ESET, a Slovakian internet security company, has discovered three vulnerabilities in various Lenovo laptop models that could allow attackers to launch UEFI malware on affected computers. According to a report from CRN, Lenovo has patched the vulnerabilities, which had made its laptops potential targets for malware attacks. ESET's report said that more than 100 different Lenovo laptop models, with millions of users worldwide, are affected.
UEFI malware can be extremely stealthy and dangerous, ESET said in its report. It says that this kind of malware can bypass almost all security measures and could prevent Lenovo users from executing operating system payloads. “All of the real-world UEFI threats discovered in the last years needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” said Martin Smolár, the security researcher who discovered the vulnerability.
“The first two of these vulnerabilities – CVE-2021-3970, CVE-2021-3971 – are perhaps more accurately called ‘secure’ backdoors built into the UEFI firmware as that is literally the name given to the Lenovo UEFI drivers implementing one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime,” a release from ESET said.
The third vulnerability, an SMM memory corruption, allows arbitrary reads from and writes into SMRAM, which can lead to the execution of malicious code. SMM (System Management Mode) is a highly privileged execution mode of x86 processors. Its code is written within the context of the system firmware and is usually used for various tasks, including advanced power management, execution of OEM proprietary code, and secure firmware updates.
ESET reported the discovered vulnerabilities to Lenovo in October 2021 and the PC maker has software updates available to address the issues. Lenovo also published a list of firmware updates to address the vulnerabilities in March this year.