The IT security specialist Eset warns of security vulnerabilities in notebooks from the manufacturer Lenovo. Owners of affected devices are advised to update their firmware immediately. […]
Millions of Lenovo users should update the firmware of their devices as soon as possible. That is the urgent recommendation of the security vendor Eset, whose researchers report that they have discovered three serious vulnerabilities in the firmware of the laptops that give attackers a way onto the devices.
Through these flaws, highly dangerous UEFI malware such as LoJax or ESPecter could be planted on a system, the Eset specialists write in a blog post on WeLiveSecurity. The Unified Extensible Firmware Interface (UEFI) is the firmware of the motherboard. It is so attractive to cybercriminals because it runs before the operating system and initialises the hardware, so an implant there can read and manipulate the system below the level at which the operating system and its security software operate. Because UEFI starts before the operating system, malware placed there is persistent and hard to remove.
In total, the list of affected devices, which Eset also published in the blog post, comprises more than 100 different Lenovo models.
Install updates immediately or use TPM solution
Eset researchers advise all owners of Lenovo laptops to look at the list of affected devices and update their firmware according to the manufacturer’s instructions.
For devices that no longer receive manufacturer updates but are affected by the UEFI SecureBootBackdoor (CVE-2021-3972), the experts recommend a full disk encryption solution that binds the disk key to the Trusted Platform Module (TPM). The data on the hard disk then becomes inaccessible as soon as the UEFI Secure Boot configuration is changed, Eset writes.
“UEFI malware can go unnoticed for a long time and represents an immense threat potential,” warns Eset researcher Martin Smolár, who discovered the vulnerabilities. “The malicious programs are executed early in the boot process, before the operating system starts. This means that they bypass almost all security measures and restrictions at higher levels against malicious code,” he adds. “Our discovery of these UEFI backdoors shows that in some cases the deployment of these specific threats is not as difficult as expected. The greater number of UEFI threats found in recent years suggests that attackers are aware of this,” he continues.
“All UEFI threats discovered in recent years, such as LoJax, MosaicRegressor, MoonBounce, ESPecter or FinSpy, had to bypass or disable the security mechanisms in some way,” Smolár reports.
“Secure” backdoors deactivate the UEFI Secure Boot function
The first two of these vulnerabilities (CVE-2021-3971, CVE-2021-3972) are described by Eset as “secure” backdoors built into the UEFI firmware. The designation comes from the names Lenovo gave to the UEFI drivers that implement one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim.
These built-in backdoors can be activated from a privileged user-mode process while the operating system is running, by modifying a UEFI NVRAM variable. Once activated, they disable either the SPI flash protections (the BIOS control register bits and the protected range registers) or the UEFI Secure Boot function, Eset writes.
In addition, the investigation of the binaries of the “secure” backdoors revealed a third vulnerability (CVE-2021-3970): a memory corruption in an SMI handler that allows arbitrary read and write access to System Management RAM (SMRAM), which can lead to the execution of malicious code with the privileges of System Management Mode (SMM), the most privileged execution mode of the CPU.
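As an added example (not code from Eset, Lenovo or the original article), the following Python decodes the SPI flash protection registers named above and reports whether the BIOS region is still write-protected, which is the check a defender would run to see whether a SecureBackDoor-style bypass has taken effect. The bit layout of BIOS_CNTL and the PRx registers is the classic Intel PCH layout as decoded by chipsec, assumed here, and the register values are constructed sample readings rather than values from a real Lenovo device.

```python
from dataclasses import dataclass
from typing import List

# BIOS_CNTL bits (classic Intel PCH layout as used by chipsec; assumed here,
# verify against your platform datasheet).
BIOSWE = 1 << 0    # BIOS Write Enable: OS-level software may write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE traps into SMM via an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes are only honoured from SMM


@dataclass
class ProtectedRange:
    write_protected: bool
    read_protected: bool
    base: int    # first protected flash address
    limit: int   # last protected flash address


def decode_pr(reg: int) -> ProtectedRange:
    """Decode one PRx protected-range register.

    Assumed layout (classic PCH): bit 31 = write-protect enable, bits 28:16 =
    limit in 4 KiB pages, bit 15 = read-protect enable, bits 12:0 = base in
    4 KiB pages. Newer PCHs widen the page fields; adjust the masks if needed.
    """
    return ProtectedRange(
        write_protected=bool((reg >> 31) & 1),
        read_protected=bool((reg >> 15) & 1),
        base=(reg & 0x1FFF) << 12,
        limit=(((reg >> 16) & 0x1FFF) << 12) | 0xFFF,
    )


def bios_region_write_protected(bios_cntl: int, pr_regs: List[int],
                                bios_base: int, bios_limit: int) -> bool:
    """True if the BIOS region cannot be written by OS-level code.

    Mirrors the reasoning of chipsec's bios_wp module (assumption): either the
    SMM_BWP + BLE lock is in place with BIOSWE clear, or at least one
    write-protected PRx range covers the whole BIOS region.
    """
    if (bios_cntl & SMM_BWP) and (bios_cntl & BLE) and not (bios_cntl & BIOSWE):
        return True
    for raw in pr_regs:
        pr = decode_pr(raw)
        if pr.write_protected and pr.base <= bios_base and pr.limit >= bios_limit:
            return True
    return False


# Constructed sample readings for a 16 MiB flash whose BIOS region spans
# 0xA00000..0xFFFFFF (not taken from a real Lenovo device).
BIOS_BASE, BIOS_LIMIT = 0xA00000, 0xFFFFFF
HEALTHY = {"BIOS_CNTL": 0x22, "PR": [0x8FFF0A00]}         # SMM_BWP|BLE set, PR0 covers BIOS region
AFTER_BACKDOOR = {"BIOS_CNTL": 0x00, "PR": [0x0FFF0A00]}  # lock bits cleared, PR0 WPE cleared


def report(state: dict) -> str:
    """Human-readable verdict for one set of register readings."""
    ok = bios_region_write_protected(state["BIOS_CNTL"], state["PR"], BIOS_BASE, BIOS_LIMIT)
    return "PROTECTED" if ok else "WRITABLE from OS - investigate"


if __name__ == "__main__":
    print("healthy platform :", report(HEALTHY))
    print("after backdoor   :", report(AFTER_BACKDOOR))
```

On a live system the raw values come from a tool such as chipsec (`chipsec_main -m common.bios_wp`), which reads BIOS_CNTL and the PRx registers from the PCH; the point of the decoder is that a platform whose firmware looked locked at delivery can quietly become writable once the lock bits are cleared, and only re-reading the registers reveals that.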
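To make the TPM recommendation from the section above concrete, here is an added example (not code from Eset, Lenovo or the original article) that models how a TPM-bound full disk encryption key is sealed to the PCR 7 measurement of the Secure Boot state, and why switching Secure Boot off, as the SecureBootBackdoor allows, makes the TPM refuse to release the key. The measurement model, the certificate names, the TPM seed and the seal/unseal functions are simplified assumptions; a real firmware also measures PK, KEK, dbx and the loader's signing certificate into PCR 7, and a real TPM enforces the policy in hardware.

```python
import hashlib
from typing import Dict, List, Optional

# A fresh SHA-256 PCR bank starts at 32 zero bytes.
PCR_INIT = bytes(32)

# Stand-in for the secret the TPM never exposes (constructed; a real TPM keeps
# its wrapping key inside the chip).
TPM_SEED = b"constructed-tpm-internal-seed"


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend operation: PCR_new = SHA256(PCR_old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_secure_boot(secure_boot_enabled: bool, db_certs: List[bytes]) -> bytes:
    """Simplified model of the firmware's PCR 7 measurements during boot.

    Only the SecureBoot variable and the db allow-list are modelled (assumption);
    real firmware also extends PK, KEK, dbx and the certificate that verified
    the boot loader, so any of those changing moves PCR 7 as well.
    """
    pcr = PCR_INIT
    flag = b"\x01" if secure_boot_enabled else b"\x00"
    pcr = pcr_extend(pcr, b"EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot=" + flag)
    for cert in db_certs:
        pcr = pcr_extend(pcr, b"EV_EFI_VARIABLE_DRIVER_CONFIG:db=" + cert)
    return pcr


def seal(secret: bytes, expected_pcr7: bytes) -> Dict[str, bytes]:
    """Model of sealing a volume key to a PCR 7 policy.

    The key stream is derived from the TPM seed and the policy digest, so the
    ciphertext is only recoverable through unseal() with the matching PCR value.
    XOR keeps the model short; a real TPM uses an authenticated wrap.
    """
    assert len(secret) <= 32
    policy = hashlib.sha256(b"PolicyPCR7:" + expected_pcr7).digest()
    stream = hashlib.sha256(TPM_SEED + policy).digest()
    return {"policy": policy, "ct": bytes(a ^ b for a, b in zip(secret, stream))}


def unseal(blob: Dict[str, bytes], current_pcr7: bytes) -> Optional[bytes]:
    """Release the key only if the current PCR 7 satisfies the sealed policy."""
    policy = hashlib.sha256(b"PolicyPCR7:" + current_pcr7).digest()
    if policy != blob["policy"]:
        return None  # TPM: policy check failed, nothing is released
    stream = hashlib.sha256(TPM_SEED + policy).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed scenario: the volume key is sealed on a healthy boot with
# Secure Boot enabled and the expected db contents.
TRUSTED_DB = [b"constructed-OEM-cert", b"constructed-Microsoft-UEFI-CA"]
VOLUME_KEY = bytes(range(32))
SEALED = seal(VOLUME_KEY, measure_secure_boot(True, TRUSTED_DB))


def boot_and_unlock(secure_boot_enabled: bool, db_certs: List[bytes]) -> Optional[bytes]:
    """Simulate a boot in the given firmware state and try to unlock the disk."""
    return unseal(SEALED, measure_secure_boot(secure_boot_enabled, db_certs))


if __name__ == "__main__":
    print("normal boot          :", boot_and_unlock(True, TRUSTED_DB) == VOLUME_KEY)
    print("Secure Boot disabled :", boot_and_unlock(False, TRUSTED_DB))
    print("attacker cert in db  :", boot_and_unlock(True, TRUSTED_DB + [b"attacker-cert"]))
```

The last two calls return None: once the backdoor has flipped Secure Boot off, or an extra certificate has been enrolled in db, the PCR 7 value at boot no longer matches the sealed policy and the disk stays locked, which is the property Eset is relying on. On Windows the corresponding check is `manage-bde -protectors -get C:`, whose PCR validation profile should list PCR 7 for a Secure Boot bound BitLocker volume.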
*Jens Stark is an author at COM!professional.