Lenovo has released fixes for a trio of vulnerabilities in the UEFI firmware used in many of its laptops that could allow an attacker to disable the secure boot process and run unsigned UEFI apps, or to restore the device to the factory default database and load known-vulnerable bootloaders.
The vulnerabilities affect a long list of Lenovo notebooks, and the company has released updates for all of the still-supported devices that are affected. One of the flaws (CVE-2022-3432) only affects the Lenovo IdeaPad Y700-14ISK, which is no longer supported and won’t be updated. But the other two bugs (CVE-2022-3430 and CVE-2022-3431) affect many other IdeaPad, ThinkBook, Yoga, and Slim 7 models.
Researchers at ESET Research Labs discovered the vulnerabilities in the Lenovo Notebook BIOS and found that by modifying an NVRAM variable they could change the secure boot settings. Secure boot is the startup mechanism that ensures only trusted components and software are loaded; it is designed to prevent malicious or modified firmware and other components from being loaded.
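As an added example (not code from ESET, Lenovo or the original article), the Python script below reads the same class of NVRAM variables through Linux efivarfs and reports whether secure boot is enforced, whether the platform is in setup mode, and what the signature database db contains, so a defender can confirm a patched machine's boot policy. The variable names and GUIDs are those of the UEFI specification; the sample bytes used when efivarfs is absent are constructed.

```python
import struct
import uuid
from pathlib import Path

# efivarfs exposes each UEFI variable as <Name>-<VendorGUID>, data prefixed by a 4-byte attribute word.
EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e0980e8f8c"     # EFI_GLOBAL_VARIABLE (SecureBoot, SetupMode)
IMAGE_SEC_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # EFI_IMAGE_SECURITY_DATABASE_GUID (db, dbx)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def var_data(raw: bytes) -> bytes:
    """Drop the 4-byte attribute word efivarfs prepends to every variable."""
    return raw[4:]
def parse_signature_lists(data: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST chain in db/dbx; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: SignatureOwner GUID + SignatureData
            entries.append((sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries
def assess(secure_boot_raw: bytes, setup_mode_raw: bytes, db_raw: bytes) -> dict:
    """Summarise boot policy: SecureBoot==0 or SetupMode==1 means unsigned UEFI apps can load."""
    entries = parse_signature_lists(var_data(db_raw))
    return {
        "secure_boot": var_data(secure_boot_raw) == b"\x01",
        "setup_mode": var_data(setup_mode_raw) == b"\x01",
        "db_x509_certs": sum(1 for t, _, _ in entries if t == EFI_CERT_X509_GUID),
        "db_sha256_hashes": sum(1 for t, _, _ in entries if t == EFI_CERT_SHA256_GUID),
    }
def build_sha256_list(hashes: list) -> bytes:
    """Constructed test data: one EFI_SIGNATURE_LIST of SHA-256 entries (not from a real device)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body
ATTRS = b"\x07\x00\x00\x00"  # NV | BS | RT attribute word, as efivarfs presents it

if __name__ == "__main__":
    if EFIVARS.is_dir():  # live check on a Linux host booted via UEFI
        read = lambda n, g: (EFIVARS / f"{n}-{g}").read_bytes()
        print(assess(read("SecureBoot", GLOBAL_GUID), read("SetupMode", GLOBAL_GUID), read("db", IMAGE_SEC_GUID)))
    else:  # constructed input: secure boot on, not in setup mode, db holding two hashes
        print(assess(ATTRS + b"\x01", ATTRS + b"\x00", ATTRS + build_sha256_list([b"\xaa" * 32, b"\xbb" * 32])))
```

A result with `secure_boot` false or `setup_mode` true after a firmware update is worth investigating, since either state lets unsigned UEFI binaries load.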
The bugs that the ESET researchers found are located in drivers that were meant to be used only during the manufacturing process and were mistakenly included in the firmware loaded on the products.
“A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable,” the Lenovo advisory for CVE-2022-3431 says.
CVE-2022-3432 is virtually identical, but is in a different driver.
Lenovo has released updates for the affected products and is encouraging users of those models to update their devices as soon as possible.