Lenovo has released security updates addressing vulnerabilities related to Unified Extensible Firmware Interface (UEFI) firmware drivers in its products.
While the three vulnerabilities affect more than one hundred Lenovo laptop models, Lenovo rates their severity as medium, and exploiting them requires an attacker who already holds elevated privileges on the machine. Researchers with ESET first reported the flaws to Lenovo in October 2021, and the updates were released this week.
“UEFI threats can be extremely stealthy and dangerous,” said ESET researchers on Tuesday, while urging Lenovo customers to update their firmware. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.”
Two of the vulnerabilities affect UEFI firmware drivers that were originally meant to be used only during the manufacturing process of Lenovo notebooks. UEFI, the firmware stored on a chip in modern devices, links the hardware to the operating system at boot. Researchers said these drivers were accidentally included in the production BIOS images without being properly deactivated. Attackers with existing elevated privileges could use them to disable security measures such as SPI flash protections (CVE-2021-3971) or UEFI Secure Boot (CVE-2021-3972), the feature that ensures only verified third-party firmware code can run in the Original Equipment Manufacturer (OEM) firmware environment. This could allow them to deploy various UEFI-level implants, the researchers said.

The third flaw, CVE-2021-3970, is caused by improper input validation in a System Management Interrupt (SMI) handler function. If exploited by attackers with local access and elevated privileges, it could allow them to execute arbitrary code.
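One defender-side check that follows from the Secure Boot flaw, as an added example that is not code from the article, ESET or Lenovo: a short Python script that reads the SecureBoot and SetupMode variables through the Linux efivarfs interface (assumed mounted at /sys/firmware/efi/efivars, under the standard EFI global-variable GUID) and reports whether Secure Boot enforcement is actually on, so that an unexpected "disabled" on a fleet that should have it enabled can be flagged. The sample byte strings are constructed.

```python
import os
import struct

# Vendor GUID of the EFI global variables (SecureBoot, SetupMode live here).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"   # assumed efivarfs mount point


def parse_efivar(raw):
    """Split an efivarfs file image into (attributes, data).

    efivarfs prefixes the variable data with a 4-byte little-endian
    attributes word, so the payload of a one-byte variable is byte 4.
    """
    if raw is None or len(raw) < 4:
        return None, b""
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify Secure Boot: 'enabled', 'disabled', 'setup-mode', 'unavailable'.

    A host expected to enforce Secure Boot that reports anything but
    'enabled' deserves investigation; switching it off from a privileged
    context is the effect the article attributes to CVE-2021-3972.
    """
    _, sb = parse_efivar(secure_boot_raw)
    _, sm = parse_efivar(setup_mode_raw)
    if not sb:
        return "unavailable"   # legacy boot, or efivarfs not mounted
    if sm and sm[0] == 1:
        return "setup-mode"    # no Platform Key enrolled: enforcement off
    return "enabled" if sb[0] == 1 else "disabled"


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE_GUID, base=EFIVARS_DIR):
    """Return the raw efivarfs image of a variable, or None if absent."""
    try:
        with open(os.path.join(base, f"{name}-{guid}"), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def check_host():
    """Live check of this machine; returns the classification string."""
    return secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode"))


# Constructed samples: attributes 0x06 (BS|RT), then the one-byte value.
SAMPLE_ENABLED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    print("sample enabled :", secure_boot_state(*SAMPLE_ENABLED))
    print("sample disabled:", secure_boot_state(*SAMPLE_DISABLED))
    print("this host      :", check_host())
```

On Windows the equivalent signal is the `UEFISecureBootEnabled` value under the `SecureBoot\State` registry key, readable with `Confirm-SecureBootUEFI` in PowerShell.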
“This vulnerability can be exploited from a privileged kernel-mode process by triggering the software SMI interrupt and passing a physical address of a specially crafted buffer as a parameter to the vulnerable SW SMI handler,” said ESET researchers.
UEFI implants have gained traction over the past few years and are difficult to detect and remove. Previously uncovered implants such as the FinSpy surveillance toolset and the ESPecter bootkit have used the EFI System Partition (ESP), a partition on the computer's hard drive or SSD that holds UEFI boot components, while others such as MoonBounce have used the Serial Peripheral Interface (SPI) flash, the chip on the motherboard, separate from the hard drive, that stores the firmware itself.
“Even though vulnerabilities aren’t the only option for turning off or bypassing firmware security mitigations, there are many such vulnerabilities and due to the number of different firmware implementations and their complexity, many more are likely just waiting to be discovered,” said ESET researchers.