Lenovo resolves UEFI firmware issues that could turn off secure boot
The vulnerabilities were introduced when Lenovo inadvertently included an early development driver in the commercial versions of their software
Lenovo has released fixes for high-severity BIOS vulnerabilities affecting the UEFI firmware of several Lenovo notebooks. The flaws could enable an attacker to disable the secure boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device.
There are a total of 25 different notebook models that are vulnerable, including various ThinkBook, IdeaPad and Yoga laptop models.
The security flaws were uncovered by researchers at ESET Research Labs, who found that by altering an NVRAM variable, they could modify the secure boot settings.
The Unified Extensible Firmware Interface (UEFI) is important software that resides inside a flash memory chip, soldered to a computer's motherboard. It is the first software to execute when a system boots up, allowing it to access and control all hardware components as well as various parts of the machine's operating system.
The UEFI Secure Boot process ensures that only trusted components and software are loaded.
Because UEFI lives inside a memory chip, malware injected into it can survive reboots, formats and OS reinstalls, enabling threat actors to maintain their presence on compromised systems.
The now-fixed Lenovo UEFI vulnerabilities were introduced when the company inadvertently included an early development driver in the commercial versions of their software.
This driver had the ability to modify the secure boot settings from the OS. This means the vulnerabilities were not the result of a flaw in the code but of an operational error: a driver that should not have shipped was included on production devices.
"The affected drivers were meant to be used only during the manufacturing process but were mistakenly included in the production," explains the Twitter thread by ESET.
The first issue fixed by Lenovo, indexed as CVE-2022-3430, exists in the WMI Setup driver on some consumer Lenovo notebook devices. It could enable an attacker with elevated privileges to alter the secure boot setting by modifying an NVRAM variable.
The second flaw that has been patched is CVE-2022-3431, which could enable an attacker with elevated access to change the secure boot configuration.
There is also a third issue of a similar sort that affects only the IdeaPad Y700-14ISK and is tracked as CVE-2022-3432. Lenovo said it would not patch this flaw since the vulnerable product has reached its end of life.
It is strongly recommended that users of any of the susceptible models apply fixes as soon as possible to protect their devices from attacks by malicious actors.
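To confirm after patching that Secure Boot is still enforced, a defender on Linux can read the standard UEFI `SecureBoot` and `SetupMode` variables through efivarfs. The script below is an added example, not code from Lenovo or ESET; it checks the standard UEFI global variables rather than the Lenovo-specific NVRAM variable, which the article does not name, and the sample entries are constructed.

```python
from __future__ import annotations

import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE vendor GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable data with a 4-byte little-endian
    attribute mask.
    """
    if len(raw) < 5:
        raise ValueError("efivarfs entry too short")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def read_from_sysfs(name: str) -> bytes | None:
    """Read a global UEFI variable; None if absent or unreadable."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None


def secure_boot_state(read_var=read_from_sysfs) -> str:
    """Return 'enforcing', 'setup-mode', 'disabled' or 'unknown'."""
    values = {}
    for name in ("SecureBoot", "SetupMode"):
        raw = read_var(name)
        if raw is None:
            return "unknown"  # legacy boot, or efivarfs not mounted
        try:
            values[name] = parse_efivar(raw)[1][0]
        except ValueError:
            return "unknown"  # truncated entry
    if values["SetupMode"] == 1:
        return "setup-mode"  # no Platform Key enrolled, nothing enforced
    return "enforcing" if values["SecureBoot"] == 1 else "disabled"


# Constructed sample entries (attributes 0x06 = boot-service + runtime access).
SAMPLE_ENFORCING = {"SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_DISABLED = {"SecureBoot": b"\x06\x00\x00\x00\x00", "SetupMode": b"\x06\x00\x00\x00\x00"}

if __name__ == "__main__":
    print("live system:", secure_boot_state())
    print("constructed sample:", secure_boot_state(SAMPLE_DISABLED.get))
```

Any result other than `enforcing` on a device that is expected to have Secure Boot enabled is worth investigating alongside the installed firmware version.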