Security researchers discover serious UEFI firmware vulnerabilities affecting millions of Lenovo laptops

A team of security researchers at ESET have unearthed a trio of vulnerabilities with Lenovo laptops. More than one hundred different models of laptop are affected, meaning that millions of owners are at risk.

Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) affect UEFI firmware drivers and are extremely worrying because of the potential implications of exploitation. CVE-2021-3970 is a slightly less serious memory corruption problem, but it remains concerning.

See also:

• Forget Windows 11, Microsoft is still pushing Windows 10 to more users
• Microsoft releases KB5012643 update for Windows 11 with loads of fixes and improvements
• Microsoft brings new power user options to the Windows 11 Task Manager

The security issues affect a wide range of Lenovo devices from, in the words of ESET, "affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05".

Lenovo has published a security advisory in which it describes the severity of the flaws as "medium". The company warns users:

The following vulnerabilities were reported in Lenovo Notebook BIOS.

CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.

CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Writing about its findings in a security alert, ESET says:

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities -- CVE-2021-3971, CVE-2021-3972 -- affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.

To understand how we were able to find these vulnerabilities, consider the firmware drivers affected by CVE‑2021-3971. These drivers immediately caught our attention by their very unfortunate (but surprisingly honest) names: SecureBackDoor and SecureBackDoorPeim. After some initial analysis, we discovered other Lenovo drivers sharing a few common characteristics with the SecureBackDoor drivers: ChgBootDxeHook and ChgBootSmm. As it turned out, their functionality was even more interesting and could be abused to disable UEFI Secure Boot (CVE-2021-3972).

In addition, while investigating above mentioned vulnerable drivers, we discovered the third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3970). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.

ESET's post is filled with detailed information about the nature of the vulnerabilities, but what is important is what happens next. With the issues having been reported to Lenovo back in October, patches are now available for some affected devices -- but not all of them. Check out the company's security post for links to the updates that have been produced so far.

Lenovo has issued a statement about the matter, saying:

Lenovo thanks ESET for bringing to our attention an issue in drivers used in the manufacturing of some consumer notebooks. The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected. Lenovo welcomes collaboration with BIOS researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards.

Image credit: monticello / depositphotos