Cybersecurity experts from ESET have found three security flaws in hundreds of different Lenovo laptop (opens in new tab) models which could put millions of users at risk.
ESET said exploiting these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter.
In total, three vulnerabilities have been discovered, which are now tracked as CVE-2021-3970, CVE-2021-3971 (also known as SecureBackDoor and SecureBackDoorPreim), and CVE-3972 (SMM memory corruption inside the SW SMI handler function).
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
Bypassing security measures
The first two can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime. The third, ESET explains, can allow an attacker to execute malicious code with SMM privileges, potentially leading to the deployment of an SPI flash implant.
What makes them extremely dangerous, says ESET researcher Martin Smolár, is that they allow for the exploitation of UEFI threats that are executed early in the boot process, before transferring control to the operating system.
That means they can bypass “almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” he said.
> Billions of Windows and Linux devices at risk of hijacking (opens in new tab)
> This bootkit has been used to backdoor Windows devices for almost a decade (opens in new tab)
> Intel, Lenovo and more hit by major BIOS security flaws (opens in new tab)
This is not the first UEFI threat that’s been discovered. All of them, however (including LoJax, MosaicRegressor, MoonBounce, ESPecter, or FinSpy) need to bypass or disable the device’s security mechanisms in order to work.
The UEFI boot and runtime services are essential for the operation of any endpoint (opens in new tab), as drivers and applications need them to properly run.
ESET’s researchers are “strongly” advising all Lenovo laptop owners to go through the list of affected devices found here (opens in new tab), and update the firmware as per the manufacturer’s instructions.
Owners whose devices reached end-of-life can use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes, ESET concluded.
- No security stack is complete without a great firewall (opens in new tab)