• Home
  • Laptops
  • Laptops News
  • Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Several models across the company’s IdeaPad, Legion, and Yoga portfolios are vulnerable to the flaws.

Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Photo Credit: Unsplash/ Buhai Alexandru Constantin

The Lenovo security vulnerabilities were responsibly disclosed to the company in October 2021

  • Lenovo issued a security advisory for the flaws on April 18
  • Affected Lenovo customers can download and install updated firmware
  • Lenovo laptops that are currently out of support will not be fixed

Lenovo has issued a security advisory related to three security vulnerabilities found on several laptops. The flaws affect over 100 Lenovo laptop models, across the company's IdeaPad, Legion, and Yoga portfolios. Using the vulnerabilities, an attacker might be able to disable the Unified Extensible Firmware Interface (UEFI) Secure Boot feature and execute arbitrary code on the laptop. The manufacturer has advised users with affected laptop models to update to the latest firmware for these devices from the official website, in order to stay protected.

Three vulnerabilities were discovered by ESET researchers and affect the UEFI Secure Boot feature, which is designed to verify and load trusted code when the laptop is booted. They were responsibly disclosed by the researchers to Lenovo in October 2021. The vulnerabilities were confirmed by the company in November and were assigned three CVEs (Common Vulnerabilities and Exposures) — CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, and a security advisory was published by the manufacturer on Monday.

According to ESET, which has published a detailed technical analysis of the security flaws, two of the vulnerabilities — CVE-2021-3971 (SecureBackDoor), and CVE-2021-3972 (ChgBootDxeHook), were introduced by the company after two UEFI firmware drivers were accidentally included in the firmware. These drivers are only used when manufacturing the laptop and can be exploited by attackers to turn off the UEFI Secure Boot feature and disable protection for the flash memory chip which stores the UEFI firmware. Security software and other solutions on the operating system will be unable to detect these threats as they execute early in the boot process — before the operating system is loaded.

In order to bypass all the security features offered by Secure Boot, UEFI threats like the ones discovered by ESET, disable the secure mechanisms designed to load trusted code. According to the researchers, all the UEFI threats discovered in the wild including LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy were able to bypass these mechanisms to execute their malicious code. Similar security flaws were also discovered in HP firmware, published by SentinelOne last month.

The researchers also found a third security flaw — or CVE-2021-3970 (LenovoVariableSmm), which could lead to arbitrary code execution in system management RAM (or SMRAM), with elevated privileges. In some cases, it can be used to activate the ChgBootDxeHook driver in order to disable UEFI Secure Boot feature, according to the researchers at ESET. All three security vulnerabilities discovered require the attacker to have local access to the device, but it is worth noting that Lenovo has assigned the flaws a “Medium” severity level in its advisory.

Over 100 consumer laptop models used by millions of users are affected by the security flaws, according to the researchers. Users who own devices that have active development support can download the latest firmware update for their laptop from Lenovo's Advisory website. However, several other affected devices won't be fixed as they have reached End of Development Support (EODS). However, these users can use a TPM-aware full-disk encryption to make disk data inaccessible if the UEFI Secure Boot configuration has been modified, according to the ESET researchers.

Asus India's Arnold Su joins this week's Orbital, the Gadgets 360 podcast, to talk about how the PC maker is planning to grow its presence in the country. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

David Delima
As a writer on technology with Gadgets 360, David Delima is interested in open-source technology, cybersecurity, consumer privacy, and loves to read and write about how the Internet works. David can be contacted via email at DavidD@ndtv.com, on Twitter at @DxDavey, and Mastodon at mstdn.social/@delima. More
Binance US Wins Money Transmitter Licence in Puerto Rico, Aims to Bag Permits Globally
Brave Browser Now Lets Users Bypass Google’s AMP Pages
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News


Follow Us
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »