Skip links

ESET uncovers vulnerabilities in Lenovo laptops

Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET.

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature.

“UEFI threats can be extremely stealthy and dangerous,” said ESET researcher Martin Smolár, who discovered the vulnerabilities. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed.”

For the devices affected by CVE-2021-3971 and CVE-2021-3972 (consumer Lenovo Notebook hardware, by the look of things), Lenovo’s advice is to grab an update for the firmware. Some updates, however, will not be available until May.

CVE-2021-3970, which ESET researchers uncovered while digging into the other vulnerabilities, is a memory corruption issue, which could lead to deployment of an SPI flash implant.

Lenovo’s advisory describes CVE-2021-3970 as a “potential vulnerability in Lenovo Variable SMI Handler due to insufficient validation in some Lenovo Notebook models [that] may allow an attacker with local access and elevated privileges to execute arbitrary code.”

Lenovo deemed the trio to be of “medium” severity. ESET noted that an attacker would require administrative privileges carry out their misdeeds.

SPI flash is a memory chip used for platform firmware code, such as UEFI firmware. It should be protected, but the vulnerability in the System Management Interrupt (SMI) handler could mean access to the highly privileged System Management Mode (SMM) of the processor, which has access to normally hardware-protected memory.

“All of the real-world UEFI threats discovered in the last few years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” said Smolár.

ESET flagged up LoJax in 2018, and detailed how the UEFI rootkit slithered onto Windows PCs in 2019. Victims were tricked into running some code that hijacked a vulnerable driver. That in turn was loaded by the UEFI firmware during startup and, hey presto, the rootkit was installed. Getting rid of it would require a reflash of the board’s SPI memory.

ESET reported the latest vulnerabilities to Lenovo in October last year, and says the list of affected devices numbers more than a hundred models with millions of users worldwide. According to ESET, Lenovo confirmed the vulnerabilities on November 17 2021, and the CVEs were assigned.

The recommendation remains to follow Lenovo’s instructions with regard to updating one’s firmware. For End Of Development Support (EODS) devices affected by the CVE-2021-3972, ESET suggested “using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes.”

The Register contacted Lenovo for comment beyond its advisory, but the company has yet to respond. ®