Millions of Lenovo laptops are affected by new UEFI firmware flaws

 Lenovo consumer laptops are vulnerable to three serious UEFI security flaws, which could be exploited by cybercriminals to install and run malicious code on the systems they target.

According to ESET researcher Martin Smolár in an ESET report published today, the latter two "affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks."

Although they had been properly deactivated, they were mistakenly included in the production BIOS images, Smolár said.

Persistent malware that can withstand system reboots could be installed if an attacker successfully exploited the flaws to disable SPI flash protections or Secure Boot.

Memory corruption in the firm's System Management Mode (SMM) resulted in the execution of malicious code with the highest privileges, according to CVE-2021-3970.

Three vulnerabilities were discovered on October 11, 2021, and a patch was issued on April 12, 2022, by the PC manufacturer. Lenovo has provided a summary of the three flaws in the following section -

1. CVE-2021-3970 – A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
2. CVE-2021-3971 – A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
3. CVE-2021-3972 – A potential vulnerability by a driver used during the manufacturing process on some consumer Lenovo Notebook devices that were mistakenly not deactivated may allow an attacker with elevated privileges to modify the secure boot setting by modifying an NVRAM variable.

As many as 50 firmware vulnerabilities have been disclosed in Insyde Software's InsydeH2O, HP UEFI, and Dell since the start of this year, affecting Lenovo Flex, IdeaPads, Legion, V14, V15, and V17 series, and Yoga laptops.

Smolár warned that UEFI threats can be "extremely dangerous." In other words, because they are run before the operating system even gets a chance to take control, virtually all security and mitigation measure higher in the stack can be bypassed.