• Home
  • About
  • Contact us
Tech News, Magazine & Review WordPress Theme 2017
  • Computing
  • Entertainment
  • Gaming
  • Mobile
  • Science
  • Security
  • Services
  • Software
  • Space
No Result
View All Result
  • Computing
  • Entertainment
  • Gaming
  • Mobile
  • Science
  • Security
  • Services
  • Software
  • Space
Technovanguard — Be at the forefront of technology news
No Result
View All Result

Millions of Lenovo devices affected by BIOS vulnerability

Justin Rowell by Justin Rowell
29.09.2022
Home Software

Millions of Lenovo notebooks are affected by a serious BIOS vulnerability. Lenovo informed its customers about the vulnerability on its support website this week. The company released firmware updates for some of the affected devices already and plans to release the remaining updates in early May.

Lenovo reveals on the website that several of its notebook devices are affected by three different vulnerabilities — CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 — that could allow attackers with elevated privileges to execute arbitrary code or disable SPI flash protections during the operating system runtime.

ESET, the security company that discovered the vulnerabilities and reported them to Lenovo, discovered that two of the vulnerabilities affect UEFI firmware drivers that were meant only for use in the manufacturing process. It appears that Lenovo did not deactivate these properly in production devices.

Affected devices and firmware fixes

Lenovo bios update

The vulnerabilities affect several Lenovo device families, including Lenovo IdeaPad 3, Flex 3, L340, Legion 5 and 7, Legion Y540, S14, S145, S540, Slim 7 and 9, V14 and V15, and Yoga Slim 7 devices. The full list of affected devices is available on the Lenovo support website.

Lenovo released updated firmware versions for some of the affected products. For others, it aims to deliver firmware updates on May 10, 2022. Devices that have reached end of servicing won’t receive firmware updates.

Some devices are not affected by all three of the vulnerabilities, but most are affected by all three of the confirmed vulnerabilities. Updated firmware drivers are provided by Lenovo; customers need to click on the device’s support link on the Lenovo website to open the driver website.

There, they need to select BIOS/UEFI to display the available firmware updates to download the update. The support page, that lists the vulnerabilities, lists the firmware versions that contain the security fixes.

The updates can be installed directly from the Windows operating system by running the downloaded executable file. A readme file is available for each firmware file, that provides instructions on installing the update on the device.

Customers may also visit the main Lenovo support website to look up updates for their devices this way.

Analysis of the vulnerabilities in Lenovo notebooks

Security company ESET reported the vulnerabilities to Lenovo in October 2021. Lenovo confirmed the vulnerabilities in November 2021 and requested a postponing of the public disclosure date to April 2022. Lenovo published the security advisory on April 18 and ESET its findings and details a day later.

The vulnerability CVE-2021-3971 can be exploited to disable SPI protections on Lenovo devices. UEFI firmware is usually stored on the in an embedded flash memory chip on the computer’s motherboard. It is connected to the processor via the Serial Peripheral Interface (SPI).

The memory is independent of the operating system, which means that it remains even if the operating system is reinstalled or another system is installed. An administrator could erase a device’s hard drive, install another operating system, and the memory would not be changed by the procure. Since it is non-volatile, it is a high-level target for threat actors.

Malwares such as LOJAX, the first UEFI rootkit found in the wild, MosaicRegressor, or MoonBounce, targeted the memory in attacks.

Manufacturers created several security mechanisms to protect the SPI flash against unauthorized modifications. The primary line of defense is “provided by the special memory-mapped configuration registers exposed by the chipset itself – the BIOS Control Register and five Protected Range registers”.

CVE-2021-3971 may be exploited by creating the NVRAM variable. Successful exploitation disables SPI flash write protections. With the variable set, the platform’s firmware will skip the execution of code that is “responsible for the setting up BIOS Control Register and Protected Range register-based SPI flash protections”.

The attacked system allows SPI flash to be modified, even when executed from non-SMM code, resulting in attackers being able to write malicious code directly to the firmware storage. SMM, System Management Mode, is used for various tasks, including the secure updating of a device’s firmware or the execution of proprietary code by OEMs.

ESET notes that any Windows administrator, with the SE_SYSTEM_ENVIRONMENT_NAME privilege, may exploit the vulnerability using the “Windows API function SetFirmwareEnvironmentVariable”.

The vulnerability CVE-2021-3972 gives attackers control over several UEFI firmware settings. Among them are the UEFI Secure Boot state or the ability to restore factory settings. Attackers may exploit the security issue for various tasks, including the disabling of Secure Boot on the device.

Secure Boot is part of the UEFI specification. Its main purpose is to verify boot component integrity to ensure that components are allowed to be executed. Secure boot uses databases to determine the trusted components. Usually, third-party UEFI drivers, applications and OPROMS are being verified, while the drivers on the SPI flash “are implicitly considered trusted”.

The disabling of Secure Boot, and thus the disabling of its component verification process, allows any component, including those that are untrusted or malicious, to be loaded during boot. Resetting the UEFI firmware to factory defaults may have severe consequences as well, especially if it would lead to the loading of components with known security vulnerabilities.

An attacker needs to set a UEFI variable on unpatched Lenovo devices to exploit the vulnerability. A Windows administrator account with the SE_SYSTEM_ENVIRONMENT_NAME privilege is required to carry out the attack during runtime of the operating system.

The third vulnerability, CVE-2021-3970, was discovered by ESET during the company’s investigation of the two other vulnerabilities. The vulnerability allows arbitrary read and write operations from and into SMRAM; this may lead to the “execution of malicious code with SMM privileges” and potentially to the “deployment of an SPI flash implant”.

Closing Words

Lenovo published a security advisory, that describes the three vulnerabilities and the affected devices, and firmware updates for most affected devices. Customers are encouraged to update the device firmware immediately to protect the device against attacks targeting the vulnerabilities.

Some devices will receive the firmware update on May 10, 2022. These remain vulnerable until at least that date. Customers may want to check the support page again on the date to download and install the update on their devices.

Several Lenovo devices won’t receive firmware updates. ESET recommends using a “TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes”.

Thank you for being a Ghacks reader. The post Millions of Lenovo devices affected by BIOS vulnerability appeared first on gHacks Technology News.


Next Post
Sleep apnea can make driving dangerous for older drivers

Sleep apnea can make driving dangerous for older drivers

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended.

Apple’s iPhone SE to launch in early March, report says

Apple’s iPhone SE to launch in early March, report says

29.09.2022
Days Gone 2 Would Have Focused on Deacon’s Marital Issues, Fixed Swimming and Stealth

Days Gone 2 Would Have Focused on Deacon’s Marital Issues, Fixed Swimming and Stealth

29.09.2022

Trending.

Travel Business and Content Marketing: A Match Made in Heaven

Travel Business and Content Marketing: A Match Made in Heaven

07.02.2023
Netflix’s vampire movie Day Shift adds real bite to a classic action throwback

Netflix’s vampire movie Day Shift adds real bite to a classic action throwback

06.01.2023
Staying Ahead of the Game: The Top 10 Most Popular Websites for IT and Modern Technology

Staying Ahead of the Game: The Top 10 Most Popular Websites for IT and Modern Technology

30.01.2023
The Role of Technology in Transforming Healthcare Advertising

The Role of Technology in Transforming Healthcare Advertising

03.01.2023
Xbox PC app for Insiders gets a redesigned sidebar with better navigation options

Xbox PC app for Insiders gets a redesigned sidebar with better navigation options

29.09.2022
Technovanguard — Be at the forefront of technology news

Technovanguard - The latest news from the world of IT and modern technologies.

Categories

  • Computing
  • Entertainment
  • Gaming
  • Internet
  • Mobile
  • Science
  • Security
  • Services
  • Software
  • Space
  • Без рубрики

Tags

best bitcoin casino best bitcoin gambling site best crypto casino bitcoin gambling site btc casino FEATUREDNEWS linkedin connection message linkedin connection request template linkedin connect message examples linkedin networking message template linkedin sales message top bitcoin casinos

Recent News

Talents on AI: Kyiv to Host Three-Day Hackathon Connecting Developers and Sponsors in May 2023

Talents on AI: Kyiv to Host Three-Day Hackathon Connecting Developers and Sponsors in May 2023

07.03.2023
Ukrainian NFT Collection Honors Heroes and Raises Funds for Naval Combat Drones

Ukrainian NFT Collection Honors Heroes and Raises Funds for Naval Combat Drones

17.02.2023
  • Home
  • About
  • Contact us

© 2021 technovanguard.com. Submit news release

No Result
View All Result
  • Computing
  • Entertainment
  • Gaming
  • Mobile
  • Science
  • Security
  • Services
  • Software
  • Space

© 2021 technovanguard.com. Submit news release