Technology News
  • Home
  • Laptops
  • Laptops News
  • Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Several models across the company’s IdeaPad, Legion, and Yoga portfolios are vulnerable to the flaws.

By David Delima | Updated: 20 April 2022 18:38 IST
Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches

Photo Credit: Unsplash/ Buhai Alexandru Constantin

The Lenovo security vulnerabilities were responsibly disclosed to the company in October 2021

Highlights
  • Lenovo issued a security advisory for the flaws on April 18
  • Affected Lenovo customers can download and install updated firmware
  • Lenovo laptops that are currently out of support will not be fixed
Advertisement

Lenovo has issued a security advisory related to three security vulnerabilities found on several laptops. The flaws affect over 100 Lenovo laptop models, across the company's IdeaPad, Legion, and Yoga portfolios. Using the vulnerabilities, an attacker might be able to disable the Unified Extensible Firmware Interface (UEFI) Secure Boot feature and execute arbitrary code on the laptop. The manufacturer has advised users with affected laptop models to update to the latest firmware for these devices from the official website, in order to stay protected.

Three vulnerabilities were discovered by ESET researchers and affect the UEFI Secure Boot feature, which is designed to verify and load trusted code when the laptop is booted. They were responsibly disclosed by the researchers to Lenovo in October 2021. The vulnerabilities were confirmed by the company in November and were assigned three CVEs (Common Vulnerabilities and Exposures) — CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, and a security advisory was published by the manufacturer on Monday.

According to ESET, which has published a detailed technical analysis of the security flaws, two of the vulnerabilities — CVE-2021-3971 (SecureBackDoor), and CVE-2021-3972 (ChgBootDxeHook), were introduced by the company after two UEFI firmware drivers were accidentally included in the firmware. These drivers are only used when manufacturing the laptop and can be exploited by attackers to turn off the UEFI Secure Boot feature and disable protection for the flash memory chip which stores the UEFI firmware. Security software and other solutions on the operating system will be unable to detect these threats as they execute early in the boot process — before the operating system is loaded.

In order to bypass all the security features offered by Secure Boot, UEFI threats like the ones discovered by ESET, disable the secure mechanisms designed to load trusted code. According to the researchers, all the UEFI threats discovered in the wild including LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy were able to bypass these mechanisms to execute their malicious code. Similar security flaws were also discovered in HP firmware, published by SentinelOne last month.

The researchers also found a third security flaw — or CVE-2021-3970 (LenovoVariableSmm), which could lead to arbitrary code execution in system management RAM (or SMRAM), with elevated privileges. In some cases, it can be used to activate the ChgBootDxeHook driver in order to disable UEFI Secure Boot feature, according to the researchers at ESET. All three security vulnerabilities discovered require the attacker to have local access to the device, but it is worth noting that Lenovo has assigned the flaws a “Medium” severity level in its advisory.

Over 100 consumer laptop models used by millions of users are affected by the security flaws, according to the researchers. Users who own devices that have active development support can download the latest firmware update for their laptop from Lenovo's Advisory website. However, several other affected devices won't be fixed as they have reached End of Development Support (EODS). However, these users can use a TPM-aware full-disk encryption to make disk data inaccessible if the UEFI Secure Boot configuration has been modified, according to the ESET researchers.

Asus India's Arnold Su joins this week's Orbital, the Gadgets 360 podcast, to talk about how the PC maker is planning to grow its presence in the country. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Lenovo, UEFI, UEFI Vulnerabilities, UEFI Secure Boot, Secure Boot
David Delima
David Delima
As a writer on technology with Gadgets 360, David Delima is interested in open-source technology, cybersecurity, consumer privacy, and loves to read and write about how the Internet works. David can be contacted via email at DavidD@ndtv.com, on Twitter at @DxDavey, and Mastodon at mstdn.social/@delima. More
Binance US Wins Money Transmitter Licence in Puerto Rico, Aims to Bag Permits Globally
Brave Browser Now Lets Users Bypass Google’s AMP Pages

Related Stories

Lenovo UEFI Security Flaws Affecting Over 100 Laptop Models Discovered, Company Issues Firmware Patches
Comment
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. OnePlus 11R Solar Red With 8GB RAM, 128GB Storage Debuts in India: See Price
  2. OTT Releases This Week: Rebel Moon Part 2, Article 370 and More
  3. Ray-Ban Meta Smart Glasses: Versatile and Practical
  4. Llama 3 Powered Meta AI Can Now Add Animation to Generated Images
  5. Meta Claims Its Newly Launched Llama 3 AI Outperforms Gemini 1.5 Pro
  6. Samsung Galaxy F15 5G Gets new 8GB RAM Variant in India: Price, Offers
#Latest Stories
  1. Xiaomi 14 Series 'AI Treasure Chest' With Several AI Tools in Testing, Could Debut This Year: Report
  2. Redmi Note 13 5G Series HyperOS Update Based on Android 14 Begins Rolling Out in India
  3. YouTube Reportedly Rolling Out Support for 8K Resolution Videos on the Meta Quest
  4. Lenovo Yoga Slim 7 (2024) Design Spotted in Leaked Renders; Could Debut as First Snapdragon X Elite Laptop
  5. Samsung Galaxy Z Flip 6 With Snapdragon 8 Gen 3 SoC for Galaxy Allegedly Surfaces on Geekbench
  6. Itel S24 India Launch Teased; Confirmed to Come With 108-Megapixel Main Camera, MediaTek Helio G91 SoC
  7. BWA Lays Down Self-Regulatory Guidelines on Token Listings for Indian Crypto Exchanges
  8. Samsung Galaxy F15 5G With 8GB RAM, 128GB Storage Launched in India: Price, Offers
  9. OnePlus 11R 5G Solar Red Variant With 8GB RAM, 128GB Storage Launched in India
  10. Adobe Express Mobile App With Firefly AI Is Now Available Globally
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »