Lenovo says it has fixed two major security vulnerabilities plaguing many of its ThinkBook, IdeaPad, and Yoga laptops, and is now urging users to apply the fix as soon as possible.
Due to human error, the issues mean that a threat actor would potentially be able to deactivate the UEFI Secure Boot tool, letting them load and execute malicious code during the computer boot process (before the OS is brought up).
Having malware loaded before the OS renders most antivirus solutions useless, and makes the malware resilient even to OS reinstalls.
Mistake, not a bug
Researchers from ESET found Lenovo included an early development driver by mistake, which carried these flaws and made the attacks possible – so this isn’t exactly a bug in the code, but rather a man-made mistake.
“The affected drivers were meant to be used only during the manufacturing process but were mistakenly included in the production,” ESET explained in a Twitter thread (opens in new tab).
To exploit the flaws, threat actors would need to build a special NVRAM variable, further reinforcing ESET’s conclusion that UEFI firmware devs shouldn’t use NVRAM as trusted storage.
The two vulnerabilities in question are tracked as CVE-2022-3430 and CVE-2022-3431. The media also mentioned a third similar vulnerability, tracked as CVE-2022-3432, but this one affects only one Lenovo model – the Ideapad Y700-14ISK. Given that this device has already reached its end-of-life, Lenovo said it would not be issuing a fix.
Those who believe to be vulnerable to the abovementioned flaws should go to Lenovo’s security bulletin and see if their model is on the list. The versions of the firmware that fix these flaws are listed under the CVE IDs.
This is not the first time Lenovo users have had to update their firmware to protect against boot hijacks.
In July 2021, three serious security vulnerabilities were discovered and patched, across a number of Lenovo laptops. Even then, ESET’s researchers uncovered the issue in the ReadyBootDxe driver used by some Lenovo notebooks, as well as two buffer overflow issues found in the SystemLoadDefaultDxe driver, potentially allowing threat actors to hijack the startup routine of Windows installations.
The Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540, and S940 Lenovo lines were all affected, counting more than 70 endpoint models.
The vulnerabilities were tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892.
Via: BleepingComputer (opens in new tab)