Lenovo has published a security advisory regarding vulnerabilities in the Unified Extensible Firmware Interface (UEFI) in at least 100 laptop models. A firmware update fixes the problem.
Millions of laptops – some 100 different models – from Lenovo are at risk if they are not quickly updated with new UEFI firmware. Researchers from security company ESET discovered three serious security vulnerabilities in Lenovo laptops in October last year, more specifically in the UEFI firmware: the successor to the still better-known BIOS, and the piece of firmware that manages all the hardware in a computer and, first of all, ensures that your computer can start up at all.
The vulnerabilities would allow attackers to install and run dangerous UEFI malware such as LoJax and ESPecter. UEFI threats can be very stealthy and dangerous because they run early in the boot process, before control is handed over to the operating system, such as Windows.
The bugs (CVE-2021-3970, CVE-2021-3971 and CVE-2021-3972, ed.) are found in the UEFI firmware of about 100 consumer laptop models, such as the IdeaPad 3 series or certain models from the Yoga Slim 7 and 9 and Legion 5 Pro series. Altogether, according to ESET, this involves millions of devices.
The security company informed Lenovo immediately after discovering the problems. The good news is that the necessary firmware updates are now available. The less good news is that probably not everyone is in a hurry to install updates on a system that is running smoothly. Lenovo's advisory lists all affected laptops and links to where the firmware updates can be downloaded. Lenovo and ESET recommend updating the system firmware to the latest available version.
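The practical follow-up to that recommendation is an inventory check: which machines in a fleet still run firmware older than the version that carries the fix? The script below is an added example, not Lenovo's or ESET's tooling. It assumes Lenovo firmware version strings follow the pattern "family prefix + build number + suffix" (e.g. GKCN54WW); the model names, version strings and the minimum-version map are constructed placeholders that you would replace with the values from Lenovo's advisory.

```python
"""Flag Lenovo laptops whose UEFI firmware is older than the fixed build.

Added illustration; not vendor code. MIN_FIXED_VERSION holds constructed
placeholder values, NOT the real fixed versions from the advisory.
"""
import os
import re

# Constructed placeholder table: model -> minimum firmware version that
# contains the fix. Transcribe the real values from Lenovo's advisory.
MIN_FIXED_VERSION = {
    "IdeaPad 3 15ITL6": "FFCN33WW",       # placeholder
    "Legion 5 Pro 16ACH6H": "GKCN54WW",   # placeholder
}

# Assumed version layout: alphanumeric family prefix, build number, suffix.
_VER_RE = re.compile(r"^([A-Z0-9]*?)(\d+)([A-Z]*)$")


def parse_version(ver):
    """Split 'GKCN54WW' into ('GKCN', 54, 'WW'); ValueError if unparseable."""
    m = _VER_RE.match(ver.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    prefix, num, suffix = m.groups()
    return prefix, int(num), suffix


def check_host(model, installed):
    """Return 'ok', 'outdated' or 'unknown' for one machine.

    'unknown' covers models absent from the table and firmware strings
    from a different family than the fixed build, because comparing
    build numbers across families is meaningless; such hosts need a
    manual look rather than a silent pass.
    """
    minimum = MIN_FIXED_VERSION.get(model)
    if minimum is None:
        return "unknown"
    try:
        have_prefix, have_num, _ = parse_version(installed)
        want_prefix, want_num, _ = parse_version(minimum)
    except ValueError:
        return "unknown"
    if have_prefix != want_prefix:
        return "unknown"
    return "ok" if have_num >= want_num else "outdated"


def check_fleet(rows):
    """rows: iterable of (hostname, model, installed_version).

    Returns a dict hostname -> status so the caller can act on 'outdated'
    and triage 'unknown'.
    """
    return {host: check_host(model, ver) for host, model, ver in rows}


def local_firmware():
    """Read model and firmware version from Linux sysfs DMI, if present.

    Returns (model, version) or None when not on Linux / not readable.
    """
    base = "/sys/class/dmi/id"
    try:
        with open(os.path.join(base, "product_version")) as f:
            model = f.read().strip()
        with open(os.path.join(base, "bios_version")) as f:
            version = f.read().strip()
    except OSError:
        return None
    return model, version


if __name__ == "__main__":
    # Constructed sample inventory (hostnames, models and versions made up).
    sample = [
        ("lt-001", "IdeaPad 3 15ITL6", "FFCN31WW"),
        ("lt-002", "IdeaPad 3 15ITL6", "FFCN33WW"),
        ("lt-003", "Legion 5 Pro 16ACH6H", "GKCN55WW"),
        ("lt-004", "Yoga Slim 9 14ITL5", "EHCN22WW"),
    ]
    for host, status in check_fleet(sample).items():
        print(f"{host}: {status}")
    here = local_firmware()
    if here:
        print("this machine:", here, "->", check_host(*here))
```

Hosts reported as "outdated" are the ones to schedule for the firmware update; "unknown" hosts are models missing from your transcribed table or firmware strings that do not match the expected family, and deserve a manual check rather than being assumed safe.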
Two of the three security vulnerabilities were caused by two UEFI drivers – SecureBackDoor and SecureBackDoorPeim – that were meant to be used only during the manufacturing process. The bottom line is that these loopholes were unintentionally left open after production. As a result, malicious ‘implants’ can be added to the UEFI firmware through them. That is potentially very dangerous, because such implants are loaded before the operating system boots. ESET has discovered two such implants in the past.
In 2018, it stumbled upon LoJax: a rootkit deployed by Russian-sponsored organizations such as APT28, Fancy Bear, Strontium and Sednit. Last year, ESET also discovered ESPecter, which turned out to be a bootkit that had been in use on BIOS systems since 2012. In the past two years, ESET competitor Kaspersky has also found several UEFI threats, such as MosaicRegressor (2020), FinSpy (2021) and MoonBounce early this year.