Three high-impact UEFI security vulnerabilities have been discovered in multiple Lenovo consumer laptop models, allowing malicious actors to deploy and execute firmware implants on the afflicted devices.
According to ESET researcher Martin Smolár, the CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 vulnerabilities “affect firmware drivers originally supposed to be utilised solely during the production process of Lenovo consumer notebooks.”
“Unfortunately, these were included in the production BIOS images without being properly deactivated,” Smolár continued.
If the holes are successfully exploited, an attacker may be able to disable SPI flash safeguards or Secure Boot, effectively allowing the adversary to install persistent malware that can survive system reboots.
CVE-2021-3970, on the other hand, is a memory corruption bug in the firmware's System Management Mode (SMM) that lets malicious code run with the highest privileges.
On October 11, 2021, the three issues were reported to the PC manufacturer, and patches were released on April 12, 2022. Lenovo's descriptions of the three problems are summarised below:
CVE-2021-3970 – Insufficient validation in the LenovoVariable SMI Handler in some Lenovo Notebook models might allow an attacker with local access and elevated privileges to execute arbitrary code.
CVE-2021-3971 – A potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was accidentally included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by changing an NVRAM variable.
CVE-2021-3972 – A possible vulnerability in a driver used during the manufacturing process on select consumer Lenovo Notebook devices that was accidentally left turned on could allow an attacker with elevated access to manipulate secure boot settings by manipulating an NVRAM variable.
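Both CVE-2021-3971 and CVE-2021-3972 turn on an NVRAM variable being flipped from under the operating system, so the first thing a defender wants is a way to read back the firmware's reported Secure Boot state from the OS. The following Python check is an added example, not code from ESET or Lenovo: it parses the efivarfs blobs Linux exposes under /sys/firmware/efi/efivars (a 4-byte attribute mask followed by the variable data), reports whether SecureBoot is on and SetupMode is off, and flags attribute values the UEFI specification does not allow for these two variables. The variable names, GUID and attribute bits come from the UEFI specification; the sample blobs are constructed.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID (UEFI spec)
NON_VOLATILE, BOOTSERVICE_ACCESS, RUNTIME_ACCESS = 0x1, 0x2, 0x4

def parse_efivar(blob: bytes) -> tuple[int, bytes]:
    """efivarfs exposes a variable as a 4-byte little-endian attribute mask
    followed by the raw variable data; split the two."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]

def secure_boot_status(variables: dict[str, bytes]) -> dict:
    """Classify Secure Boot posture from SecureBoot/SetupMode efivarfs blobs.
    Signatures are enforced only when SecureBoot == 1 and SetupMode == 0; both are
    spec-defined as volatile BS|RT variables, so any other attributes are anomalous."""
    report = {"anomalies": []}
    for name in ("SecureBoot", "SetupMode"):
        if name not in variables:
            report["anomalies"].append(f"{name} missing")
            report[name] = None
            continue
        attrs, data = parse_efivar(variables[name])
        if len(data) != 1:
            report["anomalies"].append(f"{name} has {len(data)} data bytes, expected 1")
        if attrs & NON_VOLATILE or not (attrs & BOOTSERVICE_ACCESS and attrs & RUNTIME_ACCESS):
            report["anomalies"].append(f"{name} attributes 0x{attrs:x} are not BS|RT")
        report[name] = data[0] if data else None
    report["enforcing"] = report["SecureBoot"] == 1 and report["SetupMode"] == 0
    return report

def read_efivars() -> dict[str, bytes]:
    # Load the two variables from sysfs on a UEFI Linux host; empty dict elsewhere.
    found = {}
    for name in ("SecureBoot", "SetupMode"):
        path = EFIVARS / f"{name}-{EFI_GLOBAL}"
        if path.exists():
            found[name] = path.read_bytes()
    return found

# Constructed sample blobs (not captured from a real machine); 0x06 = BS|RT attributes.
SAMPLE_ENFORCING = {"SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_DISABLED = {"SecureBoot": b"\x06\x00\x00\x00\x00", "SetupMode": b"\x06\x00\x00\x00\x01"}

if __name__ == "__main__":
    print(secure_boot_status(read_efivars() or SAMPLE_ENFORCING))
```

An `enforcing: False` result on a machine that is supposed to be locked down is a reason to compare the installed BIOS against Lenovo's April 2022 fixes; an `enforcing: True` result is only as trustworthy as the firmware reporting it, since an implant running below the OS can misreport these values.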
The flaws, which affect Lenovo Flex, IdeaPad, Legion, V14, V15, V17 and Yoga laptops, come on the heels of the discovery of up to 50 firmware flaws in Insyde Software's InsydeH2O, HP and Dell UEFI firmware since the beginning of the year.
“UEFI threats can be quite sneaky and destructive,” added Smolár. “Because they are run early in the boot process, before handing control to the operating system, they can get around practically all security protections and mitigations higher in the stack that may prevent their OS payloads from being executed.”