'ThinkPwn' UEFI bug discovered on a wide range of notebooks

A vulnerability relating to specific UEFI drivers has been discovered by Dmytro Oleksiuk (aka Cr4sh) and has been dubbed 'ThinkPwn' since the bug was first discovered on a Lenovo ThinkPad system. The bug, however, is not limited to Lenovo systems as it relates to a more generic Intel firmware that can also be found on certain systems from Dell, HP, Fujitsu, and Gigabyte. Additional manufacturers have not yet been ruled out, either.

Note that the UEFI bug requires physical access to the individual system to exploit, so users are still safe from outside attackers. Of the listed manufacturers, the following models have been proven to be vulnerable to the 'ThinkPwn' bug:

• HP Pavillion DV7 4087CL (2010)
• Fujitsu Lifebook A574/H (2013)
• Dell Latitude E6430 (2012)
• Gigabyte Mainboards from Ivy Bridge up to Broadwell (Models: Z68-UD3H, Z77X-UD5H, Z87MX-D3H, Z97-D3H)

Perhaps more alarmingly is that these systems are quite old dating back to as early as 2010, so the extent of the bug can be very wide. So far, most of these manufacturers have not publicly acknowledged the vulnerability including Intel.

Lenovo is the exception as the company has provided a list of known affected models. Accordingly, ThinkPad notebooks running on the Skylake platform are not affected by the vulnerability while older Ivy Bridge models (X230, T430, etc.) up to Broadwell models (X250, T450s, etc.) are all affected. Numerous Ideapad systems are also affected and any potential BIOS updates to patch the security flaw has not yet been released.

Source(s)