100+ Lenovo laptop models affected by UEFI BIOS vulnerabilities
Internet security company ESET recently identified a series of UEFI BIOS vulnerabilities that affect more than 100 Lenovo laptop models. By Lenovo’s estimation, more than 1 million devices are affected and need to receive a patch immediately, as advanced hackers could add hard-to-remove and even undetectable malicious firmware code.
These are the three vulnerabilities, each with Lenovo's short description:
- CVE-2021-3970 - a potential vulnerability with the LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
- CVE-2021-3971 - a potential vulnerability enabled by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
- CVE-2021-3972 - a potential vulnerability enabled by a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
Ars Technica explains that hackers can exploit this type of vulnerability to disable protections, including UEFI Secure Boot, BIOS Control Register bits, and Protected Range registers, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs. Although the attacks might only be triggered by “advanced hackers,” the SPI bypass alone is enough to elevate the threat severity to medium.
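The BIOS Control Register bits and Protected Range registers mentioned above are what a defender can audit to confirm SPI flash write protection is still in force. The following is an added example, not code from the article, ESET or Lenovo: it decodes those registers using the public Intel PCH bit layout (the same one CHIPSEC's bios_wp module reads) and compares two snapshots to flag protections that have been stripped; every register value in it is a constructed sample, not a reading from a Lenovo device.

```python
# Added example (not from the article, Lenovo or ESET): decode the Intel PCH SPI
# flash protections the article names, the BIOS Control (BC) register bits and
# the Protected Range (PR0-PR4) registers, and judge whether they still block a
# firmware write. Bit layouts follow the public Intel PCH datasheets; all
# register values here are constructed samples, not readings from real hardware.
BIOSWE = 1 << 0   # BIOS Write Enable: flash writes allowed while set
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE traps into SMM while set
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: only SMM may write while set

def bc_write_protected(bc: int) -> bool:
    """True if the BC register alone blocks runtime flash writes from the OS."""
    return bool(bc & SMM_BWP) and bool(bc & BLE) and not (bc & BIOSWE)

def decode_pr(pr: int) -> dict:
    """Split a PRx register into its 4 KiB-granular range and protection flags."""
    return {
        "base": (pr & 0x1FFF) << 12,                     # bits 12:0
        "limit": (((pr >> 16) & 0x1FFF) << 12) | 0xFFF,  # bits 28:16
        "rpe": bool(pr & (1 << 15)),                     # read protect enable
        "wpe": bool(pr & (1 << 31)),                     # write protect enable
    }

def bios_region_covered(prs, bios_base: int, bios_limit: int) -> bool:
    """True if the write-protected PR ranges cover the whole BIOS region."""
    ranges = sorted((d["base"], d["limit"]) for d in map(decode_pr, prs) if d["wpe"])
    cursor = bios_base
    for base, limit in ranges:
        if base > cursor:
            break  # uncovered gap starts at cursor
        if limit >= cursor:
            cursor = limit + 1
    return cursor > bios_limit

def protection_regressions(baseline: dict, current: dict) -> list:
    """Compare two snapshots {'bc': int, 'pr': [int, ...]} from the same machine
    and list protections present in the baseline but missing now."""
    old, new = baseline["bc"], current["bc"]
    findings = [f"BC.{n} cleared" for n, b in (("SMM_BWP", SMM_BWP), ("BLE", BLE))
                if old & b and not new & b]
    if not old & BIOSWE and new & BIOSWE:
        findings.append("BC.BIOSWE set")
    for i, (o, n) in enumerate(zip(baseline["pr"], current["pr"])):
        if decode_pr(o)["wpe"] and not decode_pr(n)["wpe"]:
            findings.append(f"PR{i} write protection disabled")
    return findings

if __name__ == "__main__":
    good = {"bc": 0x22, "pr": [0x8FFF0C00, 0, 0, 0, 0]}  # constructed healthy state
    bad = {"bc": 0x01, "pr": [0x0FFF0C00, 0, 0, 0, 0]}   # constructed stripped state
    print(bios_region_covered(good["pr"], 0xC00000, 0xFFFFFF), protection_regressions(good, bad))
```

On a live system the raw BC and PRx values come from a tool such as CHIPSEC; the baseline snapshot should be taken right after applying Lenovo's fixed BIOS.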
Lenovo is providing a list of the affected models. Most of these already have patches ready to be installed, but some models will only receive a fix on May 10.