Researchers warned Wednesday that more than two dozen Lenovo laptop models are vulnerable to malicious hacks that disable the UEFI secure boot process and then run unsigned UEFI applications or permanently mount a bootloader that compromises the device.
At the same time, researchers from the security company ESET . said Detecting weaknesseslaptop maker Release security updates 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine UEFI Secure Boot can be dangerous because they allow attackers to install malicious firmware that survives multiple OS reinstalls.
Not common, but rare
Short for Unified Extensible Firmware Interface, UEFI is the software that connects a computer’s firmware to its operating system. As the first piece of code that runs when you turn on almost any modern device, it’s the first link in the security chain. Because UEFI is located in a flash chip on the motherboard, it is difficult to detect and remove the infection. Typical actions such as wiping the hard drive and reinstalling the operating system have no appreciable effect because the UEFI infection will then re-infect the computer.
ESET said that the vulnerabilities — tracked as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432 — “allow UEFI Secure Boot to be disabled or to restore factory default Secure Boot databases (including dbx): All simply from an operating system.” Secure Boot uses databases to allow and deny mechanisms. A DBX database, in particular, stores cryptographic hashes of rejected keys. Disabling or restoring default values in databases allows an attacker to remove restrictions that would normally be in effect.
“Changing things in the firmware from the operating system is not common, but rather rare,” a researcher specializing in firmware security, who preferred not to be named, said in an interview. “Most people mean that to change settings in the firmware or in the BIOS, you have to have physical access to smash the DEL button on boot to get into setup and do things there. When you can do a few things from the operating system, that’s kind of the big deal.”
Disabling UEFI Secure Boot frees attackers to execute malicious UEFI applications, which is usually not possible because Secure Boot requires cryptographically signing UEFI applications. Meanwhile, restoring the factory default DBX allows attackers to load a vulnerable bootloader. In August, researchers from the security company Eclypsium I identified three prominent drivers They can be used to bypass secure boot when the attacker has elevated privileges, i.e. admin on Windows or root on Linux.
Vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are caused by Lenovo accidentally shipping laptops with drivers that were designed only for use during the manufacturing process. Weak points are:
- CVE-2022-3430: A possible vulnerability in the WMI Setup driver on some consumer Lenovo Notebooks could allow an elevated attacker to modify Secure Boot settings by changing the NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebooks that was not accidentally deactivated could allow an elevated-privileged attacker to modify the Secure Boot setting by changing the NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was not accidentally deactivated could allow an elevated-privileged attacker to modify the Secure Boot setting by setting the NVRAM variable.
Lenovo only corrects the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the end-of-life laptop model that was affected. People using any of the other vulnerable models should install the patches as soon as possible.
“Typical beer trailblazer. Hipster-friendly web buff. Certified alcohol fanatic. Internetaholic. Infuriatingly humble zombie lover.”