Some Lenovo laptops may have a serious security flaw

ESET cybersecurity experts have discovered three security flaws in hundreds of different Lenovo laptop models that could put millions of users at risk.

ESET said that exploiting these vulnerabilities would allow attackers to deploy and execute UEFI malware, either as SPI flash implants like LoJax, written into the firmware chip itself, or as EFI System Partition (ESP) implants like ESPecter, which live on disk and run before the operating system bootloader.

Three vulnerabilities were found. CVE-2021-3971 and CVE-2021-3972 affect two UEFI firmware drivers, SecureBackDoor and SecureBackDoorPeim, that were intended only for the manufacturing process but were mistakenly shipped in production firmware. CVE-2021-3970 is a memory corruption bug in a System Management Mode (SMM) software SMI handler.

Bypass security measures

The two SecureBackDoor flaws can be triggered by setting a UEFI NVRAM variable from a privileged user-mode process while the operating system is running: CVE-2021-3971 disables the SPI flash write protections (the BIOS Control Register bits and the Protected Range registers), and CVE-2021-3972 disables UEFI Secure Boot. The third, ESET explains, lets an attacker execute code with SMM privileges, the most privileged execution mode on the platform, which can in turn be used to unlock the flash and write an SPI flash implant.
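The "BIOS control register bits and protection range registers" named above are the two independent write-protection mechanisms for the BIOS region of the SPI flash on Intel platforms, and checking their state from the running OS is how a practitioner verifies whether flash protections are actually in force. The following is an added example, not code from ESET's report or from Lenovo's firmware: it decodes an Intel PCH BIOS_CNTL register and the SPI Protected Range (PRx) registers and applies the same "is the BIOS region write protected?" rule that chipsec's common.bios_wp module uses. The register snapshots are constructed values, not read from hardware (reading them for real requires ring 0, e.g. chipsec or flashrom), and the 15-bit PR base/limit field widths are an assumption that matches 100-series and later PCHs; older generations use narrower fields.

```c
/*
 * Added example (not ESET's or Lenovo's code): decode Intel PCH SPI flash
 * protection registers and decide whether the BIOS region is write protected.
 * Register values are constructed snapshots, not read from hardware.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bit positions (Intel PCH). */
#define BIOS_CNTL_BIOSWE   (1u << 0)  /* BIOS Write Enable: flash writes allowed */
#define BIOS_CNTL_BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP  (1u << 5)  /* SMM BIOS Write Protect: only SMM may write */

/* PRx layout assumed here: bit 31 WPE, bits 30:16 limit, bits 14:0 base,
 * both in 4 KiB units. Field widths differ on older PCH generations. */
#define PR_WPE           (1u << 31)
#define PR_LIMIT(pr)     (((((pr) >> 16) & 0x7FFFu) << 12) | 0xFFFu)
#define PR_BASE(pr)      (((pr) & 0x7FFFu) << 12)

#define NUM_PR 5

struct spi_snapshot {
    uint8_t  bios_cntl;
    uint32_t pr[NUM_PR];
    uint32_t bios_region_base;   /* BIOS region bounds from the flash descriptor */
    uint32_t bios_region_limit;
};

/* BIOS_CNTL protects only if BIOSWE is clear, BLE is set, and SMM_BWP is set.
 * BLE alone is insufficient: without SMM_BWP a write can race the SMI that
 * re-clears BIOSWE (the "Speed Racer" attack). */
bool bios_cntl_protects(uint8_t bios_cntl)
{
    return !(bios_cntl & BIOS_CNTL_BIOSWE)
        && (bios_cntl & BIOS_CNTL_BLE)
        && (bios_cntl & BIOS_CNTL_SMM_BWP);
}

/* Protected ranges protect if some PRx with WPE set covers the whole BIOS region. */
bool pr_protects(const struct spi_snapshot *s)
{
    for (int i = 0; i < NUM_PR; i++) {
        uint32_t pr = s->pr[i];
        if (!(pr & PR_WPE))
            continue;
        if (PR_BASE(pr) <= s->bios_region_base && PR_LIMIT(pr) >= s->bios_region_limit)
            return true;
    }
    return false;
}

/* Either mechanism is enough; chipsec reports FAILED when neither holds. */
bool bios_write_protected(const struct spi_snapshot *s)
{
    return bios_cntl_protects(s->bios_cntl) || pr_protects(s);
}

/* Constructed snapshots of a 16 MiB flash whose BIOS region is the top 6 MiB.
 * SAMPLE_LOCKED: BLE+SMM_BWP set, BIOSWE clear, PR0 covers the BIOS region.
 * SAMPLE_OPEN: the state a SecureBackDoor-style bypass leaves behind, with
 * BIOSWE set, SMM_BWP clear and no PR write-protection enabled. */
enum { SAMPLE_LOCKED = 0, SAMPLE_OPEN = 1 };

static const struct spi_snapshot samples[2] = {
    { 0x2A, { 0x8FFF0A00u, 0, 0, 0, 0 }, 0x00A00000u, 0x00FFFFFFu },
    { 0x09, { 0x0FFF0A00u, 0, 0, 0, 0 }, 0x00A00000u, 0x00FFFFFFu },
};

bool sample_is_protected(int which)
{
    return bios_write_protected(&samples[which]);
}

int main(void)
{
    for (int i = 0; i < 2; i++) {
        const struct spi_snapshot *s = &samples[i];
        printf("sample %d: BIOS_CNTL=0x%02X PR0=0x%08X -> %s\n", i, s->bios_cntl,
               s->pr[0], bios_write_protected(s) ? "write protected" : "NOT protected");
    }
    return 0;
}
```

A software check like this is only as trustworthy as the environment it runs in: CVE-2021-3970 gives an attacker SMM execution, and SMM-resident code can answer register reads however it likes, so the result should be confirmed against the vendor's fix level and, where available, a hardware-rooted measurement rather than taken at face value.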

According to ESET researcher Martin Smolár, what makes these flaws so dangerous is that they enable UEFI threats, code that runs early in the boot process, before control is handed to the operating system.

This means they can bypass "almost all of the security measures and mitigations higher in the stack that could prevent your operating system payloads from running," he said.

UEFI implants are not new: LoJax, MosaicRegressor, MoonBounce, ESPecter and FinSpy have all been documented. Every one of them, however, first has to bypass or disable the platform's firmware security mechanisms (flash write protection, Secure Boot) in order to be deployed, and vulnerabilities such as these provide exactly that opening.

The UEFI boot and runtime services are essential to the operation of any endpoint, as drivers and applications require them to function properly.

ESET researchers "strongly" recommend that all Lenovo laptop owners check Lenovo's advisory for the list of affected devices and update their firmware according to the manufacturer's instructions.

For devices that have reached end of life and will receive no fix, ESET suggests a TPM-aware full-disk encryption solution that seals the disk key to the measured boot state. Because a change to the UEFI Secure Boot configuration alters the TPM measurements, the key will no longer unseal and the data on the disk stays inaccessible if an attacker tampers with Secure Boot.