Vulnerabilities in Lenovo laptops allow direct access to the mainboard

The Slovak IT security provider Eset, together with the manufacturer Lenovo, is warning about vulnerabilities in Lenovo's consumer laptops. In total, more than 100 different models are affected, ranging from inexpensive devices such as the Ideapad 3 to gaming machines such as the Legion 7 and the new Yoga Slim products.

Security researchers from Eset discovered three vulnerabilities that “open the floodgates to the laptops for attackers,” as the security provider writes. The first two vulnerabilities affect the UEFI drivers. The abbreviation stands for Unified Extensible Firmware Interface. The module is part of the mainboard’s firmware and enables, among other things, security functions such as Secure Boot – i.e. starting the computer in a safe mode.

This means that attackers could inject malware onto the laptops at the mainboard level. “UEFI malware can go unnoticed for a long time and represents an immense threat potential,” says Eset researcher Martin Smolár, who discovered the vulnerabilities. “The malicious programs are executed early in the boot process, before the operating system starts.” Thus, they would bypass almost all security measures against malicious programs at the higher levels.

The first two vulnerabilities (CVE-2021-3970, CVE-2021-3971) are actually “secure” backdoors built into the UEFI firmware. These were meant to be usable only during the manufacturing process of the laptops. However, they were not properly deactivated in the delivered models. Cybercriminals could now use these backdoors to disable SPI flash protection (BIOS control register bits and protected range registers) or the UEFI Secure Boot feature from a privileged user-mode process while the operating system is running.
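A defender's check for the protections named above, as an added example that is not code from Eset or Lenovo: it decodes the BIOS control register and the protected range registers and reports which SPI flash write protections are switched off. The bit layout is the Intel PCH one and is an assumption about the platform, and the register values are constructed samples; on a real machine they would be read with a tool such as CHIPSEC.

```python
# Added example: decode SPI flash write-protection state from raw register values.
# Assumed layout: Intel PCH BIOS_CNTL and PR0-PR4 (confirm in the chipset datasheet).

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region of the flash is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM
PR_RPE = 1 << 15   # protected range: read protection enable
PR_WPE = 1 << 31   # protected range: write protection enable


def decode_bios_cntl(value):
    """Return the protection-relevant BIOS_CNTL bits as booleans."""
    return {"BIOSWE": bool(value & BIOSWE),
            "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def decode_pr(value):
    """Decode one protected range register (4 KiB granularity)."""
    return {"base": (value & 0x7FFF) << 12,
            "limit": (((value >> 16) & 0x7FFF) << 12) | 0xFFF,
            "read_protected": bool(value & PR_RPE),
            "write_protected": bool(value & PR_WPE)}


def assess(bios_cntl, pr_values):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    bits = decode_bios_cntl(bios_cntl)
    if bits["BIOSWE"]:
        findings.append("BIOSWE=1: BIOS region is currently writable")
    if not bits["BLE"]:
        findings.append("BLE=0: BIOSWE can be set without SMM being notified")
    if not bits["SMM_BWP"]:
        findings.append("SMM_BWP=0: flash writes are not restricted to SMM")
    ranges = [decode_pr(v) for v in pr_values]
    if not any(r["write_protected"] and r["limit"] >= r["base"] for r in ranges):
        findings.append("no protected range register enforces write protection")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not readings from a real laptop.
    samples = {"protected": (0x22, [0x8FFF0A00, 0, 0, 0, 0]),
               "unprotected": (0x01, [0, 0, 0, 0, 0])}
    for name, (cntl, prs) in samples.items():
        print(name, assess(cntl, prs) or "all checks passed")
```

A clean result only describes the register state at the moment of reading, since the backdoors can change it while the operating system is running; the firmware update remains the fix.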

Update or encrypt

According to Eset, a closer look at the binaries of these backdoors revealed the third vulnerability (CVE-2021-3972). It enables arbitrary read and write access to the system management RAM, which allows attackers to run malicious code with higher privileges.

Eset recommends that Lenovo customers review the list of affected devices and update their firmware according to the manufacturer’s instructions. Lenovo has published the list.

There are also devices that are affected by the UEFI SecureBootBackdoor (CVE-2021-3970) vulnerability, but no longer receive updates from the manufacturer. Anyone who owns such a device should switch to a Trusted Platform Module solution. This encrypts the hard drives and makes the data inaccessible to cyber criminals.

If you want to read more about UEFI malware and what makes it so special and dangerous, you can read an interview with Eset expert Thomas Uhlemann about the UEFI malware Lojax. “Once you’re infected, it’s actually already too late.”
