Lenovo says it has fixed two major security vulnerabilities that plague many of its ThinkBook, IdeaPad, and Yoga laptops, and is now urging users to adopt the fix as soon as possible.
The issues, which stem from human error, could let a threat actor deactivate UEFI Secure Boot, allowing them to load and run malicious code during the computer's boot process, before the operating system starts.
Loading malware before the operating system renders most antivirus solutions unusable, and the malware can even withstand OS reinstallations.
A mistake, not a bug
ESET researchers found that Lenovo had accidentally shipped an early development driver that contained these flaws and enabled the attacks, so this isn't really a defect in the code so much as a human mistake.
“The affected drivers were intended to be used only during the manufacturing process, but were incorrectly involved in production,” explains ESET in a Twitter thread.
To exploit the flaws, threat actors would have to build a special NVRAM variable, further reinforcing ESET’s conclusion that UEFI firmware developers should not use NVRAM as trusted storage.
The two vulnerabilities in question are tracked as CVE-2022-3430 and CVE-2022-3431. The media also mentioned a third similar vulnerability, tracked as CVE-2022-3432, but it affects only one Lenovo model – the Ideapad Y700-14ISK. Since this device has already reached the end of its life, Lenovo said it would not release a fix.
Those who think they are vulnerable to the aforementioned flaws should go to Lenovo’s security bulletin and see if their model is on the list. The versions of the firmware that fix these errors are listed under the CVE IDs.
This is not the first time Lenovo users have had to update their firmware to protect themselves from boot hijacking.
In July 2021, three serious security vulnerabilities were discovered and patched on a number of Lenovo laptops. Then, too, ESET researchers found the issue in the ReadyBootDxe driver used by some Lenovo notebooks, along with two buffer overflow issues in the SystemLoadDefaultDxe driver, which could have allowed threat actors to hijack the boot routine of Windows installations.
The Lenovo lines Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540 and S940 were all affected, with more than 70 endpoint models.
The vulnerabilities were tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892.
Via: BleepingComputer