Three UEFI Firmware Vulnerabilities Affect Millions of Lenovo Users

Lenovo has published a security bulletin and warned of three vulnerabilities that affect its UEFI, which is used on at least 100 laptop models of the company.

By the way, we already wrote that Bugs in Lenovo laptops allow getting administrator privileges – check your Lenovo firmware versions.

All three new vulnerabilities were discovered by ESET researchers back in October last year, and they have now been fixed. In total, the bugs affect more than 100 laptop models, including the IdeaPad 3, Legion 5 Pro-16ACH6 H and Yoga Slim 9-14ITL05. This means that millions of users are working with vulnerable devices.

However, not only Lenovo has problems: for example, we wrote how Microsoft explained why Windows 10 crashes on Lenovo laptops.

Two of the three vulnerabilities (CVE-2021-3972 and CVE-2021-3971) are related to the fact that drivers that should have been used only during the production process were mistakenly included in the current UEFI firmware, exposing devices to risks.

So, bugs allowed attackers with elevated privileges to change secure boot settings (CVE-2021-3972), or change the protection region of the firmware (CVE-2021-3971). According to ESET, hackers could use these issues to “deploy and successfully run SPI flash or ESP implants.”

The third issue, CVE-2021-3970, does allow a local attacker to execute arbitrary code with elevated privileges.

ESET’s own report highlights that UEFI exploits can be extremely stealthy and dangerous, as they are executed “at the beginning of the boot process, before the OS takes control.”

In fact, this means that majority of security products and solutions that operate at the OS level are useless against such vulnerabilities, and payload execution in this case is almost inevitable and impossible to detect.

To protect against attacks related to these vulnerabilities, Lenovo recommends that users of affected devices update their firmware to the latest available versions as soon as possible.