More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned Wednesday.
At the same time that researchers from security company ESET disclosed the vulnerabilities, the notebook manufacturer released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine UEFI Secure Boot can be serious because they allow attackers to install malicious firmware that survives multiple OS reinstallations.
Not common, even rare
Short for Unified Extensible Firmware Interface, UEFI is the software that connects a computer’s device firmware to the operating system. As the first piece of code that is executed when virtually every modern machine is turned on, it is the first link in the security chain. Since the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the operating system have no meaningful impact because the UEFI infection will simply re-infect the computer afterwards.
ESET said the vulnerabilities, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, “allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (including dbx): all easily from an operating system.” Secure Boot uses databases as its allow and deny mechanisms. Specifically, the DBX database stores cryptographic hashes of denied keys and binaries. By disabling Secure Boot or restoring the factory default values of the databases, an attacker can remove restrictions that would normally be in effect.
“It’s not common to change things in the operating system firmware, not even rare,” said a researcher specializing in firmware security, who prefers not to be mentioned by name, in an interview. “Most people think that to change settings in the firmware or in the BIOS, you need physical access to press the DEL button at boot-up to open the setup and do things there. If you can do some of these things from the operating system, that’s quite a big deal.”
Disabling UEFI Secure Boot gives attackers the freedom to run malicious UEFI apps, which is not normally possible because secure boot requires UEFI apps to be cryptographically signed. Meanwhile, restoring the factory default DBX allows attackers to load vulnerable bootloaders. In August, researchers at security firm Eclypsium identified three prominent software drivers that can be used to bypass secure boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.
The vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are a result of Lenovo inadvertently supplying notebook computers with drivers intended only for use during the manufacturing process. The vulnerabilities are:
- CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some Lenovo consumer notebook computers could allow an elevated attacker to change secure boot settings by modifying an NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was inadvertently not disabled could allow an elevated attacker to change the secure boot setting by using an NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was inadvertently not disabled could allow an elevated attacker to change the secure boot setting by modifying an NVRAM variable.
Lenovo is patching only the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the end-of-life notebook model affected. People using any of the other vulnerable models should install the patches as soon as possible.
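The article describes two effects an attacker can produce from the OS: flipping Secure Boot off and rolling dbx back to a factory default that no longer denies known-bad bootloaders. A defender can verify both conditions from a running Linux system, because the firmware exposes the same NVRAM variables through efivarfs. The script below is an added example, not code from the article, ESET or Lenovo. It parses the EFI_SIGNATURE_LIST structures that make up dbx, reports whether Secure Boot is enabled, and checks whether a given SHA-256 hash is actually denied. The efivarfs path and the variable names (SecureBoot under the EFI global variable GUID, dbx under the image security database GUID) are standard UEFI names; the sample dbx blob and the hashes in it are constructed for the example and are not real revocation entries.

```python
import hashlib
import os
import struct
import uuid

# Standard UEFI GUIDs (from the UEFI specification).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = "/sys/firmware/efi/efivars"
SIGLIST_HEADER_LEN = 28  # GUID(16) + 3 x UINT32


def strip_efivarfs_attrs(raw):
    """efivarfs prefixes every variable with 4 bytes of attributes; drop them."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    return raw[4:]


def secure_boot_enabled(raw_var):
    """SecureBoot is a single byte: 1 = enforcing, 0 = disabled."""
    data = strip_efivarfs_attrs(raw_var)
    return len(data) >= 1 and data[0] == 1


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs (the db/dbx format).

    Returns a list of (signature_type, owner_guid, signature_data) tuples.
    Malformed or truncated input raises ValueError instead of being skipped,
    so a tampered variable is reported rather than silently parsed as empty.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than SignatureOwner GUID")
        body = blob[off + SIGLIST_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def dbx_contains_hash(entries, sha256_hex):
    """True if the given SHA-256 (hex) is among the denied hashes."""
    target = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == target for t, _, d in entries)


def audit(secureboot_raw, dbx_raw):
    """Summarise the Secure Boot posture from raw efivarfs bytes."""
    entries = parse_signature_lists(strip_efivarfs_attrs(dbx_raw))
    return {
        "secure_boot": secure_boot_enabled(secureboot_raw),
        "dbx_sha256_entries": sum(1 for t, _, _ in entries if t == EFI_CERT_SHA256_GUID),
        "dbx_x509_entries": sum(1 for t, _, _ in entries if t == EFI_CERT_X509_GUID),
    }


def build_signature_list(sig_type, owner, sigs):
    """Assemble one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample variables, in efivarfs layout (attributes + data).
SAMPLE_HASHES = [hashlib.sha256(b"constructed-bootloader-%d" % i).digest() for i in (1, 2)]
SAMPLE_DBX_RAW = struct.pack("<I", 0x27) + build_signature_list(EFI_CERT_SHA256_GUID, uuid.UUID(int=0), SAMPLE_HASHES)
SAMPLE_SECUREBOOT_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SECUREBOOT_OFF = struct.pack("<I", 0x6) + b"\x00"


def read_efivar(name, guid):
    """Read a variable from the live system, or None when efivarfs is absent."""
    path = os.path.join(EFIVARS, "%s-%s" % (name, guid))
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
    dbx = read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID)
    if sb is None or dbx is None:
        print("efivarfs not available; auditing constructed sample instead")
        sb, dbx = SAMPLE_SECUREBOOT_ON, SAMPLE_DBX_RAW
    print(audit(sb, dbx))
```

Run as root on a UEFI Linux host it reads the live variables; anywhere else it falls back to the constructed sample. A result of `secure_boot: False`, or a dbx with zero SHA-256 entries on a machine that previously had a populated revocation list, is the state the article warns about and is worth treating as an integrity alert rather than a configuration quirk.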