Three recently disclosed (and patched) high-impact BIOS security vulnerabilities in Lenovo notebooks could lead to UEFI (Unified Extensible Firmware Interface) attacks.
Discovered by security researcher Martin Smolár and assigned the identifiers CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the flaws could be leveraged to deploy and execute UEFI malware in the Lenovo Notebook BIOS, in the form of SPI flash implants such as LoJax or ESP (EFI System Partition) implants.
The vulnerabilities reportedly impact more than 100 consumer laptop models with millions of users worldwide. It is also noteworthy that the flaws were caused by drivers that were meant to be used only during Lenovo’s product development stage. The list of vulnerable devices spans both affordable and expensive models, from the Ideapad-3 to models like the Legion 5 Pro-16ACH6 H or the Yoga Slim 9-14ITL05.
More about CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972
According to Lenovo’s advisory, here is how the three vulnerabilities affect the affected Lenovo models:
CVE-2021-3970 has been described as “a potential vulnerability in LenovoVariable SMI Handler” caused by insufficient validation in some Lenovo Notebook models; it may allow an attacker with local access and elevated privileges to execute arbitrary code.
CVE-2021-3971 is a potential vulnerability caused by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices. The driver was mistakenly included in the BIOS image and could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
CVE-2021-3972 is a potential vulnerability, also caused by a driver used during the manufacturing process on some consumer Lenovo Notebook devices. The driver was mistakenly not deactivated and may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
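Both CVE-2021-3971 and CVE-2021-3972 come down to a firmware driver honouring an NVRAM (UEFI) variable it should not, so the practical check on the defender's side is to know what those variables look like and to notice when security-relevant ones change. The Python below is an added example, not code from this article, Lenovo, or ESET: it parses the record format Linux efivarfs uses to expose UEFI variables (a 4-byte little-endian attribute mask followed by the variable data), reports the SecureBoot/SetupMode state, and diffs a current snapshot against a trusted baseline. The EFI_GLOBAL_VARIABLE GUID and attribute bits come from the UEFI specification; the sample byte strings are constructed, and the specific vendor variables the Lenovo drivers consumed are not named here.

```python
import os
import struct
from dataclasses import dataclass

# efivarfs exposes each variable as "<Name>-<VendorGUID>"; SecureBoot and
# SetupMode live under the EFI_GLOBAL_VARIABLE GUID from the UEFI spec.
EFIVARS_DIR = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Variable attribute bits from the UEFI specification (only the three used here).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
ATTRIBUTE_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NV",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RT",
}


@dataclass
class EfiVariable:
    name: str
    attributes: int
    data: bytes

    def attribute_names(self) -> list:
        return [label for bit, label in ATTRIBUTE_NAMES.items() if self.attributes & bit]


def parse_efivar(name: str, raw: bytes) -> EfiVariable:
    """efivarfs file layout: 4-byte little-endian attribute mask, then the data."""
    if len(raw) < 4:
        raise ValueError(f"{name}: record shorter than the 4-byte attribute header")
    (attributes,) = struct.unpack_from("<I", raw, 0)
    return EfiVariable(name, attributes, raw[4:])


def secure_boot_report(raw_vars: dict) -> dict:
    """Summarise boot-policy state from raw efivarfs contents keyed by variable name.

    Returns {"secure_boot": bool|None, "setup_mode": bool|None, "findings": [...]}.
    """
    findings = []
    state = {"secure_boot": None, "setup_mode": None, "findings": findings}
    for key, field in (("SecureBoot", "secure_boot"), ("SetupMode", "setup_mode")):
        raw = raw_vars.get(key)
        if raw is None:
            findings.append(f"{key} variable not present; cannot assess")
            continue
        var = parse_efivar(key, raw)
        if len(var.data) != 1:  # both variables are defined as a single UINT8
            findings.append(f"{key} has unexpected length {len(var.data)}, expected 1 byte")
            continue
        state[field] = var.data[0] == 1
    if state["secure_boot"] is False:
        findings.append("Secure Boot is disabled")
    if state["setup_mode"] is True:
        findings.append("Platform is in Setup Mode (no Platform Key enrolled); policy not enforced")
    return state


def diff_against_baseline(baseline: dict, current: dict) -> list:
    """Report variables whose attributes or data changed since a trusted snapshot.

    Both arguments map variable name -> raw efivarfs bytes. Feeding this from a
    periodic collector is how an unexpected NVRAM change becomes visible."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append(f"{name}: removed")
        elif name not in baseline:
            changes.append(f"{name}: new variable")
        elif baseline[name] != current[name]:
            before = parse_efivar(name, baseline[name])
            after = parse_efivar(name, current[name])
            changes.append(
                f"{name}: attrs {before.attribute_names()}->{after.attribute_names()}, "
                f"data {before.data.hex()}->{after.data.hex()}"
            )
    return changes


def read_efivars(names, efivars_dir=EFIVARS_DIR, guid=EFI_GLOBAL_VARIABLE_GUID) -> dict:
    """Read the named variables from a live Linux system; absent files are skipped."""
    out = {}
    for name in names:
        path = os.path.join(efivars_dir, f"{name}-{guid}")
        try:
            with open(path, "rb") as fh:
                out[name] = fh.read()
        except OSError:
            pass  # not UEFI-booted, or variable absent; secure_boot_report reports it
    return out


# Constructed sample records (not captured from a real machine): BS|RT attributes
# (0x06) followed by a one-byte value, the layout efivarfs uses for these variables.
SAMPLE_HEALTHY = {
    "SecureBoot": b"\x06\x00\x00\x00\x01",  # Secure Boot enabled
    "SetupMode": b"\x06\x00\x00\x00\x00",   # Platform Key enrolled, user mode
}
SAMPLE_TAMPERED = {
    "SecureBoot": b"\x06\x00\x00\x00\x00",  # Secure Boot now reports disabled
    "SetupMode": b"\x06\x00\x00\x00\x01",   # platform dropped into Setup Mode
}

if __name__ == "__main__":
    live = read_efivars(["SecureBoot", "SetupMode"]) or SAMPLE_HEALTHY
    print(secure_boot_report(live))
    for line in diff_against_baseline(SAMPLE_HEALTHY, SAMPLE_TAMPERED):
        print(line)
```

On a real machine the baseline would be captured right after the BIOS update Lenovo's advisory points to, and the diff re-run from a scheduled job; a flip of SecureBoot or SetupMode without a corresponding administrator action is the signal worth an alert. Reading some efivarfs files may require root, and a system booted in legacy BIOS mode has no efivarfs at all, which the code reports rather than treating as "secure".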
More information on how to update your device is available in Lenovo’s advisory.
In February 2022, at least 23 new security vulnerabilities were discovered in UEFI firmware implementations used by multiple vendors, such as HP, Lenovo, Juniper Networks, and Fujitsu.
The flaws were located in Insyde Software’s InsydeH2O UEFI firmware, with most of them stemming from System Management Mode (SMM).
What Is UEFI?
Unified Extensible Firmware Interface (UEFI) is a technology that connects a computer’s firmware to its operating system. The purpose of UEFI is to eventually replace the legacy BIOS. The technology is installed during manufacturing, and it is the first program that runs when a computer is started.