How does an unpatched UEFI (Unified Extensible Firmware Interface) vulnerability in Lenovo ThinkPad firmware sound? This is exactly the type of vulnerability independent security researcher Dmytro Oleksiuk recently “stumbled upon” – a zero-day that exists not only in Lenovo but also in products from other vendors such as HP and Gigabyte Technology.
The exploit code, which the researcher calls ThinkPwn, runs from the UEFI shell that can be reached at boot time. Oleksiuk also notes that it can be adapted to run from within the operating system, which is how firmware malware would typically deliver it.
Lenovo’s UEFI Zero-day/ ThinkPwn Vulnerability Explained
The vulnerability lies in System Management Mode (SMM) code that ships inside the UEFI firmware packages. Oleksiuk wrote an exploit, ThinkPwn, that uses the flaw to disable the firmware’s flash write protections. The result? The device’s firmware can be rewritten.
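The page does not say which write-protection mechanism ThinkPwn switches off, so the following is an added example of the check a practitioner would run, not code from the researcher or from Lenovo. It decodes the Intel PCH BIOS_CNTL register, whose BLE and SMM_BWP bits are the usual way firmware locks the BIOS region of SPI flash, and it classifies how much that configuration is worth once an attacker can execute code in SMM. The bit layout (BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5) is taken from Intel’s public PCH datasheets; every register value used below is a constructed sample, not a reading from any ThinkPad.

```python
"""Decode Intel PCH BIOS_CNTL and judge BIOS-region flash write protection.

Added example: BIOS_CNTL lives in the PCI config space of the LPC/eSPI
bridge (offset 0xDC on many PCH generations, an assumption you must verify
for your platform). Bit layout per Intel PCH datasheets:
  bit 0  BIOSWE   BIOS Write Enable: 1 = writes to the BIOS region allowed
  bit 1  BLE      BIOS Lock Enable: setting BIOSWE raises an SMI so the
                  firmware's SMI handler can clear it again
  bit 5  SMM_BWP  SMM BIOS Write Protect: writes allowed only while in SMM
Both lock bits delegate enforcement to SMM, which is exactly why an SMM
code-execution bug lets an attacker turn the protection off.
"""

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


def decode_bios_cntl(value: int) -> dict:
    """Return the three protection-relevant bits of a BIOS_CNTL byte."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def flash_write_protection(value: int, smm_compromised: bool = False) -> str:
    """Classify the BIOS-region write protection expressed by BIOS_CNTL.

    smm_compromised models an attacker who already runs code in SMM, as
    ThinkPwn does; for that attacker every BIOS_CNTL-based lock is moot
    because the SMI handler that enforces BLE is now attacker-controlled and
    SMM_BWP explicitly permits writes from SMM.
    Protected Range registers (PR0-PR4 + FLOCKDN), which are a separate,
    reset-locked mechanism, are deliberately not modelled here.
    """
    bits = decode_bios_cntl(value)
    if bits["BIOSWE"]:
        return "unprotected"      # any ring-0 code may write the BIOS region
    if not bits["BLE"]:
        return "unprotected"      # nothing stops ring-0 from setting BIOSWE
    if smm_compromised:
        return "bypassable"       # enforcement lives in SMM, which is owned
    if not bits["SMM_BWP"]:
        return "ble-only"         # relies solely on the SMI handler reacting
    return "protected"


# Constructed sample values (not captured from real hardware).
SAMPLES = {
    "factory-open": 0x00,
    "ble-only": 0x02,
    "ble+smm_bwp": 0x22,
    "write-enabled": 0x23,
}


def main() -> None:
    for name, value in SAMPLES.items():
        normal = flash_write_protection(value)
        owned = flash_write_protection(value, smm_compromised=True)
        print(f"{name:14} BIOS_CNTL=0x{value:02x} {decode_bios_cntl(value)} "
              f"-> {normal}; with SMM code exec -> {owned}")


if __name__ == "__main__":
    main()
```

On a Linux box the live value can be read with `setpci -s 00:1f.0 dc.b` (assuming the bridge sits at 00:1f.0 and BIOS_CNTL is at 0xDC, which holds for many but not all Intel platforms); a configuration that decodes as "protected" here is still only as strong as the SMM code that enforces it, which is the point of the ThinkPwn disclosure.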
It gets more serious: the researcher could also disable UEFI Secure Boot, which Windows relies on. Windows 10, marketed as the most secure Windows yet, is affected as well, since its built-in Device Guard protections can be switched off too.
According to the researcher, the flaw is not limited to Lenovo ThinkPad laptops and may be present in other OEMs’ products; some HP machines are also believed to be vulnerable.
What Does Lenovo Say about the UEFI/ ThinkPwn Vulnerability?
Oleksiuk published the details without notifying Lenovo first. According to Lenovo, the flaw is not in UEFI code written by its own engineers but in code that an independent BIOS vendor (IBV) developed on top of a common code base provided by Intel.
This is part of the company’s statement, which partly contradicts the researcher’s account:
Lenovo’s Product Security Incident Response Team (PSIRT) is fully aware of the uncoordinated disclosure by an independent researcher of a BIOS vulnerability located in the System Management Mode (SMM) code that impacts certain Lenovo PC devices. Shortly after the researcher stated over social media that he would disclose a BIOS-level vulnerability in Lenovo products, Lenovo PSIRT made several unsuccessful attempts to collaborate with the researcher in advance of his publication of this information.
The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose.