Lenovo patches ThinkPad, Yoga, IdeaPad UEFI secure boot vulnerability
Mistakenly used drivers could allow hackers to modify the secure boot process
Lenovo has released patches to address two vulnerabilities that could have allowed cyber criminals to run malicious code through the deactivation of UEFI Secure Boot.
Researchers at ESET first discovered the vulnerabilities, tracked as CVE-2022-3430 and CVE-2022-3431, which, if exploited, could lead to threat actors circumventing the basic security functions of a victim’s operating system (OS). These bugs carry a severity rating of ‘high’.
The vulnerabilities affect 25 devices across the ThinkBook, Yoga and IdeaPad ranges in total, although not all these devices are affected by both vulnerabilities. As these devices are heavily used in business settings, employees could be adversely affected by the flaw and potentially sustain damage to sensitive data.
The flaw, which sits within a driver in the affected devices, allows for attackers to alter a variable in non-volatile random access memory (NVRAM) to modify the secure boot setting of a device. This was not due to an error in the code of the affected drivers, but rather because the affected devices were mistakenly equipped with drivers intended for use only during manufacturing, with relaxed control over secure boot settings from within the OS.
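Because the attack hinges on a Secure Boot setting that can be flipped from the OS through an NVRAM variable, a defender wants two checks: the current SecureBoot/SetupMode state, and an inventory of persistent variables the OS is allowed to write at runtime without authenticated-write protection. The following Python is an added example, not code from the article or from ESET or Lenovo; it parses the Linux efivarfs layout (4-byte little-endian attribute mask followed by the variable data) over a constructed sample, and the vendor variable name in the sample is hypothetical.

```python
import struct

GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

# EFI variable attribute bits from the UEFI specification (SetVariable()).
NON_VOLATILE, RUNTIME_ACCESS = 0x01, 0x04
AUTH_WRITE, TIME_AUTH_WRITE = 0x10, 0x20

def parse_efivar(blob: bytes):
    """Split an efivarfs file image (4-byte LE attributes + data) into both parts."""
    if len(blob) < 4:
        raise ValueError("efivarfs entry too short")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]

def secure_boot_state(variables: dict) -> dict:
    """Report SecureBoot / SetupMode from a {filename: blob} mapping (None if absent)."""
    def flag(name):
        blob = variables.get(f"{name}-{GLOBAL_GUID}")
        if blob is None:
            return None
        _, data = parse_efivar(blob)
        return bool(data) and data[0] == 1
    return {"SecureBoot": flag("SecureBoot"), "SetupMode": flag("SetupMode")}

def runtime_writable_unauthenticated(variables: dict) -> list:
    """Persistent variables the OS may write at runtime with no authenticated-write
    protection: the kind of knob a leaked manufacturing driver would expose."""
    hits = []
    for name, blob in variables.items():
        attrs, _ = parse_efivar(blob)
        unprotected = not attrs & (AUTH_WRITE | TIME_AUTH_WRITE)
        if attrs & NON_VOLATILE and attrs & RUNTIME_ACCESS and unprotected:
            hits.append(name)
    return sorted(hits)

# Constructed sample (not from a real machine): SecureBoot=1, SetupMode=0, a
# time-authenticated 'db', and a hypothetical vendor variable writable from the OS.
SAMPLE = {
    f"SecureBoot-{GLOBAL_GUID}": struct.pack("<I", 0x06) + b"\x01",
    f"SetupMode-{GLOBAL_GUID}": struct.pack("<I", 0x06) + b"\x00",
    "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f": struct.pack("<I", 0x27) + b"\x00" * 8,
    "ExampleVendorSetting-00000000-0000-0000-0000-000000000000": struct.pack("<I", 0x07) + b"\x00",
}

if __name__ == "__main__":
    print(secure_boot_state(SAMPLE), runtime_writable_unauthenticated(SAMPLE))
```

On a live Linux system the same mapping is built by reading each file under /sys/firmware/efi/efivars; any entry that the audit lists is worth tracing back to the firmware component that registered it.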
UEFI flaws are severe, as they allow for threat actors to alter critical device processes, and potentially install malware within the victim’s flash memory. For example, threat actors could use such a flaw to install a rootkit, which could carry out malicious activity while remaining very hard to detect, and can even survive OS reinstallation.
“Secure boot is built on a hierarchy of trust typically rooted in technologies fixed in the hardware of a device,” said Professor John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at the University of Manchester.
“Such systems are used to ensure that despite any exploitation of a vulnerability during the normal operation of a system it can be recovered through a reboot. It is therefore essential that by design, the secure boot of a system cannot be altered while in normal operation. Unfortunately, all software should be considered to contain vulnerabilities, and therefore it’s essential that during normal operation no mechanisms can circumvent secure boot.
“Although a move to using digital secure by design execution of software will significantly reduce the opportunity to exploit vulnerabilities, any mechanism in which an exploitation of normal operations can take control of secure boot means they are open to ransomware and other denial of service attacks and highlights the need for trust across the various components of secure boot.”
The IdeaPad Y700-14ISK is affected by a third vulnerability, tracked as CVE-2022-3432, which comprises another driver flaw that results in a similar modification of the secure boot setting. However, Lenovo will not release a fix for this as the device has exceeded its developer support lifecycle.
This is not the first time that Lenovo has had to release such a patch. In April, ESET researchers discovered more than 100 Lenovo models vulnerable to UEFI malware attacks, also as a result of manufacturing drivers mistakenly left on the devices.
Similar concerns have been raised in the past, with Dell BIOS vulnerabilities found in 2021 enabling threat actors to execute malicious code at UEFI level on an estimated 30 million devices, and researchers from Advanced Intelligence and Eclypsium having found a variant of the Trickbot malware that can brick devices at UEFI level in 2020.
ESET recommends that those using the affected devices update their firmware version immediately.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.