The tech giant Lenovo has recently addressed some serious UEFI driver bugs. The vulnerabilities affected more than 100 laptop models, posing a threat to the security of millions of users globally. Since Lenovo has released the fixes, users must update their laptops to get the patches.
Lenovo UEFI Driver Bugs
In a recent post, researchers from ESET have highlighted the Lenovo UEFI driver bugs.
Briefly, two of these vulnerabilities, CVE-2021-3971 and CVE-2021-3972, appeared in Lenovo devices following the erroneous introduction of two drivers in BIOS that should have been removed. As stated in their post,
Two of these vulnerabilities… affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated.
Exploiting the drivers could allow an attacker to gain elevated privileges on the target systems. Then, the adversary could disable SPI flash protections (BIOS Control Register bits and Protected Range registers) (CVE-2021-3971) or the UEFI Secure Boot feature (CVE-2021-3972).
As explained, the researchers found the vulnerabilities after noticing the peculiar driver names “
SecureBackDoor” and “
SecureBackDoorPeim”. Analyzing them further made them catch two other drivers, “
ChgBootDxeHook” and “
ChgBootSmm” sharing some characteristics with the former two drivers.
Alongside these two vulnerabilities, the researchers also found a third vulnerability, CVE-2021-3970. Identified as an SMM memory corruption flaw in the SW SMI handler function, the bug could allow arbitrary read/write from/into SMRAM. It could let an adversary gain SMM privileges, execute codes, and even deploy SPI flash implant.
ESET confirmed that these vulnerabilities potentially affect more than 100 laptop models, excluding the EOL models.
Lenovo Patched The Bugs
The researchers discovered the bug in October 2021, after which they swiftly reached out to Lenovo to report the matter. Consequently, the tech giant started working on developing the patches and finally rolled out the fixes recently.
In its advisory, Lenovo has listed the vulnerable laptop models alongside the download links for the patches. Users must manually check their systems for updates to get the fixes and avoid any exploits.
Let us know your thoughts in the comments.