More than two dozen Lenovo laptop models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned Wednesday. At the same time that researchers from security firm ESET uncovered the vulnerabilities, the laptop maker released security updates for 25 models, including ThinkPads, Yoga Slims and IdeaPads. Vulnerabilities that undermine UEFI Secure Boot can be serious because they allow attackers to install malicious firmware that survives multiple OS reinstalls.

Not common, even rare

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s firmware to its operating system. As the first piece of code executed when almost any modern machine is powered on, it is the first link in the security chain. Because UEFI resides on a flash chip on the motherboard, infections are difficult to detect and remove. Standard measures like wiping the hard drive and reinstalling the operating system have no real impact because the UEFI infection will simply re-infect the computer afterwards. ESET said the vulnerabilities—tracked as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432—“allow disabling UEFI Secure Boot or resetting factory default Secure Boot databases (including dbx).” Secure Boot relies on databases for its allow and deny mechanisms. The dbx database, in particular, stores cryptographic hashes of denied keys. Disabling Secure Boot or resetting its databases to default values allows an attacker to remove the restrictions that would normally apply.
“Changing things in firmware from the operating system is not common, even rare,” a researcher specializing in firmware security, who preferred not to be named, said in an interview. “Most people think that to change settings in the firmware or BIOS you have to have physical access to hammer the DEL button at boot to get into the setup and do things there. When you can do some of those things from the operating system, that’s pretty big.” Disabling UEFI Secure Boot frees attackers to run malicious UEFI applications, which is normally not possible because Secure Boot requires UEFI applications to be cryptographically signed. Meanwhile, resetting dbx to its factory default allows attackers to load vulnerable bootloaders. In August, researchers from security firm Eclypsium identified three prominent software drivers that could be used to bypass Secure Boot when an attacker has elevated privileges, such as administrator on Windows or root on Linux. The vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are the result of Lenovo accidentally shipping notebooks with drivers that were intended to be used only during the manufacturing process. The vulnerabilities are:
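A defender-side check for the state the article describes, written as an added example here and not code from ESET, Eclypsium or Lenovo: it reads the SecureBoot and SetupMode variables and the dbx signature database through Linux efivarfs (assumed at /sys/firmware/efi/efivars, where each variable carries a 4-byte attributes prefix), walks the EFI_SIGNATURE_LIST structures inside dbx, and flags a machine whose Secure Boot is off, is in setup mode, or whose dbx has been emptied. The sample variable contents are constructed so the check also runs offline.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # efivarfs: NAME-GUID files, 4 attribute bytes first
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE: SecureBoot, SetupMode
SECDB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # EFI_IMAGE_SECURITY_DATABASE: db, dbx
SHA256_TYPE = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID

def strip_attrs(raw: bytes) -> bytes:
    return raw[4:]

def parse_siglist(data: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LIST structures and return the SHA-256 entries as hex."""
    hashes, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_type == SHA256_TYPE:  # each entry: 16-byte SignatureOwner GUID + 32-byte hash
            hashes += [body[i + 16:i + sig_size].hex() for i in range(0, len(body), sig_size)]
        off += list_size
    return hashes

def assess(secureboot: bytes, setupmode: bytes, dbx: bytes) -> dict:
    """Flag the states the article describes: Secure Boot off, setup mode, or an emptied dbx."""
    sb_on = strip_attrs(secureboot)[:1] == b"\x01"
    setup = strip_attrs(setupmode)[:1] == b"\x01"
    entries = len(parse_siglist(strip_attrs(dbx)))
    return {"secure_boot": sb_on, "setup_mode": setup, "dbx_entries": entries,
            "suspicious": (not sb_on) or setup or entries == 0}

def build_dbx(hashes: list) -> bytes:
    """Constructed dbx variable (attributes + one SHA-256 list) so the check runs offline."""
    body = b"".join(b"\x00" * 16 + h for h in hashes)
    return b"\x27\x00\x00\x00" + SHA256_TYPE.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

SAMPLE_DBX = build_dbx([b"\x11" * 32, b"\x22" * 32])  # constructed: two denied hashes
EMPTY_DBX = b"\x27\x00\x00\x00"  # constructed: dbx reset to nothing
SB_ON, SB_OFF = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"  # constructed 1-byte booleans

if __name__ == "__main__":
    try:
        raw = {n: (EFIVARS / f"{n}-{g}").read_bytes() for n, g in
               [("SecureBoot", GLOBAL_GUID), ("SetupMode", GLOBAL_GUID), ("dbx", SECDB_GUID)]}
        print(assess(raw["SecureBoot"], raw["SetupMode"], raw["dbx"]))
    except OSError:
        print("no efivarfs here; constructed sample:", assess(SB_OFF, SB_OFF, SAMPLE_DBX))
```

An empty dbx is only a heuristic signal, so compare the entry count against a known-good baseline for the same firmware rather than treating zero as the only bad value.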

CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some Lenovo Notebook consumer devices could allow an elevated attacker to modify Secure Boot settings by changing an NVRAM variable.

CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process in some consumer Lenovo Notebook devices that was inadvertently not disabled could allow an elevated attacker to modify the Secure Boot setting by changing an NVRAM variable.

CVE-2022-3432: A potential vulnerability in a driver used during the build process on the Ideapad Y700-14ISK that was inadvertently not disabled could allow an elevated attacker to modify the Secure Boot setting by adjusting an NVRAM variable.

Lenovo is fixing only the first two. CVE-2022-3432 will not be fixed because the company no longer supports the Ideapad Y700-14ISK, the affected end-of-life laptop model. People using any of the other vulnerable models should install the patches as soon as possible.