Millions of Lenovo devices affected by BIOS vulnerability

Martin Brinkmann
Apr 20, 2022
Security
|
12

Millions of Lenovo notebooks are affected by a serious BIOS vulnerability. Lenovo informed its customers about the vulnerability on its support website this week. The company released firmware updates for some of the affected devices already and plans to release the remaining updates in early May.

Lenovo reveals on the website that several of its notebook devices are affected by three different vulnerabilities -- CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 -- that could allow attackers with elevated privileges to execute arbitrary code or disable SPI flash protections during the operating system runtime.

ESET, the security company that discovered the vulnerabilities and reported them to Lenovo, discovered that two of the vulnerabilities affect UEFI firmware drivers that were meant only for use in the manufacturing process. It appears that Lenovo did not deactivate these properly in production devices.

ADVERTISEMENT

Affected devices and firmware fixes

Lenovo bios update

The vulnerabilities affect several Lenovo device families, including Lenovo IdeaPad 3, Flex 3, L340, Legion 5 and 7, Legion Y540, S14, S145, S540, Slim 7 and 9, V14 and V15, and Yoga Slim 7 devices. The full list of affected devices is available on the Lenovo support website.

Lenovo released updated firmware versions for some of the affected products. For others, it aims to deliver firmware updates on May 10, 2022. Devices that have reached end of servicing won't receive firmware updates.

Some devices are not affected by all three of the vulnerabilities, but most are affected by all three of the confirmed vulnerabilities. Updated firmware drivers are provided by Lenovo; customers need to click on the device's support link on the Lenovo website to open the driver website.

There, they need to select BIOS/UEFI to display the available firmware updates to download the update. The support page, that lists the vulnerabilities, lists the firmware versions that contain the security fixes.

The updates can be installed directly from the Windows operating system by running the downloaded executable file. A readme file is available for each firmware file, that provides instructions on installing the update on the device.

Customers may also visit the main Lenovo support website to look up updates for their devices this way.

Analysis of the vulnerabilities in Lenovo notebooks

Security company ESET reported the vulnerabilities to Lenovo in October 2021. Lenovo confirmed the vulnerabilities in November 2021 and requested a postponing of the public disclosure date to April 2022. Lenovo published the security advisory on April 18 and ESET its findings and details a day later.

The vulnerability CVE-2021-3971 can be exploited to disable SPI protections on Lenovo devices. UEFI firmware is usually stored on the in an embedded flash memory chip on the computer's motherboard. It is connected to the processor via the Serial Peripheral Interface (SPI).

The memory is independent of the operating system, which means that it remains even if the operating system is reinstalled or another system is installed. An administrator could erase a device's hard drive, install another operating system, and the memory would not be changed by the procure. Since it is non-volatile, it is a high-level target for threat actors.

Malwares such as LOJAX, the first UEFI rootkit found in the wild, MosaicRegressor, or MoonBounce, targeted the memory in attacks.

Manufacturers created several security mechanisms to protect the SPI flash against unauthorized modifications. The primary line of defense is "provided by the special memory-mapped configuration registers exposed by the chipset itself – the BIOS Control Register and five Protected Range registers".

CVE-2021-3971 may be exploited by creating the NVRAM variable. Successful exploitation disables SPI flash write protections. With the variable set, the platform's firmware will skip the execution of code that is "responsible for the setting up BIOS Control Register and Protected Range register-based SPI flash protections".

The attacked system allows SPI flash to be modified, even when executed from non-SMM code, resulting in attackers being able to write malicious code directly to the firmware storage. SMM, System Management Mode, is used for various tasks, including the secure updating of a device's firmware or the execution of proprietary code by OEMs.

ESET notes that any Windows administrator, with the SE_SYSTEM_ENVIRONMENT_NAME privilege, may exploit the vulnerability using the "Windows API function SetFirmwareEnvironmentVariable".

The vulnerability CVE-2021-3972 gives attackers control over several UEFI firmware settings. Among them are the UEFI Secure Boot state or the ability to restore factory settings. Attackers may exploit the security issue for various tasks, including the disabling of Secure Boot on the device.

Secure Boot is part of the UEFI specification. Its main purpose is to verify boot component integrity to ensure that components are allowed to be executed. Secure boot uses databases to determine the trusted components. Usually, third-party UEFI drivers, applications and OPROMS are being verified, while the drivers on the SPI flash "are implicitly considered trusted".

The disabling of Secure Boot, and thus the disabling of its component verification process, allows any component, including those that are untrusted or malicious, to be loaded during boot. Resetting the UEFI firmware to factory defaults may have severe consequences as well, especially if it would lead to the loading of components with known security vulnerabilities.

An attacker needs to set a UEFI variable on unpatched Lenovo devices to exploit the vulnerability. A Windows administrator account with the SE_SYSTEM_ENVIRONMENT_NAME privilege is required to carry out the attack during runtime of the operating system.

The third vulnerability, CVE-2021-3970, was discovered by ESET during the company's investigation of the two other vulnerabilities. The vulnerability allows arbitrary read and write operations from and into SMRAM; this may lead to the "execution of malicious code with SMM privileges" and potentially to the "deployment of an SPI flash implant".

Closing Words

Lenovo published a security advisory, that describes the three vulnerabilities and the affected devices, and firmware updates for most affected devices. Customers are encouraged to update the device firmware immediately to protect the device against attacks targeting the vulnerabilities.

Some devices will receive the firmware update on May 10, 2022. These remain vulnerable until at least that date. Customers may want to check the support page again on the date to download and install the update on their devices.

Several Lenovo devices won't receive firmware updates. ESET recommends using a "TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes".

Summary
Millions of Lenovo devices affected by BIOS vulnerability
Article Name
Millions of Lenovo devices affected by BIOS vulnerability
Description
Millions of Lenovo notebooks are affected by a serious BIOS vulnerability. Lenovo informed its customers about the vulnerability on its support website this week.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Andy Prough said on April 20, 2022 at 6:43 pm
    Reply

    “Secure Boot”, what a joke. Soon they’ll roll out “Super Duper Double Secret Secure Boot”, and charge the sheeple an extra $100 each to keep them safe from all the evil l33t haxxors.

    1. ilev said on April 20, 2022 at 7:14 pm
      Reply

      Microsoft already has a new super-duper Double Secret Secure Boot chip called : Pluton processor which it will force OEMs to use.

      https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/

      1. :-) said on April 20, 2022 at 9:14 pm
        Reply

        Not only that but AMD will have it in their next CPU gen. Intel will also in 14XXX series afaik. Soon, no one will be safe from cloud based firmware updates with 0 user interaction.
        5G connectivity will also boost this on mobile devices and everything else in your smart home in the future. You heard it here first!

      2. Uwe said on April 20, 2022 at 10:13 pm
        Reply

        Intel will integrate Pluton in the 14th generation already? So, they will skip it in Raptor Lake yet and postpone it for another year? Fall 2023?

      3. Genisis said on April 21, 2022 at 3:57 pm
        Reply

        Probably, and then 50% of the now “computer meets requirements” for Windows 11 will not meet the requirements for Win 11 or Win 12.

      4. Yuliya said on April 20, 2022 at 11:38 pm
        Reply

        >cloud based firmware updates
        I think Microsoft Surface lineup is already part of the devices capable of doing that, at least Microsoft states so, yet I’ve never seen it on my SP7. The only way to update its firmware is to download the latest driver pack from Microsoft, install it, then restart. It should update the firmware on the next boot, but I’ve never seen it doing this on its own via WU, and I even ran W11 on it for a few months. I honestly thinnk it’s too risky, people will just force shut down the device and may brick it.

  2. John G. said on April 20, 2022 at 6:46 pm
    Reply

    The BIOS is a very important or even the most important piece of the hardware. I dislike so much the way that the companies inform the users about the BIOS updates and also I dislike a lot the lack of criteria to set the updates in a right way to be understandable. For example, HP offers its BIOS updates with not too much sense, and the last days version F.61-rev.A was available, while today only version F.54-rev.A is available. Where is the version F61? I updated to F61 and now I am thinking where is the the problem that made HP to delete the latest version. However, after reading the article, Lenovo seems to have more sense to publish their updates. Thanks for the article! :]

  3. Coriy said on April 21, 2022 at 3:17 am
    Reply

    I have a Lenovo Laptop and it’s on the list of vulnerable computers. But since my laptop is out of warranty, they didn’t bother to inform me via email and the Lenovo software also kept silent. But a manual search turned showed the BIOS update and it installed no problems. As to another chip that MS requires, all I have to add is when will the governments of the world stop allowing the Big Five from having that much sway over the hardware?

  4. Lost said on April 21, 2022 at 12:27 pm
    Reply

    serial nuber ideapad 3-15IILO5
    my lenovo not turn on how to upgrade or flash the bios
    does not start on any system crashes on the lenovo logo even with live systems on a usb key I have already set the default bios settings remove and put back the RAM even change ram my lenovo not turn on how to upgrade or flash the bios
    with the boot on a key one for example is this possible

  5. John said on April 21, 2022 at 5:50 pm
    Reply

    All I wanted was the ability to physically write-protect the firmware on my motherboard in order to prevent it from being replaced by an attacker in the event that I happen to run a malicious program. Instead, the industry has made the boot process so overly complicated that you can now play Doom right in UEFI without even loading an OS.

    https://doomwiki.org/wiki/Doom_UEFI

    It’s like, I ask for a door lock that actually works, and in response, they just make a more complicated door that still can’t be locked correctly.

  6. dungeon master said on April 22, 2022 at 3:41 am
    Reply

    Martin,

    Thanks for posting this incredibly useful and informative story.

  7. James said on May 19, 2022 at 2:11 am
    Reply

    Is this why I have a trolley full of Lenovo laptops that just constantly restart pending a firmware update that never installs?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.