Researchers warned Wednesday that more than two dozen Lenovo laptop models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI applications or permanently install a bootloader that compromises the device.
At the same time that ESET researchers disclosed the weaknesses, Lenovo released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that defeat UEFI Secure Boot are serious because they let attackers install malicious firmware that survives repeated reinstallations of the operating system.
Not common, but rare
UEFI, short for Unified Extensible Firmware Interface, is the software that connects a computer’s firmware to its operating system. As the first code that runs when nearly any modern device is powered on, it is the first link in the security chain. Because UEFI resides on a flash chip on the motherboard, infections there are hard to detect and remove: wiping the hard drive and reinstalling the operating system has no lasting effect, because the UEFI infection simply reinfects the computer.
ESET said the vulnerabilities, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, “allow disabling UEFI Secure Boot or restoring factory-default Secure Boot databases (including dbx), all simply from the operating system.” Secure Boot uses signature databases to decide what is allowed and what is denied. In particular, the dbx (forbidden) database stores the cryptographic hashes and certificates of revoked keys and binaries. Disabling Secure Boot or restoring the databases to their factory defaults lets an attacker remove restrictions that would normally be in effect.
“It’s not common to change things in the firmware from the operating system; it’s rather rare,” a researcher specializing in firmware security, who spoke on condition of anonymity, said in an interview. “Most people think that to change settings in the firmware or BIOS you need physical access to go into setup and press the DEL key at boot to do things there. If you can do things from the operating system, that’s great.”
Disabling UEFI Secure Boot lets attackers run malicious UEFI applications, which is normally impossible because Secure Boot requires UEFI applications to carry a valid cryptographic signature. Restoring dbx to its factory defaults, meanwhile, lets attackers load a bootloader that had been revoked because it is vulnerable. In August, researchers from security firm Eclypsium identified three prominent signed bootloaders that an attacker with elevated privileges, such as administrator on Windows or root on Linux, could use to bypass Secure Boot.
The vulnerabilities can be exploited by manipulating variables in NVRAM, the non-volatile RAM in which the firmware stores its settings and boot options. They exist because Lenovo inadvertently shipped laptops with drivers intended only for use during the manufacturing process. The weaknesses are:
- CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo notebooks could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo notebooks, which was mistakenly not deactivated, could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the IdeaPad Y700-14ISK, which was mistakenly not deactivated, could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
Lenovo is patching only the first two. CVE-2022-3432 will not be fixed because the company no longer supports the affected IdeaPad Y700-14ISK. Anyone using one of the other vulnerable models should install the patches as soon as possible.
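The following Python script is an added example, not code from ESET, Lenovo or the article. It covers both the database discussion above (what dbx holds) and the NVRAM-variable discussion (what an attacker changes): it reads the SecureBoot and SetupMode flags, parses the EFI_SIGNATURE_LIST structures that make up dbx, and reports revocation hashes that have disappeared, which is what a rollback to the factory-default database looks like from the OS. The variable blobs and the set of “expected” revocation digests are constructed for the demonstration (an assumption, not real data); on a Linux host the real variables are read from /sys/firmware/efi/efivars/ in exactly this layout (4-byte attribute word, then data). The check does not detect the vulnerable manufacturing drivers themselves, only the Secure Boot state they allow an attacker to produce.

```python
"""Check Secure Boot state and the dbx revocation database from the OS side.

Variables are handled in efivarfs layout (4-byte LE attribute word + data);
db/dbx contain back-to-back EFI_SIGNATURE_LIST structures. All sample blobs
and the "expected revocations" set are constructed for this example."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Signature-type GUID for SHA-256 digest entries (UEFI specification)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Variable attribute bits; db/dbx are meant to be time-based authenticated variables
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")

@dataclass(frozen=True)
class Signature:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # SHA-256 digest for EFI_CERT_SHA256, DER certificate for EFI_CERT_X509

def split_efivarfs(blob: bytes):
    """Return (attributes, data) for a blob in efivarfs file layout."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]

def parse_signature_lists(data: bytes):
    """Walk the EFI_SIGNATURE_LIST structures in db/dbx data, rejecting malformed lengths."""
    sigs, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} cannot hold an owner GUID")
        body = data[off + SIG_LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature body at offset {off} is not a multiple of {sig_size}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            sigs.append(Signature(sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return sigs

def assess(variables: dict, expected_revocations: set):
    """Return findings for a dict of variable name -> efivarfs blob; empty list means healthy."""
    findings = []
    _, secure_boot = split_efivarfs(variables["SecureBoot"])
    _, setup_mode = split_efivarfs(variables["SetupMode"])
    if secure_boot != b"\x01":
        findings.append("SecureBoot=0: unsigned UEFI applications will be executed")
    if setup_mode == b"\x01":
        findings.append("SetupMode=1: PK/KEK/db/dbx can be rewritten without authentication")
    if "dbx" not in variables:
        findings.append("dbx is missing: no bootloader is revoked")
        return findings
    attrs, data = split_efivarfs(variables["dbx"])
    if not attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        findings.append("dbx is not a time-based authenticated variable")
    present = {s.data for s in parse_signature_lists(data) if s.sig_type == EFI_CERT_SHA256_GUID}
    for digest in sorted(expected_revocations - present):
        findings.append(f"dbx lost revocation {digest.hex()[:16]}...: that bootloader would boot again")
    return findings

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (used for the constructed samples)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return SIG_LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, SIG_LIST_HDR.size + len(body), 0, 16 + 32) + body

def efivar(data: bytes, attrs: int):
    return struct.pack("<I", attrs) + data  # efivarfs layout: attributes, then data

# Constructed samples: three digests dbx is expected to revoke, a healthy host, and a host whose
# dbx was rolled back to a shorter "factory" list and whose Secure Boot has been switched off.
REVOKED = {hashlib.sha256(f"constructed revoked bootloader {i}".encode()).digest() for i in range(3)}
DBX_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
             | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
FLAG_ATTRS = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
HEALTHY = {"SecureBoot": efivar(b"\x01", FLAG_ATTRS), "SetupMode": efivar(b"\x00", FLAG_ATTRS),
           "dbx": efivar(build_sha256_list(sorted(REVOKED)), DBX_ATTRS)}
TAMPERED = {"SecureBoot": efivar(b"\x00", FLAG_ATTRS), "SetupMode": efivar(b"\x00", FLAG_ATTRS),
            "dbx": efivar(build_sha256_list(sorted(REVOKED)[:1]), DBX_ATTRS)}

if __name__ == "__main__":
    for name, variables in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        print(name, assess(variables, REVOKED) or ["no findings"])
```

On a real system the expected-revocation set would come from the vendor's or the UEFI Forum's published dbx update rather than from constructed digests, and the same parser works on db and KEK, since they share the EFI_SIGNATURE_LIST format. A dbx that parses cleanly but has shed entries, or a SetupMode flag of 1, is the OS-visible symptom of the database rollback these advisories describe.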