More than two dozen Lenovo laptop models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI applications or load boot loaders that permanently hijack a device, researchers warned Wednesday. .
At the same time that researchers from the security firm ESET revealed vulnerabilitiesthe notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims and IdeaPads. Vulnerabilities that compromise UEFI Secure Boot can be serious because they allow attackers to install malicious firmware that survives multiple OS reinstallations.
Not common, even rare
Short for Unified Extensible Firmware Interface, UEFI is the software that links a computer’s device firmware to its operating system. As the first piece of code to run when virtually any modern machine is turned on, it’s the first link in the security chain. Since UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the operating system have no significant impact as the UEFI infection will simply re-infect the computer afterwards.
ESET said the vulnerabilities – tracked as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432 – “allow UEFI Secure Boot to be disabled or restore default Secure Boot databases (including dbx) : simply from an operating system.” Secure Boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases allows an attacker remove the restrictions that would normally be in place.
“Changing things in operating system firmware is not common, if not rare,” a firmware security researcher, who preferred not to be named, said in an interview. “Most people mean that to change firmware or BIOS settings you need to have physical access to mash the LED button on boot to get into setup and do things there. When you can do some of the things at from the operating system, this is a big problem.
Disabling UEFI Secure Boot allows attackers to run malicious UEFI applications, which is normally not possible because Secure Boot requires UEFI applications to be cryptographically signed. Restoring the default DBX, meanwhile, allows attackers to load vulnerable bootloaders. In August, researchers from the security firm Eclypsium identified three important software drivers which could be used to bypass Secure Boot when an attacker has elevated privileges, i.e. administrator on Windows or root on Linux.
The vulnerabilities can be exploited by altering variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities result from Lenovo mistakenly shipping laptops with drivers intended for use only during the manufacturing process. The vulnerabilities are:
- CVE-2022-3430: A potential vulnerability in the WMI configuration driver on certain consumer Lenovo laptops may allow an elevated-privileged attacker to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3431: Potential vulnerability in a driver used during the manufacturing process on certain consumer Lenovo laptops that was not mistakenly disabled could allow an elevated attacker to modify the Secure Boot setting by modifying an NVRAM variable.
- CVE-2022-3432: Potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was not mistakenly disabled could allow an elevated attacker to modify the secure boot setting by adjusting an NVRAM variable.
Lenovo only patches the first two. CVE-2022-3432 will not be fixed because the company no longer supports the Ideapad Y700-14ISK, the affected end-of-life laptop model. People using any of the other vulnerable models should install the patches as soon as possible.