Lenovo says it has fixed two major vulnerabilities that affect many of its ThinkBook, IdeaPad and Yoga laptops, and is urging users to apply the fix as soon as possible.
The issues, which stem from human error, mean that a cybercriminal could disable UEFI Secure Boot, allowing them to load and execute malicious code during the computer's boot process, before the operating system starts.
Loading malware before the operating system renders most antivirus solutions useless and lets the malware survive even a reinstallation of the operating system.
A human error, not a bug
ESET researchers discovered that Lenovo had mistakenly included an early development driver that contained these flaws and enabled the attacks, so it is not exactly a code bug but rather a human error.
"Affected drivers were intended to be used only during the production process, but were mistakenly included in production," ESET explained in a Twitter thread.
To exploit the vulnerabilities, cybercriminals would have to craft special NVRAM variables, which further supports ESET's conclusion that UEFI firmware developers should not use NVRAM as trusted storage.
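The two points above, that disabling Secure Boot lets unsigned code run before the operating system and that firmware must not treat NVRAM variables as trusted, can both be checked from the operating system side. The script below is an added example, not code from the article, ESET or Lenovo. It assumes the Linux efivarfs layout (a 4-byte little-endian attribute word followed by the variable data) and the attribute bits defined in the UEFI specification; the SAMPLE_EFIVARS records are constructed for the example and are used whenever efivarfs is not present. It reports whether Secure Boot is on and whether the platform is in Setup Mode, and lists every persistent, runtime-accessible variable that carries no authenticated-write attribute, i.e. one a privileged OS process could rewrite unless the firmware locks it.

```python
"""Report the Secure Boot state of a UEFI platform and flag NVRAM variables
that the firmware must not treat as trusted.

Added example, not code from the article, ESET or Lenovo. Records follow the
Linux efivarfs format (4-byte little-endian attributes, then the data); the
SAMPLE_EFIVARS dictionary below is constructed for this example.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from pathlib import Path

EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # Linux view of UEFI NVRAM

# Variable attribute bits from the UEFI specification (SetVariable()).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
AUTHENTICATED_WRITE = (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
                       | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)


@dataclass
class EfiVar:
    name: str
    attributes: int
    data: bytes

    def os_writable_persistent(self) -> bool:
        """Persistent, reachable after the OS boots, and not write-authenticated:
        a privileged OS process can rewrite such a variable unless the firmware
        locks it, so firmware logic must never rely on its contents."""
        nv = bool(self.attributes & EFI_VARIABLE_NON_VOLATILE)
        rt = bool(self.attributes & EFI_VARIABLE_RUNTIME_ACCESS)
        authed = bool(self.attributes & AUTHENTICATED_WRITE)
        return nv and rt and not authed


def parse_efivarfs_blob(name: str, blob: bytes) -> EfiVar:
    """Split an efivarfs record into its attribute word and payload."""
    if len(blob) < 4:
        raise ValueError(f"{name}: efivarfs record too short ({len(blob)} bytes)")
    (attributes,) = struct.unpack("<I", blob[:4])
    return EfiVar(name, attributes, blob[4:])


def assess(variables: dict[str, EfiVar]) -> dict:
    """Derive Secure Boot / Setup Mode state and list variables not to be trusted."""
    findings: list[str] = []
    sb = variables.get("SecureBoot")
    sm = variables.get("SetupMode")
    secure_boot_on = sb is not None and sb.data[:1] == b"\x01"
    setup_mode = sm is not None and sm.data[:1] == b"\x01"
    if sb is None:
        findings.append("SecureBoot variable missing: platform may not support Secure Boot")
    elif not secure_boot_on:
        findings.append("Secure Boot is disabled: unsigned code would run before the OS")
    if setup_mode:
        findings.append("platform is in Setup Mode: key databases can be rewritten unauthenticated")
    for var in variables.values():
        if var.name in ("SecureBoot", "SetupMode"):
            continue  # read-only status variables maintained by the firmware itself
        if var.os_writable_persistent():
            findings.append(f"{var.name}: persistent and OS-writable without "
                            "authenticated write; firmware must not treat it as trusted")
    return {"secure_boot": secure_boot_on, "setup_mode": setup_mode, "findings": findings}


def assess_blobs(blobs: dict[str, bytes]) -> dict:
    """Convenience wrapper: raw efivarfs records in, assessment out."""
    return assess({name: parse_efivarfs_blob(name, blob) for name, blob in blobs.items()})


def read_live_variables() -> dict[str, bytes]:
    """Collect raw efivarfs records from the running Linux system (empty if absent).
    Keyed by variable name only; same-named variables under different GUIDs overwrite."""
    blobs: dict[str, bytes] = {}
    if EFIVARS_DIR.is_dir():
        for path in EFIVARS_DIR.iterdir():
            if len(path.name) > 37:  # "<Name>-<GUID>", the GUID is 36 characters
                try:
                    blobs[path.name[:-37]] = path.read_bytes()
                except OSError:
                    pass  # some variables refuse reads; skip them
    return blobs


# Constructed sample records (attributes as a little-endian uint32, then data).
SAMPLE_EFIVARS = {
    "SecureBoot": struct.pack("<I", 0x06) + b"\x01",              # BS|RT, enabled
    "SetupMode":  struct.pack("<I", 0x06) + b"\x00",              # BS|RT, user mode
    "BootOrder":  struct.pack("<I", 0x07) + b"\x00\x00\x01\x00",  # NV|BS|RT, unauthenticated
    "db":         struct.pack("<I", 0x27) + b"\x00" * 8,          # NV|BS|RT|time-based auth
}

if __name__ == "__main__":
    live = read_live_variables()
    report = assess_blobs(live if live else SAMPLE_EFIVARS)
    print("Secure Boot:", "on" if report["secure_boot"] else "OFF",
          "| Setup Mode:", "YES" if report["setup_mode"] else "no")
    for finding in report["findings"]:
        print(" -", finding)
```

On the constructed sample the script reports Secure Boot on, Setup Mode off, and flags only BootOrder, which is the expected result: BootOrder is legitimately OS-writable, and the finding means "do not base a security decision on it", not "this is a vulnerability". The signature databases (db, KEK, PK) pass because writes to them require a time-based authenticated payload.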
The two vulnerabilities in question are tracked as CVE-2022-3430 and CVE-2022-3431. The media also mentioned a third, similar vulnerability, tracked as CVE-2022-3432, but it affects only one Lenovo model, the Ideapad Y700-14ISK. Because that device has already reached end-of-life, Lenovo has said it will not release a fix.
Users who believe they may be affected by the above defects should consult Lenovo's security bulletin and check whether their model is listed; the firmware releases that fix these flaws are listed under the CVE IDs.
This is not the first time Lenovo users have had to update their firmware to protect against boot hijacking.
In July 2021, three major vulnerabilities were discovered and patched in multiple Lenovo laptops. At that time, ESET researchers found a flaw in the ReadyBootDxe driver used by some Lenovo notebooks, as well as two buffer overflows in the SystemLoadDefaultDxe driver, which could allow cybercriminals to hijack the boot routine of the Windows installation.
Those flaws affected all of Lenovo's Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540 and S940 lines, more than 70 models in total.
Those vulnerabilities were tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892.
Source: BleepingComputer