Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?

Enlarge / This is the 14-inch variant of the Yoga Slim 9i, with leather finish.

Lenovo

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.

Oh, no

Two of the vulnerabilities—tracked as CVE-2021-3971 and CVE-2021-3972—reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without being properly deactivated. Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range register, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs.

After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.

“Based on the description, those are all pretty ‘oh no’ sorts of attacks for sufficiently advanced attackers,” Trammel Hudson, a security researcher specializing in firmware hacks, told Ars. “Bypassing SPI flash permissions is pretty bad.”

He said the severity may be lessened by protections such as BootGuard, which is designed to prevent unauthorized people from running malicious firmware during the boot process. Then again, researchers in the past have uncovered critical vulnerabilities that subvert BootGuard. They include a trio of flaws discovered by Hudson in 2020 that prevented the protection from working when a computer came out of sleep mode.

Creeping into the mainstream

While still rare, so-called SPI implants are growing more common. One of the Internet’s biggest threats—a piece of malware known as Trickbot—in 2020 began incorporating a driver into its code base that allows people to write firmware into virtually any device.
The only two other documented cases of malicious UEFI firmware being used in the wild are LoJax, which was written by the Russian state hacker group known under multiple names, including Sednit, Fancy Bear, or APT 28. The second instance was UEFI malware that security firm Kaspersky discovered on diplomatic figures’ computers in Asia.

All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.

Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what’s normally possible with more conventional malware. Lenovo has a list here of more than 100 models that are affected.