More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI applications or load bootloaders that persist on the device, researchers warned on Wednesday.
At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that compromise UEFI Secure Boot are particularly dangerous because they let attackers install a malicious implant that survives multiple operating-system reinstallations.
It’s not common, even rare
UEFI is the software that bridges a computer's hardware and its operating system. Since it is the first piece of code that runs when a modern machine is powered on, it is the first link in the security chain. Because UEFI resides in a flash chip on the motherboard, infections there are difficult to detect and remove. Typical remedies such as wiping the hard drive and reinstalling the OS have no useful effect, because malicious UEFI code simply reinfects the computer afterward.
ESET said the vulnerabilities—tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432—“allow disabling UEFI Secure Boot or restoring to factory defaults in Secure Boot databases (including dbx): from normal OS.” Secure Boot relies on allow and deny databases. The dbx database, in particular, stores the cryptographic hashes of denied keys. Disabling those databases or restoring their factory-default contents lets an attacker remove restrictions that would otherwise remain in place.
“Changing things in the firmware from the OS is not common, although it is rare,” a researcher with expertise in firmware security, who asked not to be named, said in an interview. “Most people say that to change settings in the firmware or BIOS you have to physically press the DEL button when it’s about to enter the setup and work there. You can do some things from the OS; that’s a big feature.”
Disabling UEFI Secure Boot lets attackers run malicious UEFI applications, which is otherwise impossible because Secure Boot requires UEFI applications to be signed before they will run at boot. Restoring the factory-default dbx, meanwhile, allows attackers to load vulnerable drivers. In August, researchers from security firm Eclypsium found that three popular software drivers could be used to bypass Secure Boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.
The vulnerabilities can be exploited by manipulating variables in NVRAM, the non-volatile RAM that holds various boot options. They stem from Lenovo mistakenly shipping notebooks with drivers that were intended for use only during the manufacturing process. The vulnerabilities are:
- CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices, which was mistakenly not disabled, could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK, which was mistakenly not disabled, could allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
Lenovo is patching the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the affected end-of-life notebook model. People using any of the other vulnerable models should install the patches.
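The Secure Boot databases and NVRAM variables discussed above can be inspected from the running OS, which is also how a defender can tell whether dbx has been emptied or Secure Boot silently switched off. The following added example is not code from ESET, Lenovo or the article: it parses the EFI_SIGNATURE_LIST format that db/dbx use, reads the SecureBoot/SetupMode flags in the layout Linux efivarfs presents (4 attribute bytes, then the payload; the efivars path and the sample blobs are constructed here so it runs offline), and reports baseline dbx hashes that are missing from the current dbx.

```python
"""Defender-side check of Secure Boot state and the dbx database, read from the OS.
On Linux, efivarfs exposes each variable as a file: 4 bytes of attributes, then the
payload (e.g. /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f)."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HDR = 28  # SignatureType GUID(16) + SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_efivar(blob: bytes):
    """Split an efivarfs file image into (attributes, payload)."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def parse_signature_lists(data: bytes):
    """Yield (type_guid, owner_guid, signature) for every EFI_SIGNATURE_DATA in a db/dbx payload."""
    off = 0
    while off < len(data):
        if len(data) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - HDR - hdr_size
        if body < 0 or sig_size < 16 or body % sig_size or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(off + HDR + hdr_size, off + list_size, sig_size):
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
        off += list_size

def dbx_sha256_hashes(dbx_payload: bytes) -> set:
    """Hex SHA-256 digests the firmware refuses to run: the denied entries the article describes."""
    return {s.hex() for t, _, s in parse_signature_lists(dbx_payload) if t == EFI_CERT_SHA256_GUID}

def secure_boot_enforcing(secureboot_blob: bytes, setupmode_blob: bytes) -> bool:
    """SecureBoot == 1 together with SetupMode == 0 means signature checks are enforced."""
    return parse_efivar(secureboot_blob)[1][:1] == b"\x01" and parse_efivar(setupmode_blob)[1][:1] == b"\x00"

def dbx_regressions(baseline_blob: bytes, current_blob: bytes) -> set:
    """Baseline dbx hashes now missing; a non-empty result means dbx was cleared or reset."""
    return dbx_sha256_hashes(parse_efivar(baseline_blob)[1]) - dbx_sha256_hashes(parse_efivar(current_blob)[1])

# Constructed samples (not real firmware data); attributes 0x27 = NV | BS | RT | TIME_BASED_AUTH.
ATTRS = b"\x27\x00\x00\x00"
_hashes = [bytes([0x11]) * 32, bytes([0x22]) * 32]          # two made-up revoked digests
_body = b"".join(bytes(16) + h for h in _hashes)             # zero SignatureOwner GUID + digest
BASELINE_DBX = ATTRS + EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HDR + len(_body), 0, 48) + _body
CLEARED_DBX = ATTRS  # empty payload: models a dbx that has been wiped
SECUREBOOT_ON, SETUPMODE_OFF = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
```

On a real Linux host, replace the constructed blobs with the contents of the corresponding files under /sys/firmware/efi/efivars and keep a copy of dbx taken right after patching as the baseline.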