Lenovo has fixed two critical vulnerabilities affecting various laptop models that could allow attackers to disable UEFI Secure Boot.
Lenovo has released security updates to address several critical vulnerabilities affecting various ThinkBook, IdeaPad and Yoga laptop models. An attacker could exploit these vulnerabilities to disable UEFI Secure Boot.
Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 specification designed to detect tampering with bootloaders, critical operating system files, and unauthorized option ROMs by verifying their digital signatures. “Detections are blocked from running before they can attack or infect the system.”
An attacker who is able to bypass Secure Boot can bypass any security measures running on the machine and achieve persistence, even across reinstalls of the operating system.
The root cause of these flaws is that drivers used during the manufacturing process of some Lenovo devices were erroneously left enabled in shipped firmware.
The following vulnerabilities were reported in Lenovo notebook BIOS:
- CVE-2022-3430: A potential vulnerability exists in the WMI settings driver on some consumer Lenovo notebook devices that could allow an attacker with elevated privileges to modify Secure Boot settings by modifying NVRAM variables.
- CVE-2022-3431: A potential vulnerability in the driver used in the manufacturing process of some consumer Lenovo notebook devices was erroneously not disabled, potentially allowing an attacker with elevated privileges to modify Secure Boot settings by modifying NVRAM variables.
- CVE-2022-3432: A potential vulnerability exists in the driver used in the manufacturing process of the Ideapad Y700-14ISK that was erroneously not disabled, which could allow an attacker with elevated privileges to modify Secure Boot settings by modifying NVRAM variables.
ESET’s Martin Smolár reported the vulnerabilities to the vendor.
“While disabling UEFI Secure Boot allows direct execution of unsigned UEFI applications, restoring the factory default dbx allows the use of known vulnerable bootloaders (for example, #CVE-2022-34301, discovered by @eclypsium) to bypass Secure Boot while it remains enabled,” reads one of the tweets published by ESET.
Experts point out that an attacker could trigger the vulnerability simply by creating a specially crafted NVRAM variable. Researcher Nikolaj Schlej recently published a good explanation of why and how firmware developers should avoid storing security-sensitive settings in NVRAM variables.
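The flaws above all come down to Secure Boot state living in NVRAM variables that something other than the firmware can write. A defender's first check on a fleet is therefore whether the platform is actually enforcing Secure Boot, and whether the variables that report it look the way the UEFI specification says they should. The script below is an added example, not code from the article, Lenovo or ESET; it assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars, and otherwise relies only on standard UEFI facts: SecureBoot and SetupMode are one-byte variables under the EFI_GLOBAL_VARIABLE GUID, and each efivarfs file starts with a 4-byte little-endian attribute mask followed by the variable data. The sample variable images embedded at the bottom are constructed for offline use, not captured from any real device.

```python
#!/usr/bin/env python3
"""Report UEFI Secure Boot enforcement state from Linux efivarfs.

Added example (not from the article, Lenovo or ESET). Assumes a Linux host
with efivarfs at /sys/firmware/efi/efivars; everything else is standard UEFI.
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# EFI_VARIABLE_* attribute bits from the UEFI specification.
NON_VOLATILE = 0x1
BOOTSERVICE_ACCESS = 0x2
RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file image into (attribute mask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def one_byte_flag(data: bytes) -> int:
    """SecureBoot and SetupMode carry exactly one byte whose value is 0 or 1."""
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected flag encoding: {data.hex()}")
    return data[0]


def assess(secure_boot_raw: bytes, setup_mode_raw: bytes) -> Dict[str, object]:
    """Interpret raw SecureBoot/SetupMode images and return a verdict plus findings.

    Enforcement requires SecureBoot == 1 and SetupMode == 0: in setup mode the
    firmware accepts new keys without authentication, so signatures prove little.
    The spec defines both variables as volatile (BS+RT only); a NON_VOLATILE bit
    means the value is persisted in NVRAM rather than computed by firmware at
    boot, which is exactly the kind of runtime-writable state the Lenovo
    advisories are about.
    """
    sb_attrs, sb_data = parse_efivar(secure_boot_raw)
    sm_attrs, sm_data = parse_efivar(setup_mode_raw)
    secure_boot = one_byte_flag(sb_data)
    setup_mode = one_byte_flag(sm_data)

    findings = []
    if secure_boot != 1:
        findings.append("SecureBoot variable reports disabled")
    if setup_mode != 0:
        findings.append("platform is in setup mode (key enrollment is unauthenticated)")
    for name, attrs in (("SecureBoot", sb_attrs), ("SetupMode", sm_attrs)):
        if attrs & NON_VOLATILE:
            findings.append(f"{name} is NON_VOLATILE; expected a volatile, firmware-computed value")
        if not attrs & RUNTIME_ACCESS:
            findings.append(f"{name} lacks RUNTIME_ACCESS; the OS could not normally read it")

    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforced": secure_boot == 1 and setup_mode == 0,
        "findings": findings,
    }


def read_host() -> Optional[Dict[str, object]]:
    """Read the live variables; None when not running on a UEFI Linux host."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb.exists() and sm.exists()):
        return None
    return assess(sb.read_bytes(), sm.read_bytes())


# Constructed sample images (not captured from any real device) for offline runs.
_BS_RT = struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
SAMPLE_ENFORCED = (_BS_RT + b"\x01", _BS_RT + b"\x00")   # SecureBoot=1, SetupMode=0
SAMPLE_DISABLED = (_BS_RT + b"\x00", _BS_RT + b"\x00")   # SecureBoot=0, SetupMode=0


if __name__ == "__main__":
    result = read_host()
    if result is None:
        print("no efivarfs; showing constructed sample instead")
        result = assess(*SAMPLE_ENFORCED)
    print(result)
```

Run it as root on a Linux machine with efivarfs; on anything else it falls back to the constructed sample so the logic can still be exercised. An "enforced" verdict with non-empty findings deserves follow-up: the value says Secure Boot is on, but the way it is stored does not match what the firmware itself should produce.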
Owners of affected devices are strongly advised to update to the latest firmware version. Consult the Lenovo advisory to determine whether a device is affected by these vulnerabilities and to find firmware update instructions.
The firmware version that fixes each vulnerability is listed under its CVE ID, so make sure to upgrade to that version or later.
To obtain official Lenovo firmware, check the online support portal or run the update tool preinstalled on your computer.
(SecurityAffairs – hacking, Secure Boot)