UEFI Firmware Driver bugs affect over 100 Lenovo laptop Models (22nd April 2022)

Ref# AL2022_25 | Date: Apr 22nd 2022

Description  

Three high-impact UEFI security vulnerabilities have been discovered in multiple Lenovo consumer laptop models, allowing malicious actors to deploy and execute firmware implants on the afflicted devices. 

Summary  

The CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 vulnerabilities concern firmware drivers that were intended to be utilized solely during the manufacturing of Lenovo consumer notebooks, but they were mistakenly included also in the production BIOS images without being properly deactivated. 

How it Works 

The first of the three vulnerabilities could allow a local attacker to run arbitrary code with elevated privileges, while the others could allow an attacker to disable the protection for the SPI flash memory chip where the UEFI firmware is stored, as well as turn off the UEFI Secure Boot feature, which ensures that the system only loads code trusted by the Original Equipment Manufacturer at boot time (OEM). Due to these vulnerabilities an attacker will have the ability to effectively install persistent malware that can survive system reboots. 

To see a list of products affected by these vulnerabilities you can follow this URL: 

https://support.lenovo.com/gy/en/product_security/len-73440#Lenovo%20Notebook  

Remediation 

In order to mitigate these vulnerabilities users are asked to update their firmware at the following link:  

https://support.lenovo.com/gy/en/product_security/len-73440  

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary. 

PDF Download: Lenovo UEFI Firmware Driver bugs.pdf

References