Researchers warned Wednesday that more than two dozen Lenovo laptop models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI applications or load bootloaders that permanently backdoor the device.
The disclosure by researchers from the security company ESET coincided with the laptop maker's release of security updates for 25 models, including ThinkPads, Yoga Slims and IdeaPads. Vulnerabilities that undermine UEFI Secure Boot can be dangerous because they allow attackers to plant malicious firmware that survives multiple OS reinstalls.
Not common, but rare
Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's firmware and its operating system. It runs before the OS on any modern machine, so it is the first link in the security chain. Because UEFI resides in a flash chip on the motherboard, infections there are difficult to detect and remove. Routine measures such as wiping the hard drive and reinstalling the operating system have no appreciable effect, because the UEFI infection simply re-infects the system afterward.
The vulnerabilities, which ESET tracks as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432, "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (from dbx to all of them)" from within the operating system. Secure Boot relies on allow and deny databases. The dbx database in particular stores the cryptographic hashes of revoked keys and binaries. Disabling these databases or resetting them to their default values lets an attacker remove controls that would otherwise be in place.
"Changing things from the operating system to the firmware is not common, but rather rare," a researcher specializing in firmware security, who asked not to be named, said in an interview. "For most people, to change settings in the firmware or BIOS, that means you have to have physical access to hit the DEL key on boot to get into the system and do things there. When you can do certain things from the operating system, that's a big deal."
Disabling UEFI Secure Boot frees attackers to execute malicious UEFI applications, which is normally impossible because Secure Boot requires UEFI applications to be cryptographically signed. Meanwhile, restoring the factory default dbx allows attackers to load a vulnerable bootloader. In August, researchers from the security company Eclypsium identified three bootloaders that can be used to bypass Secure Boot when an attacker has elevated privileges, such as administrator on Windows or root on Linux.
The vulnerabilities can be exploited by tampering with variables in non-volatile random access memory, or NVRAM, which stores various boot options. They stem from Lenovo accidentally shipping laptops with drivers that were meant to be used only during the manufacturing process. Their impact:
- CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo notebook devices may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the IdeaPad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by modifying an NVRAM variable.
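The two conditions described above, Secure Boot switched off via an NVRAM variable and dbx reset to an empty factory state, are both visible from the OS by reading the corresponding UEFI variables. The following script is an added example, not code from the article, ESET or Lenovo. It assumes the Linux efivarfs layout, where each variable file begins with a 4-byte little-endian attributes word followed by the variable data, and it parses dbx according to the EFI_SIGNATURE_LIST structure from the UEFI specification. The sample blobs at the bottom are constructed for the offline run; on a real machine the script reads the live variables instead.

```python
import hashlib
import os
import struct
import uuid

# GUIDs from the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = "/sys/firmware/efi/efivars"


def parse_efivar_blob(blob: bytes):
    """Split an efivarfs-style blob into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("blob too short for the 4-byte attributes header")
    attrs = struct.unpack_from("<I", blob, 0)[0]
    return attrs, blob[4:]


def secure_boot_state(secureboot_blob: bytes, setupmode_blob: bytes) -> dict:
    """SecureBoot and SetupMode are single-byte variables: 1 means on."""
    _, sb = parse_efivar_blob(secureboot_blob)
    _, sm = parse_efivar_blob(setupmode_blob)
    return {"secure_boot_enabled": sb[:1] == b"\x01",
            "setup_mode": sm[:1] == b"\x01"}


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Layout: SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32
            | SignatureSize u32 | header | N x (SignatureOwner GUID (16) + SignatureData)
    Returns a list of (type_guid, [signature_data, ...]).
    """
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body, end, sigs = off + 28 + hdr_size, off + list_size, []
        while body + sig_size <= end:
            sigs.append(data[body + 16:body + sig_size])  # skip SignatureOwner
            body += sig_size
        lists.append((type_guid, sigs))
        off = end
    return lists


def count_dbx_sha256(dbx_blob: bytes) -> int:
    """Number of SHA-256 revocation entries in a dbx variable blob."""
    _, data = parse_efivar_blob(dbx_blob)
    return sum(len(s) for g, s in parse_signature_lists(data) if g == EFI_CERT_SHA256_GUID)


def assess(secureboot_blob: bytes, setupmode_blob: bytes, dbx_blob: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    state = secure_boot_state(secureboot_blob, setupmode_blob)
    if not state["secure_boot_enabled"]:
        findings.append("Secure Boot is disabled")
    if state["setup_mode"]:
        findings.append("firmware is in Setup Mode (no Platform Key enrolled)")
    if count_dbx_sha256(dbx_blob) == 0:
        findings.append("dbx holds no SHA-256 revocations (empty or reset to factory state)")
    return findings


def build_sha256_list(hashes) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used for constructed samples)."""
    sig_size = 16 + 32
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(hashes) * sig_size, 0, sig_size)
    owner = uuid.UUID(int=0).bytes_le
    return out + b"".join(owner + h for h in hashes)


# Constructed sample blobs (attributes word + data); not captured from real hardware.
SAMPLE_SECUREBOOT_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SECUREBOOT_OFF = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_SETUPMODE_OFF = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_list(
    [hashlib.sha256(b"constructed-entry-%d" % i).digest() for i in range(3)])
SAMPLE_DBX_EMPTY = struct.pack("<I", 0x27)


def read_live(name: str, guid: str) -> bytes:
    with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as f:
        return f.read()


if __name__ == "__main__":
    if os.path.isdir(EFIVARS):
        result = assess(read_live("SecureBoot", EFI_GLOBAL_VARIABLE),
                        read_live("SetupMode", EFI_GLOBAL_VARIABLE),
                        read_live("dbx", EFI_IMAGE_SECURITY_DATABASE))
    else:
        result = assess(SAMPLE_SECUREBOOT_OFF, SAMPLE_SETUPMODE_OFF, SAMPLE_DBX_EMPTY)
    print("findings:", result or "none")
```

Reading efivarfs requires root on most distributions; the script falls back to the constructed samples when the directory is absent, so it can be exercised on a non-UEFI host. A non-empty dbx is only a sanity check, not proof that the machine's dbx matches the vendor's current revocation list.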
Lenovo is patching only the first two. CVE-2022-3432 will not be fixed because the company no longer supports the IdeaPad Y700-14ISK, the affected end-of-life laptop model. People using the other vulnerable models should install the patches as soon as possible.