Hackers can infect more than 100 Lenovo models with unremovable malware. Are you patched?
Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that allow advanced hackers to stealthily install malware that may be nearly impossible to remove or, in some cases, to detect.
Three vulnerabilities affecting more than 1 million laptops could give hackers the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software that runs when virtually any modern machine is turned on, it is the initial link in the security chain. Because UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, reside in UEFI firmware drivers intended for use only during the manufacturing of Lenovo consumer laptops. Lenovo engineers inadvertently included the drivers in the production BIOS images without properly disabling them. Hackers can exploit these buggy drivers to disable protections, including UEFI Secure Boot, BIOS control register bits, and protected range registers, which belong to the Serial Peripheral Interface (SPI) flash protection mechanism and are designed to prevent unauthorized changes to the firmware it stores.
After discovering and analyzing those vulnerabilities, researchers from security firm ESET found a third one, CVE-2021-3970. It allows hackers to run malicious firmware when the machine is put into System Management Mode, a highly privileged operating mode typically used by hardware manufacturers for low-level system management.
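The BIOS control register bits and SPI protected range registers named above are exactly what a defender inspects after applying a firmware update to confirm the flash is actually locked. The Python below is an added example, not code from the article, ESET, or Lenovo. It decodes constructed sample register values and reports whether the BIOS region of the flash is write-protected. The bit layout is an assumption based on the common Intel PCH layout used by firmware-assessment tools: in BIOS_CNTL, BIOSWE is bit 0, BLE bit 1 and SMM_BWP bit 5; in each PRx register, WPE is bit 31, the limit field bits 30:16, RPE bit 15 and the base field bits 14:0, with 4 KiB granularity. Reading the live registers needs a tool with chipset access; every value here is constructed.

```python
"""Decode SPI flash write-protection state from BIOS_CNTL and PR0-PR4 values.

All register values and the BIOS region boundaries below are CONSTRUCTED
samples. The bit layout is assumed from the common Intel PCH layout; check
the datasheet for the specific chipset before trusting a verdict.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BIOS_CNTL bit positions (assumed layout)
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = host writes to the BIOS region allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only while in SMM


@dataclass
class ProtectedRange:
    base: int             # first protected byte address
    limit: int            # last protected byte address (inclusive)
    write_protected: bool
    read_protected: bool


def decode_pr(value: int) -> Optional[ProtectedRange]:
    """Decode one 32-bit PRx register; None if neither protection bit is set."""
    wpe = bool((value >> 31) & 1)
    rpe = bool((value >> 15) & 1)
    if not (wpe or rpe):
        return None
    limit_field = (value >> 16) & 0x7FFF   # address bits 26:12
    base_field = value & 0x7FFF            # address bits 26:12
    base = base_field << 12
    limit = (limit_field << 12) | 0xFFF    # range ends at the last byte of its 4 KiB page
    return ProtectedRange(base, limit, wpe, rpe)


def bios_cntl_locked(bios_cntl: int) -> bool:
    """True when BIOS_CNTL confines flash writes to SMM: BLE=1, SMM_BWP=1, BIOSWE=0."""
    return bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP) and not (bios_cntl & BIOSWE)


def ranges_cover(region: Tuple[int, int], ranges: List[ProtectedRange]) -> bool:
    """True if the union of write-protected ranges covers every byte of region."""
    start, end = region
    pos = start
    for base, limit in sorted((r.base, r.limit) for r in ranges if r.write_protected):
        if base > pos:
            return False          # a gap the protected ranges do not cover
        pos = max(pos, limit + 1)
        if pos > end:
            return True
    return False


def assess(bios_cntl: int, pr_values: List[int], bios_region: Tuple[int, int]) -> str:
    """Summarise whether the BIOS region can be rewritten from the running OS."""
    ranges = [r for r in map(decode_pr, pr_values) if r is not None]
    if bios_cntl_locked(bios_cntl):
        return "PROTECTED: BIOS_CNTL restricts flash writes to SMM"
    if ranges_cover(bios_region, ranges):
        return "PROTECTED: BIOS region fully covered by SPI protected ranges"
    return "EXPOSED: BIOS region writable from the OS"


if __name__ == "__main__":
    # Constructed sample: 8 MiB flash with the BIOS region in the top 2 MiB.
    BIOS_REGION = (0x600000, 0x7FFFFF)
    # Locked: BLE and SMM_BWP set, BIOSWE clear, no PR registers needed.
    print(assess(0x22, [0, 0, 0, 0, 0], BIOS_REGION))
    # BIOS_CNTL open, but PR0 write-protects the whole BIOS region.
    print(assess(0x00, [0x87FF0600, 0, 0, 0, 0], BIOS_REGION))
    # BIOS_CNTL open and PR0 covers only the top 1 MiB: a gap remains.
    print(assess(0x00, [0x87FF0700, 0, 0, 0, 0], BIOS_REGION))
```

The two-stage check mirrors how flash protection is layered: either the control register keeps writes inside SMM, or the protected ranges must cover the BIOS region with no gaps. A vulnerable driver that clears these bits would turn the first two sample readings into the third.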
Trammell Hudson, a security researcher who specializes in firmware hacking, told Ars: “Based on the description, it’s all pretty ‘oh’ attack patterns for advanced enough attackers. Ignoring SPI flash permission is pretty bad.”
He said the severity could be reduced with protections like Boot Guard, which is designed to prevent unauthorized parties from running malware during the boot process. Then again, past researchers have discovered critical vulnerabilities that undermine Boot Guard. They include a trio of bugs discovered by Hudson in 2020 that prevented the protection from working when a computer went to sleep.
Creeping into the mainstream
While still rare, so-called SPI implants are becoming more common. One of the Internet’s biggest threats, a piece of malware known as Trickbot, in 2020 began incorporating drivers into its codebase that allowed people to write firmware to virtually any device. The only two other documented cases of malicious UEFI firmware being used in the wild are LoJax, written by a Russian state-sponsored hacking group known by many names, including Sednit, Fancy Bear, and APT28, and the UEFI malware that security firm Kaspersky detected on the computers of diplomats in Asia.
All three Lenovo vulnerabilities discovered by ESET require local access, meaning an attacker must already have control of the vulnerable machine with unfettered privileges. The bar for that type of access is high and would likely require exploiting one or more other critical vulnerabilities elsewhere, which would already put users at significant risk.
Even so, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes far beyond what is normally possible with conventional malware. Lenovo has published a list of more than 100 affected models.