[Editor's Note: This article was updated on 4/20/2022 at 12:28pmET with comments from Lenovo]
More than 100 different Lenovo consumer laptop computers, used by millions of people worldwide, contain firmware-level vulnerabilities that give attackers a way to drop malware that can persist on a system even after a hard-drive replacement or operating system re-install.
Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) involve Unified Extensible Firmware Interface (UEFI) drivers that were meant for use only during the manufacturing process but inadvertently ended up being part of the BIOS image that shipped with the computers. The third (CVE-2021-3970) is a memory corruption bug in a function for detecting and logging system errors.
ESET discovered the vulnerabilities and reported them to Lenovo in October 2021. The hardware maker this week released BIOS updates addressing the flaws in all impacted models. However, users will have to install the updates manually unless they have Lenovo's automated tools to assist with the update.
UEFI firmware is responsible for system security and integrity while a computer boots. It contains code and data that the computer implicitly trusts and uses during startup, so any malicious code embedded in the firmware would execute before the operating system loads and before security tools have had a chance to inspect the system for potential threats and vulnerabilities.
In recent years, a handful of malware tools have emerged that were designed to modify UEFI firmware to install malware during the supposedly secure boot-up process. One example is LoJax, a highly persistent firmware-level rootkit that ESET and others observed being deployed as part of a broader malware campaign by Russia's Sednit group. Another example is MoonBounce, a firmware-level malware dropper that researchers from Kaspersky recently observed being used as part of a cyber espionage campaign.
Martin Smolár, malware analyst at ESET, says the two Lenovo drivers that were mistakenly included in the production BIOS without being properly deactivated give attackers a way to deploy similar malware on vulnerable Lenovo consumer devices.
"Exploitation of these vulnerabilities would allow attackers to directly disable crucial system security protections," Smolár says. Attackers with privileged access on a vulnerable system can simply activate the old firmware drivers and use them to turn off protections such as BIOS control register bits, protected range registers, and UEFI Secure Boot that prevent privileged users from making changes to system firmware. As a result, exploitation of these vulnerabilities would allow attackers to flash or modify firmware and execute malicious code, he says.
Meanwhile, CVE-2021-3970, the third vulnerability that ESET researchers discovered, allows arbitrary reads from and writes to System Management RAM (SMRAM), the memory that holds code running with system management privileges. This gives attackers an opportunity to execute code with system management privileges on vulnerable systems, ESET said.
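To make concrete what the "BIOS control register bits" and "protected range registers" mentioned above actually protect, here is an added Python example (not from the article, ESET, or Lenovo) that decodes constructed register values and reports whether the BIOS region of SPI flash is write-locked, in the way firmware-audit tools such as chipsec check it. The BIOS_CNTL and PRx bit layouts used are the standard Intel PCH ones and are an assumption of this example; the register values and BIOS region bounds are constructed.

```python
"""Decode Intel PCH SPI write-protection state (BIOS_CNTL, PRx) from raw values.
Assumed layout (standard PCH layout as documented by chipsec, an assumption of this
example, not from the article): BIOS_CNTL bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP;
PRx bits 12:0 base, bit 15 RPE, bits 28:16 limit, bit 31 WPE (4 KiB flash pages)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5  # BIOS_CNTL bits

@dataclass(frozen=True)
class ProtectedRange:
    base: int            # first protected byte (flash linear address)
    limit: int           # last protected byte, inclusive
    write_protect: bool  # WPE set: writes blocked even while BIOSWE is set

def decode_pr(raw: int) -> Optional[ProtectedRange]:
    """Range a PRx register protects, or None if neither WPE nor RPE is set."""
    if not raw & ((1 << 31) | (1 << 15)):
        return None
    base = (raw & 0x1FFF) << 12
    limit = (((raw >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(raw & (1 << 31)))

def pr_covers(ranges: List[ProtectedRange], start: int, end: int) -> bool:
    """True if the ranges jointly cover every byte of [start, end] with no gap."""
    pos = start
    for r in sorted(ranges, key=lambda r: r.base):
        if r.base > pos:
            break  # uncovered gap before this range
        pos = max(pos, r.limit + 1)
    return pos > end

def bios_region_write_protected(bios_cntl: int, prs: List[int], bios_base: int,
                                bios_limit: int) -> Tuple[bool, List[str]]:
    """Locked if BIOS_CNTL has BLE and SMM_BWP set with BIOSWE clear, or if
    write-protected PRx ranges cover the whole BIOS region. Also returns findings."""
    findings = []
    if not (bios_cntl & BLE):
        findings.append("BLE clear: BIOSWE can be set without triggering an SMI")
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: SPI flash writes are currently enabled")
    if not (bios_cntl & SMM_BWP):
        findings.append("SMM_BWP clear: flash writes are not restricted to SMM")
    cntl_locked = not findings
    wp_ranges = [r for r in map(decode_pr, prs) if r is not None and r.write_protect]
    pr_locked = pr_covers(wp_ranges, bios_base, bios_limit)
    if not pr_locked:
        findings.append("write-protected PRx ranges do not cover the whole BIOS region")
    return cntl_locked or pr_locked, findings
```

On a real machine the raw values would come from the chipset's SPI controller (for example via chipsec's `bios_wp` module), and a result of `False` means exactly the state the article describes: firmware can be flashed from a privileged OS context.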
In an emailed statement, Lenovo thanked ESET for alerting the company about the vulnerabilities. "The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected," the statement said. "Lenovo welcomes collaboration with BIOS researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards."
The company's advisory described the flaws as being of medium severity and enabling privilege escalation for attackers who exploit them. The company said CVE-2021-3970 resulted from insufficient validation in some Lenovo models. Lenovo attributed the other two vulnerabilities to its failure to deactivate and remove drivers that were used in older manufacturing processes.
The advisory also includes instructions on where users with impacted devices can find the appropriate BIOS update and how they should install it.