More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned Wednesday.
At the same time that researchers from the security company ESET announced the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims and IdeaPads. Vulnerabilities that subvert UEFI Secure Boot can be serious because they allow attackers to install malicious firmware that survives multiple operating system reinstallations.
Not common, even rare
UEFI, short for Unified Extensible Firmware Interface, is the software that connects a computer’s device firmware to its operating system. As the first piece of code to execute when virtually every modern machine is powered on, it is the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical remedies such as wiping the hard drive and reinstalling the operating system have little effect, because the infected UEFI simply reinfects the computer afterward.
ESET said the vulnerabilities – tracked as CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432 – “allow disabling UEFI Secure Boot or restoring the factory default Secure Boot databases (incl. dbx): all easily from an operating system.” Secure Boot relies on allow and deny databases to decide what may run. In particular, the DBX database stores cryptographic hashes of denied keys. Disabling Secure Boot or restoring the databases to their default values lets an attacker remove restrictions that would normally be in place.
“Changes in operating system firmware are not common, even rare,” said a researcher specializing in firmware security, who preferred not to be named, in an interview. “Most people think that to change settings in firmware or BIOS you need physical access to press the DEL key at boot to enter setup and do things there. If you can do some of the things from the operating system, that’s a big deal.”
Disabling UEFI Secure Boot gives attackers the ability to run malicious UEFI apps, which is normally not possible because Secure Boot requires UEFI apps to be cryptographically signed. Restoring the factory default DBX allows attackers to load vulnerable bootloaders. In August, researchers from the security company Eclypsium identified three prominent signed bootloaders that could be used to bypass Secure Boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.
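The two conditions the article describes, Secure Boot being switched off and the DBX revocation list being reset to a factory default, can both be checked from the operating system. The following is an added defender-side example, not code from the article, ESET, Lenovo or Eclypsium: it parses the EFI_SIGNATURE_LIST format that db/dbx use, checks whether a given bootloader hash is still revoked, and reads the live SecureBoot and dbx variables from Linux efivarfs (the variable GUIDs are the standard ones from the UEFI specification; `check_live_system` assumes root and a mounted efivarfs, and the digests you pass it are your own baseline of expected revocations).

```python
import struct
import uuid

# Signature-type GUID for SHA-256 hash entries, from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs paths on Linux: variable name plus the spec-defined vendor GUID.
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DBX_VAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIG_LIST_HDR = 28  # EFI_GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off + SIG_LIST_HDR <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HDR or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + SIG_LIST_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Encode SHA-256 digests as one EFI_CERT_SHA256 list (used here to build constructed test data)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    hdr = struct.pack("<III", SIG_LIST_HDR + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + hdr + body

def dbx_denies_hash(dbx_data: bytes, digest: bytes) -> bool:
    """True if a revoked image's SHA-256 (Authenticode hash of the PE file) is still present in dbx."""
    return any(t == EFI_CERT_SHA256_GUID and p == digest
               for t, _, p in parse_signature_lists(dbx_data))

def secure_boot_enabled(efivar_bytes: bytes) -> bool:
    """efivarfs prefixes 4 attribute bytes; the SecureBoot variable itself is one byte (1 = on)."""
    return len(efivar_bytes) >= 5 and efivar_bytes[4] == 1

def check_live_system(expected_digests):
    """Read efivarfs and report drift: Secure Boot off, or expected dbx revocations missing."""
    with open(SECUREBOOT_VAR, "rb") as f:
        sb_on = secure_boot_enabled(f.read())
    with open(DBX_VAR, "rb") as f:
        dbx = f.read()[4:]  # strip the efivarfs attribute prefix
    missing = [d.hex() for d in expected_digests if not dbx_denies_hash(dbx, d)]
    return {"secure_boot": sb_on, "missing_dbx_entries": missing}
```

A factory reset of dbx shows up as `missing_dbx_entries` listing every revocation that was added after the firmware shipped, and `secure_boot: False` is the first condition the article's attack chain needs.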
The vulnerabilities can be exploited by manipulating variables in NVRAM, the non-volatile RAM that stores various boot options. They stem from Lenovo mistakenly shipping notebooks with drivers that were only intended for use during the manufacturing process. The vulnerabilities are:
- CVE-2022-3430: A potential vulnerability in the WMI setup driver on some Lenovo notebook consumer devices could allow an elevated attacker to change secure boot settings by modifying an NVRAM variable.
- CVE-2022-3431: A potential vulnerability in a driver used on some Lenovo consumer notebook computers during the manufacturing process, which was mistakenly not disabled, could allow an elevated attacker to modify secure boot settings by modifying an NVRAM variable.
- CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not disabled could allow an elevated attacker to modify the secure boot setting by modifying an NVRAM variable.
Lenovo has patched only the first two. CVE-2022-3432 is not patched because the company no longer supports the affected end-of-life Ideapad Y700-14ISK notebook model. People using any of the other vulnerable models should install the patches as soon as possible.