Researchers find Lenovo UEFI flaw that affects millions

According to a news report by The Hacker News, three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities, CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, have been identified in various Lenovo devices, such as the Lenovo Flex, IdeaPad and Yoga laptops.

The firmware drivers behind CVE-2021-3971 and CVE-2021-3972 were originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. However, they were mistakenly left in production BIOS images without being deactivated first.

Attackers who gain access to these devices would be able to disable SPI flash protection or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime.

The vulnerabilities were reported to Lenovo on October 11, 2021, and yesterday the company released patches for them, as listed below.

  • CVE-2021-3970 – A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971 – A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972 – A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

It is important to apply these security patches to avoid being compromised in the future. The threats are initiated early in the boot process, before the OS gains control. The attackers will therefore be able to counter any security measures put in place.