Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced attackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.
Three vulnerabilities affecting more than 1 million laptops can give attackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it is the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
Two of the vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without properly deactivating them. Attackers can exploit these buggy drivers to disable protections, including UEFI Secure Boot, BIOS control register bits, and protected range registers, which are baked into the serial peripheral interface (SPI) flash controller and designed to prevent unauthorized changes to the firmware it holds.
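The BIOS control register bits and protected range registers mentioned above are what a firmware audit reads to decide whether the SPI flash is actually write-protected. The following is an added example, not code from the article, Lenovo or ESET: it decodes those registers the way an audit tool such as chipsec's BIOS write-protection check does. The bit layout (BIOSWE, BLE, SMM_BWP in BIOS_CNTL; WPE, limit and base in each PRx) is assumed from the Intel PCH datasheets and should be verified for a given chipset generation; the register values and BIOS region bounds are constructed.

```python
# Assumed Intel PCH layout (verify against the datasheet for your chipset):
# BIOS_CNTL: bit0 BIOSWE (BIOS Write Enable), bit1 BLE (BIOS Lock Enable,
#            writes to BIOSWE raise an SMI), bit5 SMM_BWP (writes only from SMM)
# PRx:       bit31 WPE (write-protect enable), bits 28:16 limit (4 KiB units),
#            bit15 RPE (read-protect enable), bits 12:0 base (4 KiB units)
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def decode_bios_cntl(value):
    """Return the three write-protection-relevant BIOS_CNTL bits as booleans."""
    return {"BIOSWE": bool(value & BIOSWE),
            "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def decode_pr(value):
    """Decode one protected range register into a flash address window."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return {"WPE": bool((value >> 31) & 1), "RPE": bool((value >> 15) & 1),
            "base": base, "limit": limit}


def bios_region_protected(bios_cntl, prs, bios_base, bios_limit):
    """Evaluate whether the BIOS region of the flash is write-protected.

    Protection counts if either (a) BIOS_CNTL locks writes to SMM only
    (BLE set, SMM_BWP set, BIOSWE clear), or (b) some PRx with WPE set
    covers the whole BIOS region. Returns (protected, list_of_reasons).
    """
    reasons = []
    cntl = decode_bios_cntl(bios_cntl)
    if cntl["BLE"] and cntl["SMM_BWP"] and not cntl["BIOSWE"]:
        reasons.append("BIOS_CNTL: writes locked to SMM (BLE+SMM_BWP, BIOSWE=0)")
    for i, raw in enumerate(prs):
        pr = decode_pr(raw)
        if pr["WPE"] and pr["base"] <= bios_base and pr["limit"] >= bios_limit:
            reasons.append(f"PR{i}: WPE covers {pr['base']:#x}-{pr['limit']:#x}")
    if not reasons:
        reasons.append("no BIOS_CNTL lock and no PRx covering the BIOS region")
    return bool(reasons and reasons[0][:2] != "no"), reasons


if __name__ == "__main__":
    # Constructed values: BIOS region at 0x500000-0xFFFFFF of the flash.
    weak = bios_region_protected(0x01, [0x0, 0x0], 0x500000, 0xFFFFFF)
    hardened = bios_region_protected(0x22, [0x8FFF0500], 0x500000, 0xFFFFFF)
    print("weak     :", weak)       # (False, [...no lock...])
    print("hardened :", hardened)   # (True, [BIOS_CNTL..., PR0...])
```
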
After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows attackers to run malicious firmware when a machine is put into System Management Mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.
"Based on the description, those are all pretty 'oh no' kinds of attacks for sufficiently advanced attackers," Trammell Hudson, a security researcher specializing in firmware hacks, told Ars. "Bypassing SPI flash permissions is pretty bad."
He said the severity may be diminished by protections such as BootGuard, which is designed to prevent unauthorized people from running malicious firmware during the boot process. Then again, researchers in the past have uncovered critical vulnerabilities that subvert BootGuard. They include a trio of flaws discovered by Hudson in 2020 that prevented the protection from working when a computer came out of sleep mode.
Creeping into the mainstream
While still rare, so-called SPI implants are growing more common. One of the Internet's biggest threats, a piece of malware known as Trickbot, in 2020 began incorporating a driver into its code base that allows its operators to write firmware into virtually any device.
The only two other documented cases of malicious UEFI firmware being used in the wild are LoJax, which was written by the Russian state hacker group known under multiple names, including Sednit, Fancy Bear, and APT 28, and UEFI malware that security firm Kaspersky found on diplomatic figures' computers in Asia.
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more other critical vulnerabilities elsewhere that would already put a user at considerable risk.
Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what is normally possible with more conventional malware. Lenovo has a list here of more than 100 models that are affected.