
Vulnerabilities in Lenovo laptops expose millions of users to firmware-level malware


Researchers at ESET reported Tuesday that they had discovered at least three vulnerabilities affecting hundreds of Lenovo consumer laptop models with millions of users worldwide.

The first two — CVE-2021-3971 and CVE-2021-3972 — affect UEFI firmware drivers meant to be used only during the manufacturing process of consumer notebooks, but which were mistakenly included in the production BIOS images, researcher Martin Smolar wrote on ESET's security blog. An attacker can activate these drivers from a privileged user-mode process during OS runtime to directly disable SPI flash protections or UEFI Secure Boot, which would allow the deployment of SPI flash or ESP implants such as LoJax or ESPecter.

While investigating the first two vulnerabilities, the researchers discovered a third: an SMM memory corruption inside the SW SMI handler function (CVE-2021-3970). The vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially to the deployment of an SPI flash implant.

Smolar said that ESET reported the vulnerabilities to Lenovo in October, and the company confirmed them in November. Lenovo has published a full list of affected models with active development support in an advisory on its website.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
