Security researchers discovered a software vulnerability affecting UEFI drivers used by Lenovo and HP laptops, and in firmware that runs on Gigabyte motherboards.
Independent security researcher Dmytro Oleksiuk initially found the vulnerability in the System Management Mode (SMM) code of Lenovo's firmware.
Exploitation of the flaw, dubbed “ThinkPwn,” could allow a local attacker with administrative access to bypass or disable firmware-level protections, including flash write protection, Virtual Secure Mode and Credential Guard in Windows 10 Enterprise, and UEFI Secure Boot, which prevents unauthorized software from loading during the startup process.
The exploits demonstrate the reasons that the information security industry has “worked so hard to implement trust and verification in the boot and firmware process,” wrote Kevin Bocek, Venafi's VP of security strategy and threat intelligence, in an email to SCMagazine.com. A vulnerability that could lead to an ability to disable the cryptographic authentication of the boot process is “distressing,” he noted. “We need to urgently make sure that cryptographic boot and firmware protection is safe and can't be circumvented. Intel, mobile and IOT systems all rely upon cryptographic signing of firmware to protect against malicious code.”
Fidelis Cybersecurity manager of threat systems John Bambenek said the vulnerability would be a lucrative target, though he told SCMagazine.com, “I don't think there will be widespread criminal campaigns exploiting this vulnerability. It is not technically simple to implement the exploit.”
Oleksiuk, however, was inclined to disagree. In an email to SCMagazine.com, he noted that it would be “relatively easy” to exploit the vulnerability. It would be less complex to exploit the ThinkPwn vulnerability than to exploit a local privilege escalation vulnerability in the Windows or Linux kernel, he added.
The flaw is “incredibly severe,” according to Cybereason co-founder and CTO Yonatan Striem-Amit. It highlights the industry truism that “as software complexity grows, so does the security risk,” he wrote, in an email to SCMagazine.com. The exploit will mature and become part of attackers' toolkit, Striem-Amit warned.
Lenovo announced last week that the vulnerable code was provided to the PC manufacturer by “at least one of our Independent BIOS Vendors.”
In a security alert, the Beijing-based PC manufacturer stated that it “currently works with the industry's three largest IBVs,” which led other researchers to look for the vulnerability in other products. Security researcher Alex James discovered that the flaw also affects HP laptops and firmware that makes use of Gigabyte motherboards.
“It's very unlikely that we will see the whole list of vulnerable hardware in the near future,” Oleksiuk wrote to SCMagazine.com.
Lenovo has gained a reputation in the industry, and attracted unwanted attention from security researchers, following a series of embarrassing security flaws. In March, researchers detected that Lenovo's start page redirected visitors to a page that loaded the Angler exploit kit. Earlier this year, in January, Lenovo patched flaws affecting its SHAREit app that allowed remote system access and unauthorized access to transferred files. Last year, it was discovered that Lenovo laptops automatically re-installed firmware containing vulnerabilities, even after the software had been removed by users.