New UEFI Firmware Vulnerabilities Discovered in Multiple Lenovo Laptop Models

Lenovo Addresses Critical UEFI Firmware Vulnerabilities Affecting Various Devices

Lenovo has identified and addressed three significant vulnerabilities within the Unified Extensible Firmware Interface (UEFI) firmware that impact numerous Yoga, IdeaPad, and ThinkBook devices. These shortcomings could allow an adversary to disable UEFI Secure Boot or reset factory default Secure Boot databases solely from an operating system, a revelation brought to light by the Slovak cybersecurity firm ESET through a series of tweets.

UEFI is the interface between the operating system and the device's hardware firmware and plays a critical role in the boot process. That position makes it a prime target for attackers seeking to deploy hard-to-detect malware. The vulnerabilities, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could allow unauthorized disabling of Secure Boot, the security feature designed to block untrusted code from running during system initialization.

ESET elaborated on the vulnerabilities, indicating they stem not from lapses in source code but from drivers meant exclusively for manufacturing that were inadvertently retained in production builds. The vulnerabilities hinge on an attacker gaining elevated privileges, potentially modifying Secure Boot settings by altering NVRAM variables, exposing affected systems to severe risks.
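The attack surface described above is the set of firmware NVRAM variables reachable from a privileged OS context. A defender's first question after patching is whether Secure Boot is actually enforced on the running machine. The following check is an added example written for this article; it is not code from Lenovo, ESET or the article itself. It parses variables in the on-disk format Linux exposes under /sys/firmware/efi/efivars (a 4-byte little-endian attribute mask followed by the raw variable data) and evaluates the SecureBoot and SetupMode variables from the EFI_GLOBAL_VARIABLE namespace (GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c, which is the real spec value). The sample blobs are constructed so the code runs offline; the function names are the example's own.

```python
"""
Added example (not from the article, Lenovo or ESET): evaluate whether
Secure Boot is enforced by reading the SecureBoot and SetupMode UEFI
variables, either live from efivars on Linux or from constructed blobs.
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (real value).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# EFI_VARIABLE_* attribute bits from the UEFI specification.
NON_VOLATILE = 0x1
BOOTSERVICE_ACCESS = 0x2
RUNTIME_ACCESS = 0x4


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """Split an efivars file image into (attribute mask, variable data)."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def secure_boot_state(variables: Dict[str, bytes]) -> Dict[str, Optional[bool]]:
    """
    Evaluate Secure Boot status. Enforcement requires SecureBoot == 1 and
    SetupMode == 0; a missing variable is reported as None (unknown).
    """
    def flag(name: str) -> Optional[bool]:
        blob = variables.get(name)
        if blob is None:
            return None
        _, data = parse_efivar(blob)
        return bool(data[0]) if data else None

    sb = flag("SecureBoot")
    setup = flag("SetupMode")
    return {
        "secure_boot": sb,
        "setup_mode": setup,
        "enforced": sb is True and setup is False,
    }


def read_live_variables() -> Dict[str, bytes]:
    """Read the two variables from efivars on a Linux host (empty dict if absent)."""
    found: Dict[str, bytes] = {}
    for name in ("SecureBoot", "SetupMode"):
        path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        if path.exists():
            found[name] = path.read_bytes()
    return found


# Constructed sample blobs: attributes BS|RT (0x6), then one data byte.
SAMPLE_ENFORCED = {
    "SecureBoot": struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"\x01",
    "SetupMode": struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"\x00",
}
SAMPLE_DISABLED = {
    "SecureBoot": struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"\x00",
    "SetupMode": struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + b"\x01",
}

if __name__ == "__main__":
    # Prefer the live values; fall back to the constructed enforced sample.
    live = read_live_variables() or SAMPLE_ENFORCED
    print(secure_boot_state(live))
```

SecureBoot is a volatile variable that the firmware computes at boot, so this check reflects the state of the current boot; a setting changed from the OS via the flaws described above would only show up here after the next restart, which is why the firmware version and the Secure Boot state are both worth recording in inventory after applying Lenovo's update.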

Each specific vulnerability has distinct implications. CVE-2022-3430 pertains to a flaw in the WMI Setup driver that could allow secure boot modifications. CVE-2022-3431 and CVE-2022-3432 both relate to drivers used during manufacturing processes that were mistakenly left operational in consumer devices, enabling the alteration of critical security settings.

Although Lenovo has acted to mitigate these vulnerabilities, they underscore a pressing security concern. Disabling UEFI Secure Boot could enable attackers to deploy rogue boot loaders, allowing them to execute arbitrary code on compromised systems and gain unauthorized access.

This marks the third instance this year in which Lenovo has patched UEFI firmware vulnerabilities, all of which were discovered and reported by ESET researcher Martin Smolár. The previous issues could have allowed attackers to install firmware-level implants on affected devices, raising the severity of the threat.

Notably, Lenovo has announced it will not issue fixes for CVE-2022-3432 due to the affected model reaching its end-of-life. Users of other impacted devices are advised to update to the latest firmware to mitigate risks.

These vulnerabilities map to adversary tactics and techniques in the MITRE ATT&CK framework, specifically persistence and privilege escalation. As businesses continue to navigate an increasingly complex cybersecurity landscape, vigilant and proactive patch management is more crucial than ever.