News

More than 100 Lenovo laptop models are affected by UEFI vulnerabilities

Lenovo's support division has published an advisory warning of three new vulnerabilities affecting its laptops. All of them could allow an attacker to gain administrator privileges. More than 100 models of Lenovo laptops are affected by these vulnerabilities, which ESET researchers recently discovered.

Lenovo states that it has system firmware updates ready or on the way to mitigate these new security issues. The manufacturer shared the three CVE identifiers and their descriptions, which make clear the potential for damage if the patch is not applied.

Three new UEFI vulnerabilities for Lenovo laptops

The three vulnerabilities, with their descriptions, are as follows:

  • CVE-2021-3970: A potential vulnerability in the LenovoVariable SMI Handler due to insufficient validation may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971: A potential vulnerability in a driver used during legacy manufacturing processes that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972: A potential vulnerability in a driver used during the manufacturing process that was inadvertently left enabled could allow an attacker with elevated privileges to modify the Secure Boot configuration by modifying an NVRAM variable.

The new bugs could allow arbitrary reads from and writes to SMRAM, which can lead to the execution of malicious code at a highly privileged level. An attacker could directly disable the UEFI flash memory protections or the UEFI Secure Boot feature. They could then deploy and execute a firmware implant that is hard to detect and remove, since it is loaded before the operating system.

ESET discovered the trio of vulnerabilities last October, and Lenovo confirmed the flaws and assigned the CVEs in November. Firmware patches for many of the affected laptop models are available or in development. However, some affected laptops will not receive a patch, because the device is too old and has reached End of Development Support.

For now, it only remains to wait for Lenovo to publish the official patches for the affected laptops that are still eligible to receive the update. Until then, we will have to stay vigilant against possible malware attacks.

Source: Tom's Hardware

Benjamin Rosa

Madrileño whose publishing career began in 2009. I love investigating curiosities that I later bring to you, readers, in articles. I studied photography, a skill that I use to create humorous photomontages.
