Three firmware bugs were found in Lenovo devices, which the tech firm immediately patched after discovering that they could be exploited for Unified Extensible Firmware Interface (UEFI) attacks.
The vulnerabilities were assigned as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 and used for deploying and executing UEFI malware through SPI flash implants or ESP implants inside Lenovo Notebook BIOS.
For the UEFI attacks, threat actors begin by loading their malicious activities on a targeted device during the early stage of its boot process.
This process is done so the injected malware can interfere with configuration data, establish persistence in the device, and bypass security defences launched during the early OS stage.
Security experts disclosed that the bugs had affected over a hundred assorted consumer laptop models globally used by millions of users. The flaws also appeared due to the affected devices’ drivers only intended for the product development stage of Lenovo.
The flaw’s impacted products include IdeaPads, Yoga and Flex laptops, and Legion gaming gadgets.
The CVE-2021-3970 flaw impacts the SW SMI (software System Management Interrupt) handler function, which allows the threat actors to access SMRAM and allow malicious code with SMM privileges to launch alongside the deployment of SPI flash implants.
The first security flaw is also described as a vulnerability caused during the older manufacturing processes of consumer Lenovo devices that were mistakenly included in the BIOS image, allowing threat actors with advanced privileges to modify the firmware protection region.
Meanwhile, the other two security flaws are associated with SecureBackDoor and SecureBackDoorPeim drivers, having similar descriptions to the first one that allowed hackers to gain access and execute malicious activities.
If a hacker has an advanced privilege level, it can abuse CVE-2021-3971 and change UEFI firmware settings, and CVE-2021-3972 needs to tamper with NVRAM variables to deploy the malicious payloads.
The tech firm released a public advisory, warning users to patch their Lenovo firmware as soon as possible. Lenovo also added alternative mitigation options in the advisory for users who cannot patch their devices yet.