Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.
Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
Oh, no
Two of the vulnerabilities—tracked as CVE-2021-3971 and CVE-2021-3972—reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without properly deactivating them. Hackers can exploit these buggy drivers to disable protections, including UEFI Secure Boot, BIOS control register bits, and protected range registers, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorized changes to the firmware it runs.
After discovering and analyzing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970. It allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.
“Based on the description, these are all fairly ‘oh no’ sorts of attacks for sufficiently advanced attackers,” Trammell Hudson, a security researcher specializing in firmware hacks, told Ars. “Bypassing SPI flash permissions is fairly dangerous.”
He said the severity may be lessened by protections such as BootGuard, which is designed to prevent unauthorized people from running malicious firmware during the boot process. Then again, researchers in the past have uncovered critical vulnerabilities that subvert BootGuard. They include a trio of flaws discovered by Hudson in 2020 that prevented the protection from working when a computer came out of sleep mode.
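The BIOS control register bits and protected range registers mentioned above can be audited from a register dump. The following is an added example, not code from Lenovo, ESET, or the original article; it assumes the bit layout Intel documents for the PCH BIOS_CNTL and PR0-PR4 registers, and the register values and BIOS region bounds are constructed sample data.

```python
# Added example: audit SPI flash write protections from raw register values.
# Assumption: Intel PCH layout for BIOS_CNTL and PR0-PR4; the values would come
# from a register-dump tool such as chipsec. All sample values are constructed.

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5   # BIOS_CNTL bits
PR_WPE = 1 << 31                                # PRx write-protection enable


def decode_pr(value):
    """Decode one Protected Range register into (base, limit, write_protected)."""
    base = (value & 0x1FFF) << 12                       # bits 12:0, 4 KiB units
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF    # bits 28:16, inclusive
    return base, limit, bool(value & PR_WPE)


def audit(bios_cntl, pr_values, bios_base, bios_limit):
    """Return a list of findings; an empty list means the protections are set."""
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE=1: BIOS region is currently writable")
    if not bios_cntl & BLE:
        findings.append("BLE=0: setting BIOSWE does not raise an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP=0: BIOS writes are not restricted to SMM")
    # Walk the write-protected ranges in address order and find the first gap.
    decoded = (decode_pr(v) for v in pr_values)
    ranges = sorted((b, l) for b, l, wp in decoded if wp and l >= b)
    cursor = bios_base
    for base, limit in ranges:
        if base > cursor:
            break                       # unprotected hole starts at cursor
        cursor = max(cursor, limit + 1)
    if cursor <= bios_limit:
        findings.append(f"PRx: write protection gap starting at {cursor:#x}")
    return findings


# Constructed sample: 16 MiB flash, BIOS region 0xA00000-0xFFFFFF.
BIOS_BASE, BIOS_LIMIT = 0xA00000, 0xFFFFFF
LOCKED = (0x22, [0x8FFF0A00, 0, 0, 0, 0])   # BLE+SMM_BWP set, PR0 covers region
UNLOCKED = (0x01, [0, 0, 0, 0, 0])          # BIOSWE set, no protected ranges

if __name__ == "__main__":
    for name, (bc, prs) in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(name, audit(bc, prs, BIOS_BASE, BIOS_LIMIT) or "OK")
```

A configuration that reports findings after a firmware update, when the same model previously reported none, is worth investigating.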
Creeping into the mainstream
While still rare, so-called SPI implants are growing more common. One of the Internet’s biggest threats—a piece of malware known as Trickbot—in 2020 began incorporating a driver into its code base that allows people to write firmware into virtually any device.
The only two other documented cases of malicious UEFI firmware being used in the wild are LoJax, which was written by the Russian state hacker group known under multiple names, including Sednit, Fancy Bear, or APT 28, and UEFI malware that security firm Kaspersky discovered on diplomatic figures’ computers in Asia.
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting a number of other critical vulnerabilities elsewhere that would already put a user at considerable risk.
Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what’s normally possible with more conventional malware. Lenovo has a list of more than 100 models that are affected.