
Lenovo has left backdoors in millions of laptops

This is a rather poor showing. Security researchers at Eset have just revealed the presence of backdoors in more than a hundred models of Lenovo consumer laptops. Among the affected ranges are IdeaPad, Legion, Slim and Yoga. In total, the number of affected devices must run into the millions. Clearly it was not an underhanded move. Implemented in the form of UEFI drivers, the backdoors were named “SecureBackDoor”, “SecureBackDoorPeim”, “ChgBootDxeHook” and “ChgBootSmm”, names that are quite explicit and therefore not very discreet!

According to Lenovo’s security advisory, these backdoors were used during the laptop manufacturing process for practical reasons. Unfortunately, Lenovo forgot to remove them. Eset researchers have shown that they allow two types of action. With “SecureBackDoor” and “SecureBackDoorPeim” it was possible to disable the write protections of the SPI flash memory on which the UEFI firmware is stored and thereby modify its code (CVE-2021-3971). “ChgBootDxeHook” and “ChgBootSmm” allow a hacker to bypass UEFI Secure Boot, a mechanism that helps ensure the authenticity and integrity of boot firmware (CVE-2021-3972).
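As an added detection check, not code from the article or from Eset: a scan of a dumped SPI flash image for the four driver names cited above. It assumes the names appear as NUL-terminated UTF-16LE strings (the usual form of a UEFI module’s UI section) or as plain ASCII, and that the image is uncompressed; the sample image is constructed.

```python
"""Scan a UEFI firmware dump for the driver names cited in the article."""
from typing import Dict, List

# Driver names reported for CVE-2021-3971 / CVE-2021-3972 (from the article).
SUSPECT_DRIVER_NAMES = [
    "SecureBackDoor",
    "SecureBackDoorPeim",
    "ChgBootDxeHook",
    "ChgBootSmm",
]


def _is_whole_name(image: bytes, pos: int, length: int, width: int) -> bool:
    """Reject matches that continue with another letter or digit, so that
    'SecureBackDoor' is not reported inside 'SecureBackDoorPeim'."""
    nxt = image[pos + length: pos + length + width]
    if len(nxt) < width:
        return True  # match runs to end of image
    if width == 2:  # UTF-16LE: next code unit is (low byte, 0x00)
        return not (nxt[1] == 0 and bytes([nxt[0]]).isalnum())
    return not bytes([nxt[0]]).isalnum()


def find_driver_names(image: bytes, names=SUSPECT_DRIVER_NAMES) -> Dict[str, List[int]]:
    """Return {name: [byte offsets]} for every cited name found in either encoding.
    Assumption: names are stored uncompressed as UTF-16LE or ASCII."""
    hits: Dict[str, List[int]] = {}
    for name in names:
        for pattern, width in ((name.encode("utf-16-le"), 2), (name.encode("ascii"), 1)):
            start = 0
            while (pos := image.find(pattern, start)) != -1:
                if _is_whole_name(image, pos, len(pattern), width):
                    hits.setdefault(name, []).append(pos)
                start = pos + 1
    return {n: sorted(set(o)) for n, o in hits.items()}


def assess(image: bytes) -> str:
    """One-line verdict suitable for a firmware inventory report."""
    hits = find_driver_names(image)
    if not hits:
        return "no cited driver names found"
    return "suspect drivers present: " + ", ".join(sorted(hits))


# Constructed sample image: filler bytes with two UI-section style names embedded.
SAMPLE_IMAGE = (
    b"\xff" * 64
    + "ChgBootSmm".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 32
    + "SecureBackDoorPeim".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 16
)

if __name__ == "__main__":
    print(find_driver_names(SAMPLE_IMAGE))
    print(assess(SAMPLE_IMAGE))
```

On a real dump, compressed firmware volumes must first be unpacked (for example with a UEFI image parser) before this byte scan sees the module names.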


By analyzing these drivers, the researchers discovered a third flaw (CVE-2021-3970) that allowed access to SMRAM memory and modification of the code executed in “System Management Mode”. This is a highly secured mode reserved for tasks such as managing advanced power functions, performing custom OEM functions, or performing firmware updates. This bug could in turn be used to install malware directly into the SPI flash.

All of these vulnerabilities require administrative privileges to be exploited, which is a good thing. But for an attacker the effort is worthwhile, because “infecting UEFI is kind of a holy grail in computer hacking”, explains Benoît Grunemwald, cybersecurity expert at Eset. Malware nested in UEFI is particularly persistent. It survives even if the operating system is reinstalled or the hard drive is replaced.

This type of malware is usually used for targeted attacks. In 2018, Eset researchers were the first to discover a specimen of UEFI malware. Baptized LoJax, it was the work of the Russian hacker group APT28.

Patches available since last November

As for the flaws found in Lenovo laptops, no one knows whether they were actually used by hackers. But since they were not very hard to find, it is likely that other hackers knew of their existence. Lenovo was notified by Eset in October 2021 and confirmed the issue the following month. A patch is now available for all models that are still supported. To mitigate CVE-2021-3972, it is also possible to encrypt the drive using the TPM, which will “make data inaccessible if UEFI Secure Boot configuration changes”, as Eset’s blog post makes clear.

Source: Eset
