Lenovo driver bug allowed to bypass security features

Updated on: 10 November 2022

Vilius Petkauskas
Deputy Editor

Lenovo flaws UEFI — Image by Shutterstock.

Lenovo fixed flaws threat actors could have used to disable UEFI Secure Boot, a system guarding against malicious code execution, in Lenovo Notebooks.

Lenovo, the Chinese computer maker, fixed several vulnerabilities in the UEFI firmware affecting several of its popular laptop models such as Yoga, IdeaPad, and ThinkBook.

Researchers at cybersecurity company ESET discovered the flaws, two of which were deemed high-severity, and alerted the computer maker. The vulnerabilities would allow threat actors to deactivate UEFI Secure Boot if exploited.

UEFI, short for Unified Extensible Firmware Interface, is used to kickstart the hardware of a computer before loading the operating system. The Secure Boot function ensures that no malicious code is loaded during the device‘s boot process.

Accessing the target system before the operating system (OS) boots have severe security implications, as attackers can bypass virtually all security protections that rely on the OS and evade destruction even if the OS is reinstalled.

According to researchers at ESET, the flaws don‘t come from the code but rather from a production mistake. The affected drivers, ESET claims, were meant only to be used during the manufacturing process. However, Lenovo “mistakenly included” affected drivers in the production.

Researchers claim that the vulnerability can be exploited by creating NVRAM (non-volatile random-access memory) variables. However, Lenovo fixed the vulnerabilities using a BIOS fix.

“For those using one of the affected devices, we highly recommend updating to the latest firmware version,” researchers said.

Lenovo published the list of affected devices and offered mitigation strategies for users to fix the flaws.

Earlier this year, ESET discovered that over 70 models of Lenovo notebook devices were fitted with vulnerable UEFI firmware. Buffer overflow vulnerabilities in the UEFI firmware allowed attackers to carry out arbitrary code execution (ACE) attacks and disable essential security features.