Lenovo driver goof poses security risk for users of 25 notebook models

Researchers warned on Wednesday that more than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device.

At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models. If UEFI secure boot is undermined, attackers can install malicious software on the machine.

Not common, even rare

UEFI is the software that bridges a computer's device firmware with its operating system. It is the first link in the security chain when most modern machines are turned on. Infections are difficult to detect and remove because they reside in a flash chip on the motherboard. Wiping the hard drive and reinstalling the OS has little effect, because the firmware-resident infection is still there when the computer boots again.

The vulnerabilities allow disabling UEFI secure boot or restoring the factory-default secure boot databases. These databases define what is allowed to boot and what is denied; the DBX database stores the hashes of denied keys. By disabling secure boot or restoring the default databases, an attacker can remove restrictions that would normally be in place.


The researcher, who preferred not to be named, said that changing things from the OS is rare. You need to have physical access to smash the DEL button at the beginning of the setup to do things there. Some of the things can be done from the OS.

With secure boot disabled, there is normally nothing to prevent attackers from executing malicious UEFI apps. If the factory-default DBX is restored, attackers can load bootloaders that were denied only in later revisions of that database, so known-vulnerable bootloaders become usable again. In August, researchers identified three prominent software drivers that an attacker with elevated privileges could use to circumvent secure boot.

The vulnerabilities are exploited by tampering with variables in NVRAM, the non-volatile RAM that holds firmware settings. The notebooks were mistakenly shipped with drivers that were intended for use only during manufacturing. The three vulnerabilities are:

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify secure boot settings by changing an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot settings by altering an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot settings by adjusting an NVRAM variable.

Only the first two are being patched; the model affected by the third, the Ideapad Y700-14ISK, has reached end of life and is no longer supported by Lenovo. People who use any of the vulnerable models should install the patches immediately.
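Because the attack described above works by flipping NVRAM variables, a defender's first sanity check is to read the live variables back: is SecureBoot still enforcing, and does the DBX deny list still hold its expected entries rather than a sparse factory default? The following is an added example, not code from the article, ESET or Lenovo; it assumes the Linux efivarfs layout (4 bytes of attributes followed by the variable data) and the standard UEFI GUIDs, and uses constructed sample bytes so it runs offline.

```python
# Added example: read UEFI SecureBoot state and count dbx deny-list entries from efivarfs.
import struct
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # SecureBoot variable GUID
IMAGE_SEC_DB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"      # db / dbx variable GUID
EFIVARS = Path("/sys/firmware/efi/efivars")
SHA256_SIG = 16 + 32  # EFI_CERT_SHA256 entry: owner GUID + SHA-256 hash

def efivar_data(raw: bytes) -> bytes:
    """Strip the 4-byte efivarfs attribute header and return the payload."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to hold the attribute header")
    return raw[4:]

def secure_boot_enabled(raw: bytes) -> bool:
    """SecureBoot is a single byte: 1 = enforcing, 0 = disabled."""
    data = efivar_data(raw)
    return len(data) >= 1 and data[0] == 1

def count_dbx_entries(raw: bytes) -> int:
    """Walk the chain of EFI_SIGNATURE_LIST structures in dbx and count signatures."""
    data = efivar_data(raw)
    off, total = 0, 0
    while off + 28 <= len(data):
        # Header: SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (u32 each)
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size == 0 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        total += (list_size - 28 - hdr_size) // sig_size
        off += list_size
    return total

def audit(root: Path = EFIVARS) -> dict:
    """Read the live variables; None means the variable (or efivarfs) is absent."""
    sb = root / f"SecureBoot-{EFI_GLOBAL}"
    dbx = root / f"dbx-{IMAGE_SEC_DB}"
    return {
        "secure_boot": secure_boot_enabled(sb.read_bytes()) if sb.exists() else None,
        "dbx_entries": count_dbx_entries(dbx.read_bytes()) if dbx.exists() else None,
    }

# Constructed sample data (not real firmware contents): SecureBoot=1 and a dbx
# holding one signature list with two SHA-256 hash entries.
SAMPLE_SECURE_BOOT = b"\x06\x00\x00\x00" + b"\x01"
SAMPLE_DBX = (b"\x06\x00\x00\x00" + bytes(16)
              + struct.pack("<III", 28 + 2 * SHA256_SIG, 0, SHA256_SIG)
              + bytes(2 * SHA256_SIG))
```

Run `audit()` on a Linux host and compare the DBX count against a known-good baseline for the same firmware revision; a sudden drop to the factory count, or `secure_boot` reading False on a machine that should enforce it, is worth investigating.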
