The vulnerabilities could allow hackers to run malicious code before a device boots up.

Lenovo has released fixes for several vulnerabilities in the UEFI firmware used in many of its laptops. The patches address ‘high-severity’ vulnerabilities that were found in several laptop models. The vulnerabilities could allow attackers to disable the secure boot process and run unsigned UEFI apps, or restore the device to the factory default to load known-vulnerable bootloaders.

Secure boot is the process used during the startup of a computer. It ensures that only trusted components and software are loaded. Secure boot is designed to prevent malicious or modified firmware and other components from starting up. Researchers at ESET Research Labs discovered the vulnerabilities in the Lenovo Notebook BIOS and found that, by modifying an NVRAM variable, they could modify the secure boot settings.

Running unsigned, malicious code before OS boot is very dangerous, as threat actors can bypass all security protections to plant malware that persists between OS reinstallations. The bugs found by ESET are located in drivers that were meant to be used only during the manufacturing process and were mistakenly included in the firmware loaded on commercial products.

Here’s what’s been fixed

The company has released updates for all affected devices that are still supported. Two of the bugs (CVE-2022-3430 and CVE-2022-3431) affect many IdeaPad, ThinkBook, Yoga, and Slim 7 models. One of the flaws (CVE-2022-3432) only affects the Lenovo Ideapad Y700-14ISK. That model is no longer supported and won’t be updated.

“A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable”, the Lenovo advisory for CVE-2022-3431 reads.

CVE-2022-3432 is practically the same vulnerability, but present in a different driver. Lenovo has released updates for the affected products and advises users to update their devices as soon as possible.

Tip: OT security of data centers should be a top priority