Lenovo driver goof poses security risk for users of 25 notebook models - Ars Technica


BYPASSING UEFI SECURE BOOT —

Hackers can exploit vulnerabilities to install malicious firmware that survives reboots.

- Nov 10, 2022 12:40 am UTC



More than two dozen Lenovo notebook models are susceptible to malicious hacks that disable the UEFI Secure Boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday.

At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine UEFI Secure Boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Not common, even rare

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of code to run when virtually any modern device is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are hard to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward.

ESET said the vulnerabilities—tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432—“allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS.” Secure Boot uses signature databases to decide which code is allowed to run and which is denied. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling Secure Boot or restoring the databases to their default values makes it possible for an attacker to remove restrictions that would normally be in place.

“Changing things in firmware from the OS is not common, even rare,” a researcher specializing in firmware security, who preferred not to be named, said in an interview. “Most folks think that to change settings in firmware or in BIOS you need to have physical access to smash the DEL key at boot to enter the setup and do things there. When you can do any of the things from the OS, that's kind of a big deal.”

Disabling UEFI Secure Boot frees attackers to execute malicious UEFI apps, something that’s normally not possible because Secure Boot requires UEFI apps to be cryptographically signed. Restoring the factory-default DBX, meanwhile, allows attackers to load vulnerable bootloaders. In August, researchers from security firm Eclypsium identified three prominent software drivers that could be used to bypass Secure Boot when an attacker has elevated privileges, meaning administrator on Windows or root on Linux.
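The Secure Boot state and the DBX described above are ordinary UEFI variables that an operating system can read back, so a defender can audit them from the OS after an incident or a patch. The following Python routine is an added example, not code from the article, ESET or Lenovo: it parses the three variables as Linux efivarfs exposes them (a 4-byte attribute word followed by the data) and walks the EFI_SIGNATURE_LIST structures inside dbx. The layout and the SHA-256 signature-type GUID come from the UEFI specification; the variable contents are constructed sample data, not captured from a real machine.

```python
import struct
import uuid

# Signature-type GUID for SHA-256 hash entries (from the UEFI specification).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_VAR_TIME_BASED_AUTH_WRITE = 0x20  # attribute: only signed (authenticated) writes allowed

def split_efivar(blob):
    """efivarfs layout: 4-byte little-endian attribute word, then the variable data."""
    return struct.unpack_from("<I", blob, 0)[0], blob[4:]

def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain in db/dbx; return (type GUID, payload) per entry."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + the hash or certificate.
            entries.append((sig_type, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries

def secure_boot_status(secureboot_var, setupmode_var, dbx_var):
    """Summarise what a defender audits: SB on, not in setup mode, dbx populated and signed."""
    _, sb = split_efivar(secureboot_var)
    _, sm = split_efivar(setupmode_var)
    dbx_attrs, dbx = split_efivar(dbx_var)
    entries = parse_signature_lists(dbx)
    return {
        "secure_boot_enabled": sb[:1] == b"\x01",
        "setup_mode": sm[:1] == b"\x01",
        "dbx_authenticated": bool(dbx_attrs & EFI_VAR_TIME_BASED_AUTH_WRITE),
        "dbx_entry_count": len(entries),
        "dbx_sha256": sorted(p.hex() for t, p in entries if t == EFI_CERT_SHA256_GUID),
    }

def build_sha256_dbx(hashes):
    """Constructed sample data: one EFI_SIGNATURE_LIST holding SHA-256 entries."""
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample variables: SecureBoot/SetupMode are BS|RT, dbx is NV|BS|RT|TIME_BASED_AUTH.
SAMPLE_SECUREBOOT = struct.pack("<I", 0x06) + b"\x01"
SAMPLE_SETUPMODE = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_dbx([b"\xaa" * 32, b"\xbb" * 32])
```

On a real Linux host the same bytes are read from `/sys/firmware/efi/efivars/SecureBoot-*`, `SetupMode-*` and `dbx-*`; an empty dbx, a cleared SecureBoot flag or a dbx that no longer carries the authenticated-write attribute is the kind of change an in-OS tampering such as the one described here would leave behind.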

The vulnerabilities can be exploited by tampering with variables in NVRAM, the non-volatile RAM that stores various boot options. The vulnerabilities are the result of Lenovo mistakenly shipping notebooks with drivers that had been intended for use only during the manufacturing process. The vulnerabilities are:

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify Secure Boot settings by changing an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by altering an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify Secure Boot settings by adjusting an NVRAM variable.

Lenovo is patching only the first two. CVE-2022-3432 will not be patched because the company no longer supports the Ideapad Y700-14ISK, the end-of-life notebook model that’s affected. People using any of the other vulnerable models should install the patches as soon as practical.
