Researchers discover ‘stealthy’ Lenovo firmware vulnerability that affects millions of laptops

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Today, ESET announced that one of its researchers had discovered a number of vulnerabilities within Lenovo consumer laptops, impacting over hundred different models and millions of users worldwide.

According to Martin Smolár, the malware analyst at ESET who identified the vulnerabilities, CVE-2021-3970, CVE-2021-3971 and CVE-2021-3972 can enable attackers “to disable security mechanisms and install their UEFI malware on the systems.” 

In effect, this will enable an attacker to deploy UEFI-based malware such as LoJax and ESpecter. 

“UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” Smolár said. 

While the vulnerabilities only affect consumer Lenovo laptops, with more organizations embracing remote work following the COVID-19 pandemic, many employees are using consumer devices to work from home. In fact, research shows that 49% of employees still use personal computers for work. 

As a result, the Lenovo vulnerabilities discovered today could be used to gain access to an employee’s personal device, which an an attacker can use to harvest protected data or even work toward breaking into other devices on the network. 

How bad is the UEFI malware threat? 

In recent years, there were a number of high-profile attacks that have involved UEFI threats, most recently at the end of last year, when Kaspersky SecureList discovered a UEFI firmware-level compromise within the logs of its Firmware Scanner. 

In this instance, the hackers introduced an infection chain to the execution flow of the machine’s boot sequence to compromise the scanner. 

At a high level, what makes UEFI malware threatening is that once an attacker infects a computer’s UEFI, they can take control of the device and access any files stored on it, at will. At the same time the malware isn’t removed even if the user reinstalls the operating system or replaces the hard drive. 

Although organizations shouldn’t ignore the Lenovo firmware vulnerability, Gartner analyst, Peter Firstbrook highlights that the risk posed by these latest Lenovo vulnerabilities is minimal, due to how complex they are to exploit. 

“The immediate risk is low. These are difficult vulnerabilities to exploit, some require privileged access and good Endpoint protection solutions should detect the activity required to exploit the CVEs. However, for consumers that do not patch, and do not have behavioral endpoint protection, this could be a major long lived problem,” Firstbrook said.  

“Firmware implants are difficult to detect using standard antivirus software. In the long term, most organizations are not prepared for vulnerability detection and patching of Firmware,” Firstbrook said. 

What enterprises can do to fix the newfound Lenovo vulnerabilities 

The only way to fix these new vulnerabilities is to update the laptop’s firmware. Lenovo has released a list of all affected devices, alongside instructions on how to update them, so that users can search for products by name or machine type, and deploy manual updates to the affected components. 

Though this is a simple process, in remote working environments where employees are using personal Lenovo devices things are more difficult, as security teams have to rely on employees to deploy the updates. 

The simplest way to encourage employees to deploy the updates is to send out an email notifying staff about the risks these vulnerabilities present to their personal information and the wider enterprise, alongside the list of affected devices released by Lenovo.

Originally appeared on: TheSpuzz