Three vulnerabilities affecting more than a million laptops can give hackers the ability to modify a computer's UEFI, which is the first piece of software to run.
Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
Two of the vulnerabilities -- tracked as CVE-2021-3971 and CVE-2021-3972 -- reside in UEFI firmware drivers intended for use only during the manufacturing process of Lenovo consumer notebooks. Lenovo engineers inadvertently included the drivers in the production BIOS images without properly deactivating them.
Hackers can exploit these buggy drivers to disable protections, including UEFI secure boot, BIOS control register bits, and protected range registers, which are baked into the serial peripheral interface (SPI) and designed to prevent unauthorised changes to the firmware it runs.
After discovering and analysing the vulnerabilities, researchers from security firm ESET found a third vulnerability, CVE-2021-3970, which allows hackers to run malicious firmware when a machine is put into system management mode, a high-privilege operating mode typically used by hardware manufacturers for low-level system management.
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. This makes them tricky to exploit and requires exploiting one or more other critical vulnerabilities elsewhere that would already put a user at considerable risk.
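To show what the BIOS control register bits and protected range registers mentioned above look like to a defender, the following added example (not from ESET, Lenovo or the original article) decodes raw register values and reports which write protections are off. The bit positions are an assumption based on the common Intel PCH layout and vary by chipset generation; the function names and sample values are constructed for illustration.

```python
# Added illustration: decode SPI flash protection registers from raw values.
# Assumption: Intel PCH-style bit layout; check the datasheet for your chipset.

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash writes currently allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = only SMM code may write

def decode_bios_cntl(value):
    """Return the three write-protection bits of the BIOS control register."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }

def decode_protected_range(value):
    """Decode one protected range register into a byte range and its flags."""
    base = (value & 0x7FFF) << 12                       # 4 KiB granularity
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    return {
        "base": base,
        "limit": limit,
        "read_protected": bool(value & (1 << 15)),
        "write_protected": bool(value & (1 << 31)),
    }

def audit(bios_cntl, pr_values):
    """List every protection that is disabled in the given register snapshot."""
    findings = []
    bits = decode_bios_cntl(bios_cntl)
    if bits["BIOSWE"]:
        findings.append("BIOSWE set: flash writes currently enabled")
    if not bits["BLE"]:
        findings.append("BLE clear: BIOSWE can be set without an SMI")
    if not bits["SMM_BWP"]:
        findings.append("SMM_BWP clear: non-SMM code may write flash")
    ranges = [decode_protected_range(v) for v in pr_values]
    if not any(r["write_protected"] for r in ranges):
        findings.append("no write-protected range configured")
    return findings

# Constructed snapshots: (BIOS control value, five protected range values)
LOCKED = (0x22, [0x8FFF0C00, 0, 0, 0, 0])
UNLOCKED = (0x01, [0, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, snap in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(name, audit(*snap) or "all checked protections enabled")
```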