Wed. Mar 29th, 2023


New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops – The Hacker News


Three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices.

Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two “affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks,” ESET researcher Martin Smolár said in a report published today.


“Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated,” Smolár added.

Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots.


CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode (SMM) of the firmware, leading to the execution of malicious code with the highest privileges.

The three flaws were reported to the PC maker on October 11, 2021, following which patches were issued on April 12, 2022. A summary of the three flaws as described by Lenovo is below –

  • CVE-2021-3970 – A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971 – A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972 – A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.
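The Lenovo summaries above describe flaws that let privileged code flip firmware protections or the Secure Boot setting by writing an NVRAM variable. As an added, defender-side example that is not from the article, ESET or Lenovo, the Python below parses efivarfs-style variable blobs, reports the platform's SecureBoot/SetupMode state, and inventories non-volatile variables that are also runtime-accessible, i.e. the class of variable a sufficiently privileged OS process can change persistently. Constructed sample variables are embedded so it runs offline; the vendor variable name and its GUID in the sample are placeholders, and the optional loader assumes a Linux host booted via UEFI with efivarfs mounted at /sys/firmware/efi/efivars.

```python
import os
import struct

# UEFI variable attribute bits (UEFI specification, GetVariable/SetVariable)
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

# Global variable GUID that scopes the standard SecureBoot and SetupMode variables
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed sample, shaped like the files efivarfs exposes ("Name-GUID" -> 4-byte
# little-endian attributes followed by the payload). The vendor entry is a placeholder.
PLACEHOLDER_VENDOR_GUID = "00000000-0000-0000-0000-000000000000"
SAMPLE_VARS = {
    f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}": struct.pack("<I", 0x6) + b"\x01",
    f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}": struct.pack("<I", 0x6) + b"\x00",
    f"Boot0000-{EFI_GLOBAL_VARIABLE_GUID}": struct.pack("<I", 0x7) + b"\x01\x00\x00\x00",
    f"ExampleVendorSetting-{PLACEHOLDER_VENDOR_GUID}": struct.pack("<I", 0x7) + b"\x00",
}


def parse_efivar(blob):
    """Split an efivarfs blob into (attributes, payload)."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short to hold the attribute word")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def describe_attrs(attrs):
    """Human-readable attribute flags, in NV/BS/RT order."""
    names = []
    if attrs & EFI_VARIABLE_NON_VOLATILE:
        names.append("NV")
    if attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS:
        names.append("BS")
    if attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        names.append("RT")
    return names


def secure_boot_state(variables):
    """Report SecureBoot/SetupMode and whether the platform is in an enforcing state.

    Enforcing means SecureBoot == 1 and SetupMode == 0; anything else (including a
    missing variable) is treated as not enforcing, which is the safe default for a check.
    """
    def first_byte(name):
        key = f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        if key not in variables:
            return None
        _, data = parse_efivar(variables[key])
        return data[0] if data else None

    sb = first_byte("SecureBoot")
    sm = first_byte("SetupMode")
    return {"SecureBoot": sb, "SetupMode": sm, "enforcing": sb == 1 and sm == 0}


def runtime_writable_nv_variables(variables):
    """List (name, flags) for variables that are both non-volatile and runtime-accessible.

    These persist across reboots and are reachable from the OS, so they are the ones
    worth baselining and watching for unexpected changes.
    """
    found = []
    for key, blob in variables.items():
        attrs, _ = parse_efivar(blob)
        if attrs & EFI_VARIABLE_NON_VOLATILE and attrs & EFI_VARIABLE_RUNTIME_ACCESS:
            found.append((key.rsplit("-", 5)[0], describe_attrs(attrs)))
    return sorted(found)


def load_efivars(path="/sys/firmware/efi/efivars"):
    """Read live variables from efivarfs on a Linux host (assumption: UEFI boot, efivarfs mounted)."""
    variables = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name), "rb") as fh:
            variables[name] = fh.read()
    return variables


if __name__ == "__main__":
    source = load_efivars() if os.path.isdir("/sys/firmware/efi/efivars") else SAMPLE_VARS
    print("Secure Boot:", secure_boot_state(source))
    for name, flags in runtime_writable_nv_variables(source):
        print(f"  {name:<32} {'|'.join(flags)}")
```

Run it as a baseline once on a freshly patched machine and diff later runs: a change in the SecureBoot/SetupMode result, or a new runtime-writable non-volatile variable appearing, is worth investigating even when the OS-level security tooling reports nothing.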

The weaknesses, which impact Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops, add to the disclosure of as many as 50 firmware vulnerabilities in Insyde Software’s InsydeH2O, HP UEFI, and Dell since the start of the year.

“UEFI threats can be extremely stealthy and dangerous,” Smolár said. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.”
