Security firm ESET said Tuesday that it has found several UEFI vulnerabilities in a wide swathe of over 100 different Lenovo consumer laptop models, which can be patched by updating the notebook’s firmware.
The full list of affected laptops includes the Ideapad-3, the Legion 5 Pro-16ACH6 H, and the Yoga Slim 9-14ITL0. ESET discovered the vulnerability late last year. Lenovo then worked to develop a patch and released it on the manufacturer’s website. ESET didn’t say whether these vulnerabilities were actively being exploited in the wild.
Specifically, the three different vulnerabilities would allow an attacker to modify either the protected boot settings or the firmware itself, a change that would survive the reinstallation of the operating system, ESET said. “UEFI threats can be extremely stealthy and dangerous,” the firm wrote. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.”
A third vulnerability in the SMI Handler code would allow an attacker with local access and elevated privileges to execute arbitrary code, giving them control of the machine.
To solve the problem, Lenovo recommends that users navigate to the support site (support.lenovo.com), which resolves to pcsupport.lenovo.com. (The laptop manufacturer has addressed the vulnerability with a specific Web page devoted to it, where you can find this as well as supplementary information).
There, Lenovo asks that you take the following steps:
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- The last step requires that you find your laptop’s model on the list of affected products and simply make sure that the firmware you’re downloading matches the file that Lenovo has published.
There’s a catch, though. According to ESET, several laptops impacted by the vulnerability won’t be patched because they’re reaching End Of Development Support (EODS). “This includes devices where we spotted reported vulnerabilities for the first time: Ideapad 330-15IGM and Ideapad 110-15IGR. The list of such EODS devices that we have been able to identify will be available in ESET’s vulnerability disclosures repository.”
“For those using End Of Development Support (EODS) devices affected by the vulnerability, without any fixes available: one thing that can help you protect against unwanted modification of the UEFI Secure Boot state is using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes,” ESET wrote.