Lenovo has published a security advisory to warn customers of vulnerabilities that affect its Unified Extensible Firmware Interface (UEFI) loaded on at least 100 of its notebook models, including IdeaPad 3, Legion 5 Pro-16ACH6 H, and Yoga Slim 9-14ITL05.
The following vulnerabilities were reported in Lenovo Notebook BIOS.
Two vulnerabilities, tracked as CVE-2021-3971 and CVE-2021-3972, can be exploited by an attacker to disable the protection for the SPI flash memory chip and turn off the UEFI Secure Boot feature.
The Secure boot is a security standard developed by members of the PC industry to ensure that a device boots using only software that is trusted by the OEM.
The third and final vulnerability, tracked as CVE-2021-3970, can be exploited by a local attacker to execute arbitrary code with elevated privileges.
The vulnerabilities affecting the Lenovo UEFI result from the use of two UEFI firmware drivers, named SecureBackDoor, SecureBackDoorPeim respectively. Both drivers are used only during the manufacturing process. UEFI vulnerabilities are very insidious because they could be exploited by threat actors to deploy stealthy implants that are able to bypass security protections that operate at the OS level.
Owners of impacted Lenovo laptops should update their firmware following the manufacturer’s instructions,