ESET uncovers vulnerabilities in Lenovo laptops

Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET. Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI …

  1. Colin Bull 1
    Happy

    worried, moi

    I was getting a bit concerned about this but when looking at the Lenovo link it appears only Win 10 is affected. No problem with Ubuntu.

    1. Ken Hagan Gold badge

      Re: worried, moi

      I don't think the Lenovo link says that at all. The patch is only available in Windows flavour, but the UEFI bios is as much part of a Linux boot as a Windows one, surely. Whether the patch will be offered by Lenovo to Linux devs for packaging is a different question.

  2. Anonymous Coward Silver badge
    Black Helicopters

    "UEFI threats can be extremely stealthy and dangerous," ...... "They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations"

    Congratulations, you've unearthed the primary reason that UEFI has been foisted on us. But (un)fortunately those characteristics apply equally to both the 'bad' and 'good' malware.

  3. Neil Barnes Silver badge
    Holmes

    If only

    there were some other approach - say perhaps a mechanical switch that required the device to be opened to operate it?

    Nah, that'll never fly.

    1. An_Old_Dog Silver badge
      Meh

      hardware switch to enable flash re-write

      Compaq had a slide switch on the motherboard of one of their (late 90s/early 2000s, pre-UEFI) super-small desktops. You had to flip the switch before it would let you flash the BIOS. It also had a ROM-based BIOS you could activate if the flashing procedure failed, so you'd still be able to boot and re-do the flash-writing.

      But no, that's "old tech", and Intel pushed vPro, which lets you (and villains) do everything to a PC over-the-wire. Super-handy, and it lets corps cut IT staff, but vPro security was (surprise?) flawed.

      1. Neil Barnes Silver badge

        Re: hardware switch to enable flash re-write

        Yeah, some Chromebooks had a screw on the motherboard shorting two tracks which had to be removed, as I recall.

      2. Captain Scarlet Silver badge
        Stop

        Re: hardware switch to enable flash re-write

        Well, Helldesk would go around, flip it, and not flip it back.

  4. Roland6 Silver badge

    Human error

    >The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated.

    An easy-to-make mistake.

    However, it would be interesting and perhaps relevant to know if the notebooks have one BIOS image (with the drivers) initially installed and then at some point this is securely overwritten with the Production BIOS.

  5. Adrian 4

    safe

    You know your laptop's old when "affected devices numbers more than a hundred models with millions of users worldwide" and it still isn't in the list.

    1. Norman Nescio Silver badge

      Re: safe

      Yes, but the problem is, you do not know if you are safe, or if the product is deemed so old that it is out of support and they can't be bothered to produce new flashable firmware.

      This is why open firmware and documented flashing mechanisms are important. Even better if they follow some sort of open standard.

      As others have pointed out, a hardware switch that needs to be thrown to allow flashing/updates is also a good thing. For those who want to do things remotely, you can always leave the switch in 'the allow updates' position and rely on software-based security, but for the rest of us with local notebook PCs and desktops/towers, a hardware switch would improve security immensely.

  6. John Brown (no body) Silver badge

    Bitlocker?

    "using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes."

    When working on some customer laptops, if I make changes to the BIOS config, e.g. disabling Secure Boot so I can run external diagnostics, Bitlocker has a hissy fit and requires a recovery key entry instead of just the PIN Number[*}. Of course, I put the config back to the original settings after I'm done, and Bitlocker is happy again. So I'm wondering if changes made to the UEFI settings will also trigger Bitlocker. I would assume other disk encryption will be equally paranoid about hardware or firmware config changes.

    1. John Brown (no body) Silver badge

      Re: Bitlocker?

      Oopsie, I forgot the footnote

      [*} PIN Number - To trigger certain people :-)

      1. KarMann Silver badge
        Headmaster

        Re: Bitlocker?

        The braces or the redundancy?

      2. Norman Nescio Silver badge

        Re: Bitlocker?

        I have seen it referred to as the 'PIN Code Number'. Historically used at ATM machines, of course, but these days used mostly to unlock phones. But we work in IT, so redundancy is meant to be good, isn't it?
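The behaviour John Brown describes above (toggling Secure Boot makes BitLocker demand the recovery key rather than the PIN) comes from the TPM protector being sealed to a set of PCRs; on current UEFI machines that set normally includes PCR 7, which measures the Secure Boot policy, so any change to it stops the TPM unsealing the volume key. The script below is an added example written for this page, not code from The Register or ESET: it reads the PCR validation profile of each TPM protector on the OS volume through the documented Win32_EncryptableVolume WMI class and reports whether a Secure Boot or firmware-configuration change will force recovery. It assumes an elevated PowerShell on Windows 10/11 with BitLocker enabled; the function name and the output object shape are my own.

```powershell
# Added example: report which firmware measurements a BitLocker TPM protector is bound to,
# so that a UEFI/Secure Boot change forcing recovery is expected rather than a surprise.
# Not part of the original thread. Requires elevation and the BitLocker/SecureBoot modules.

function Get-BitLockerFirmwareBinding {
    param([string]$MountPoint = 'C:')

    # Win32_EncryptableVolume lives in the MicrosoftVolumeEncryption namespace (documented class).
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
    if (-not $vol) { throw "No encryptable volume found for $MountPoint" }

    # KeyProtectorType 0 = all protectors. Type meanings (documented): 1 TPM, 3 numerical recovery
    # password, 4 TPM+PIN, 5 TPM+startup key, 6 TPM+PIN+startup key.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    $tpmTypes = 1, 4, 5, 6

    $bindings = foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                    -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        if ($tpmTypes -notcontains $type) { continue }

        # PlatformValidationProfile is a byte array of PCR indices the protector is sealed to.
        $pcrs = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                    -Arguments @{ VolumeKeyProtectorID = $id }).PlatformValidationProfile
        [pscustomobject]@{
            ProtectorId        = $id
            ProtectorType      = $type
            PCRs               = @($pcrs | ForEach-Object { [int]$_ })
            # PCR 7 = Secure Boot policy (db/dbx/PK/KEK and the on/off state).
            RecoveryOnSecureBootChange = [bool]($pcrs -contains 7)
            # PCR 0 = firmware code, PCR 2 = option ROMs, PCR 4 = boot manager/MBR code:
            # a BIOS update or boot-order change will trip these.
            RecoveryOnFirmwareUpdate   = [bool](($pcrs -contains 0) -or ($pcrs -contains 2) -or ($pcrs -contains 4))
        }
    }

    # Secure Boot state right now; Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    # Is there a recovery password at all? Without one, a tripped PCR means a locked volume.
    $hasRecoveryPassword = [bool]($ids | Where-Object {
        (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
            -Arguments @{ VolumeKeyProtectorID = $_ }).KeyProtectorType -eq 3 })

    [pscustomobject]@{
        MountPoint          = $MountPoint
        SecureBootEnabled   = $secureBoot
        HasRecoveryPassword = $hasRecoveryPassword
        TpmProtectors       = @($bindings)
    }
}

# Usage: run as administrator, then inspect the TpmProtectors list.
$report = Get-BitLockerFirmwareBinding -MountPoint 'C:'
$report | Format-List
$report.TpmProtectors | Format-Table ProtectorType, PCRs, RecoveryOnSecureBootChange, RecoveryOnFirmwareUpdate
```

The point for the thread's question: if the report shows PCR 7 in the profile, any UEFI Secure Boot change (including a firmware update that alters the signature databases) will trigger recovery exactly as described, which is the intended protection the ESET advice about a "TPM-aware full-disk encryption solution" refers to. Before deliberately changing firmware settings or applying a Lenovo BIOS update, the documented way to avoid the prompt is to confirm the recovery password is escrowed and then suspend protection for one reboot with `Suspend-BitLocker -MountPoint 'C:' -RebootCount 1`; BitLocker re-seals to the new measurements when it resumes.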

  7. Anonymous Coward
    Anonymous Coward

    Got a Lenovo laptop?

    x220, does it still count as 'Lenovo' and should I be worried?

    1. Roland6 Silver badge

      Re: Got a Lenovo laptop?

      >X220, does it still count as 'Lenovo'

      Depends on your perspective. Given the history, it does seem that their ex-IBM business range is still something different to their consumer ranges.

      >and should I be worried?

      Currently no: the X220 is a Thinkpad and thus business-grade, and the affected laptops are all consumer-grade.

  8. Cave_Homme

    And I only just recently removed the Lenovo bloatware

    1. Roland6 Silver badge

      Well, if you do insist on buying consumer-grade kit; should have bought a Thinkpad...
