worried, moi
I was getting a bit concerned about this but when looking at the Lenovo link it appears only Win 10 is affected. No problem with Ubuntu.
Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET. Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI …
"UEFI threats can be extremely stealthy and dangerous," … "They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations"
Congratulations, you've unearthed the primary reason that UEFI has been foisted on us. But (un)fortunately those characteristics apply equally to both the 'bad' and 'good' malware.
Compaq had a slide switch on the motherboard of one of their (late 90s/early 2000s, pre-UEFI) super-small desktops. You had to flip the switch before it would let you flash the BIOS. It also had a ROM-based BIOS you could activate if the flashing procedure failed, so you'd still be able to boot and re-do the flash-writing.
But no, that's "old tech", and Intel pushed vPro, which lets you (and villains) do everything to a PC over-the-wire. Super-handy, and it lets corps cut IT staff, but vPro security was (surprise?) flawed.
>The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated.
An easy-to-make mistake.
However, it would be interesting and perhaps relevant to know if the notebooks have one BIOS image (with the drivers) initially installed and then at some point this is securely overwritten with the Production BIOS.
Yes, but the problem is, you do not know if you are safe, or the product is deemed so old that it is out of support and they can't be bothered to produce new flashable firmware.
This is why open firmware and documented flashing mechanisms are important. Even better if they follow some sort of open standard.
As others have pointed out, a hardware switch that needs to be thrown to allow flashing/updates is also a good thing. For those who want to do things remotely, you can always leave the switch in the 'allow updates' position and rely on software-based security, but for the rest of us with local notebook PCs and desktops/towers, a hardware switch would improve security immensely.
"using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes."
When working on some customer laptops, if I make changes to the BIOS config, e.g. disable Secure Boot so I can run external diagnostics, BitLocker has a hissy fit and requires a recovery key entry instead of just the PIN number[*]. Of course, I put the config back to the original settings after I'm done, and BitLocker is happy again. So I'm wondering if changes made to the UEFI settings will also trigger BitLocker. I would assume other disk encryption will be equally paranoid about hardware or firmware config changes.
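An added illustration, not part of this comment thread, of why toggling Secure Boot forces the recovery prompt and why restoring the setting makes the drive unlock again: a Python simulation of TPM PCR extension and PCR-bound sealing. The event log contents, the binding to PCR 7 alone, and the XOR wrap are constructed simplifications (real BitLocker seals the volume key inside the TPM against a PCR policy; this code only reproduces the "same PCRs, same key; different PCRs, no key" behaviour).

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # SHA-256 bank PCRs start at all zeros at power-on


def pcr_extend(old: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA-256(PCR_old || SHA-256(event))."""
    return hashlib.sha256(old + hashlib.sha256(event).digest()).digest()


def replay_pcrs(event_log):
    """Replay a list of (pcr_index, event_bytes) into final PCR values."""
    pcrs = {}
    for index, event in event_log:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), event)
    return pcrs


def pcr_policy_digest(pcrs, selection):
    """Digest over the selected PCRs; stands in for a TPM2 PCR policy digest."""
    h = hashlib.sha256()
    for index in selection:
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


def seal(secret: bytes, pcrs, selection=(7,)):
    """Bind a 32-byte secret to the current PCR state (simulated sealing)."""
    digest = pcr_policy_digest(pcrs, selection)
    wrap = hashlib.sha256(b"wrap|" + digest).digest()
    return {"blob": bytes(a ^ b for a, b in zip(secret, wrap)), "policy": digest, "sel": selection}


def unseal(sealed, pcrs):
    """Return the secret only if the replayed PCRs match the sealing policy."""
    digest = pcr_policy_digest(pcrs, sealed["sel"])
    if not hmac.compare_digest(digest, sealed["policy"]):
        return None  # policy mismatch: the FDE layer falls back to the recovery key
    wrap = hashlib.sha256(b"wrap|" + digest).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def boot_event_log(secure_boot_on: bool):
    """Constructed log: PCR 0 measures firmware code, PCR 7 the Secure Boot policy."""
    return [
        (0, b"constructed-firmware-volume"),
        (7, b"SecureBoot=" + (b"1" if secure_boot_on else b"0")),
        (7, b"PK/KEK/db/dbx=constructed-key-store"),
    ]


def simulate(secret: bytes, secure_boot_sequence):
    """Seal at the first boot, then report for each later boot whether the key unseals."""
    sealed = seal(secret, replay_pcrs(boot_event_log(secure_boot_sequence[0])))
    return [unseal(sealed, replay_pcrs(boot_event_log(sb))) is not None for sb in secure_boot_sequence]
```

Any firmware setting that is measured into a sealed PCR (Secure Boot state, key databases, on some platforms boot order or option ROMs) changes the digest the same way, which is the behaviour the quoted ESET advice relies on.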
>X220, does it still count as 'Lenovo'
Depends on your perspective. Given the history, it does seem that their ex-IBM business range is still something different to their consumer ranges.
>and should I be worried?
Currently no; the X220 is a ThinkPad and thus business-grade, while the affected laptops are all consumer-grade.