ESET researchers discovered and analyzed three vulnerabilities affecting various Lenovo laptop models. Attackers exploiting these vulnerabilities could deploy and successfully execute UEFI malware in the form of SPI flash implants such as LoJax or ESP implants such as the recently discovered ESPecter. ESET reported all discovered vulnerabilities to Lenovo in October 2021. The list of affected devices contains more than 100 different laptop models with millions of users worldwide.
ESET researcher Martin Smolár, who discovered the vulnerabilities, said: “UEFI threats can be extremely stealthy and dangerous. They run when the computer is first turned on, before control is transferred to the operating system; as a result they can bypass almost any security measures installed on the system, since this happens without the operating system kicking in. Our discovery of these so-called ‘secure’ UEFI backdoors shows that in some cases, UEFI threats can be very easy to deploy, and that more real-life UEFI threats have been discovered in recent years because attackers are aware of this ease.”
The first two of these vulnerabilities, CVE-2021-3970 and CVE-2021-3971, are “secure” backdoors built into the UEFI firmware. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or UEFI Secure Boot from a privileged user-mode process while the operating system is running.
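The SPI flash protections named above are plain hardware registers, so a defender can verify their state rather than trust the firmware. The following Python decoder is an added example (not ESET's tooling and not Lenovo code): it decodes the BIOS Control Register bits (BIOSWE, BLE, SMM_BWP) and the Protected Range (PRx) registers using the bit layout documented in Intel PCH datasheets, applies the same effective-protection rule that CHIPSEC's bios_wp check uses, and reports whether the BIOS region is still write-protected. The register values and the BIOS region boundaries are constructed sample data, not readings from any real machine; on a live system the values would come from a tool that can read the SPI controller's PCI configuration space and MMIO.

```python
"""Decode SPI flash write-protection registers and judge whether the BIOS
region is effectively protected. Register layouts follow public Intel PCH
datasheets; all sample values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL (BIOS Control Register) bit positions.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region writable by software
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM


@dataclass
class ProtectedRange:
    base: int              # first protected flash address
    limit: int             # last protected flash address (inclusive)
    write_protected: bool  # WPE bit
    read_protected: bool   # RPE bit


def decode_pr(value: int) -> ProtectedRange:
    """Decode one 32-bit PRx register: base in bits 14:0, limit in bits 30:16
    (both in 4 KiB units), RPE in bit 15, WPE in bit 31."""
    base = (value & 0x7FFF) << 12
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool((value >> 31) & 1), bool((value >> 15) & 1))


def bios_cntl_protects(bios_cntl: int) -> Tuple[bool, str]:
    """Effective only when BIOSWE is clear, BLE is set and SMM_BWP is set.
    BLE alone relies entirely on the SMI handler rejecting the write and is
    not counted as protection, matching the CHIPSEC bios_wp rule."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    if bioswe or not ble:
        return False, f"BIOS region write protection disabled (BIOSWE={int(bioswe)}, BLE={int(ble)})"
    if not smm_bwp:
        return False, "BLE set but SMM_BWP clear: protection not considered effective"
    return True, "BIOS region write protection enabled (writes restricted to SMM)"


def pr_covers(ranges: List[ProtectedRange], region: Tuple[int, int]) -> bool:
    """True if at least one write-protected PRx fully covers the BIOS region."""
    start, end = region
    return any(r.write_protected and r.base <= start and r.limit >= end for r in ranges)


def assess(bios_cntl: int, pr_values: List[int], bios_region: Tuple[int, int]) -> Dict[str, object]:
    """Combine both mechanisms: either one is enough to keep the region read-only."""
    cntl_ok, reason = bios_cntl_protects(bios_cntl)
    pr_ok = pr_covers([decode_pr(v) for v in pr_values], bios_region)
    return {"bios_cntl": cntl_ok, "protected_range": pr_ok,
            "protected": cntl_ok or pr_ok, "detail": reason}


# Constructed sample: BIOS region 0x400000..0xFFFFFF of a 16 MiB flash.
BIOS_REGION = (0x400000, 0xFFFFFF)
HARDENED = {"bios_cntl": BLE | SMM_BWP, "pr": [0x8FFF0400, 0, 0, 0, 0]}  # PR0 WPE set
DISABLED = {"bios_cntl": 0x00, "pr": [0x0FFF0400, 0, 0, 0, 0]}           # WPE cleared, BLE/SMM_BWP cleared


def run_samples() -> Dict[str, Dict[str, object]]:
    """Evaluate the two constructed register states."""
    return {name: assess(s["bios_cntl"], s["pr"], BIOS_REGION)
            for name, s in (("hardened", HARDENED), ("disabled", DISABLED))}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The "disabled" sample mirrors the end state the article describes (BIOS Control Register bits and Protected Range write-enable cleared): the decoder flags it even though each register still looks syntactically valid, which is why checking the actual bit values, not merely the presence of a PRx entry, matters.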
Moreover, while investigating the “secure” backdoor binaries, we discovered a third vulnerability: SMM memory corruption (CVE-2021-3972) inside the SW SMI handler function. This vulnerability allows arbitrary reads from and writes to SMRAM, which could lead to malicious code execution with SMM privileges and potentially the deployment of an SPI flash implant.
UEFI boot and runtime services (installing protocols, locating existing protocols, allocating memory, manipulating UEFI variables, and so on) provide the basic functions and data structures that drivers and applications need to do their jobs. UEFI boot drivers and applications make extensive use of protocols. UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.
SMM, on the other hand, is a highly privileged execution mode of x86 processors. Its code is written as part of the system firmware and is commonly used for a variety of tasks, including advanced power management, OEM-specific code execution, and secure firmware updates.
Smolár explains: “All real-world UEFI threats discovered in recent years (LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy) had to somehow bypass or disable security mechanisms in order to be deployed and executed.”
ESET Research strongly recommends that all Lenovo laptop owners review the list of affected devices and update their firmware according to the manufacturer’s instructions.
If no update is available, or you are using legacy devices affected by UEFI SecureBootBackdoor (CVE-2021-3970) that are no longer updated, one way to protect the UEFI Secure Boot state from unwanted modifications is to rely on the TPM, which can make disk data inaccessible if the UEFI Secure Boot configuration changes. You can use a TPM-aware full disk encryption solution.
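Why a TPM-aware disk encryption setup blocks this scenario is easiest to see in the PCR arithmetic. The Python below is an added simulation written for this article, not code from ESET or any disk-encryption product: it reproduces the TPM extend operation (PCR_new = SHA-256(PCR_old || SHA-256(measurement))) to build a PCR7-style value from a constructed Secure Boot configuration, then wraps a disk key under a key derived from that PCR value. A real TPM performs sealing inside the chip with its own key hierarchy; the HMAC-based wrap and the names of the measured items (SecureBoot flag, db certificates, dbx hashes) are simplifications assumed here. The point it demonstrates is the one the paragraph makes: once Secure Boot is switched off or the signature database is altered, the measured value differs and the key can no longer be unsealed.

```python
"""Simulation of PCR7-style measurement and sealing a disk key to it.
Not a real TPM interface; the extend formula is the TPM one, the wrap is a
stand-in. All inputs below are constructed sample data."""
import hashlib
import hmac
from typing import Dict, List, Optional

PCR_INIT = bytes(32)  # PCRs start as all zeros after reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_secure_boot_state(secure_boot_enabled: bool,
                              db_certs: List[bytes],
                              dbx_hashes: List[bytes]) -> bytes:
    """Build a PCR7-like value from the Secure Boot configuration.
    Order matters, as it does in a real event log."""
    pcr = PCR_INIT
    pcr = pcr_extend(pcr, b"SecureBoot=" + bytes([int(secure_boot_enabled)]))
    for cert in db_certs:
        pcr = pcr_extend(pcr, b"db:" + cert)
    for h in dbx_hashes:
        pcr = pcr_extend(pcr, b"dbx:" + h)
    return pcr


def seal(disk_key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> bytes:
    """Wrap a 32-byte disk key under a key derived from the TPM secret and the
    expected PCR value, with an integrity tag so a wrong PCR is detected."""
    assert len(disk_key) == 32
    wrap = hmac.new(tpm_secret, b"seal" + expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(disk_key, wrap))
    tag = hmac.new(wrap, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(blob: bytes, current_pcr: bytes, tpm_secret: bytes) -> Optional[bytes]:
    """Return the disk key only if the current PCR matches the sealed one."""
    wrap = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    ciphertext, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(wrap, ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


# Constructed sample configuration and secrets.
DB = [b"constructed-OEM-cert", b"constructed-third-party-UEFI-CA"]
DBX = [b"constructed-revoked-hash"]
TPM_SECRET = b"constructed-tpm-storage-secret"
DISK_KEY = hashlib.sha256(b"constructed disk key").digest()


def boot_and_unseal(secure_boot_enabled: bool, db_certs: List[bytes],
                    dbx_hashes: List[bytes], blob: bytes) -> Optional[bytes]:
    """Simulate one boot: measure the current state, then try to unseal."""
    pcr7 = measure_secure_boot_state(secure_boot_enabled, db_certs, dbx_hashes)
    return unseal(blob, pcr7, TPM_SECRET)


def demo() -> Dict[str, object]:
    """Seal at the known-good state, then boot under three configurations."""
    good_pcr = measure_secure_boot_state(True, DB, DBX)
    blob = seal(DISK_KEY, good_pcr, TPM_SECRET)
    return {
        "same_state": boot_and_unseal(True, DB, DBX, blob) == DISK_KEY,
        "secure_boot_disabled": boot_and_unseal(False, DB, DBX, blob),
        "extra_db_cert": boot_and_unseal(True, DB + [b"constructed-unexpected-cert"], DBX, blob),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Only the first case yields the key; disabling Secure Boot or adding a certificate to db changes PCR7 and leaves the data unreadable until the configuration is restored or the key is re-sealed with a recovery credential, which is exactly the behaviour the recommendation relies on.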