- ESET Research discovered and reported to Lenovo, the Chinese multinational technology company, three buffer overflow vulnerabilities in its UEFI firmware.
- The flaws stem from poor validation of an NVRAM variable called “DataSize” in three different drivers: ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe.
- Lenovo has released security updates to address new vulnerabilities in its UEFI firmware that affect over 70 laptop models, including ThinkBook models.
Lenovo, the Chinese consumer electronics company, has released fixes for three security flaws in its UEFI firmware affecting over 70 product models. This is the second time since the start of the year that the company has disclosed UEFI security vulnerabilities in its products.
ThinkBook models also have vulnerabilities
According to the Slovak cybersecurity firm ESET, which discovered the vulnerabilities, the flaws can be exploited to achieve arbitrary code execution in the early stages of platform boot, potentially allowing attackers to hijack the OS execution flow and disable important security features. The issue is a typical UEFI “double GetVariable” vulnerability, a pattern that can also be identified in firmware code by the superb IDA plugin efiXplorer.
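As an added illustration (not code from the article, from ESET or from Lenovo), the C model below shows the “double GetVariable” shape beside a bounded reader. `mock_get_variable`, the status constants and the sample variables are constructed stand-ins for the UEFI runtime service and for NVRAM contents, not Lenovo's driver code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for GetVariable semantics: when *data_size is smaller
   than the stored variable it returns EFI_BUFFER_TOO_SMALL and writes the
   required size back into *data_size. */
#define EFI_SUCCESS          0
#define EFI_BAD_BUFFER_SIZE  4   /* used by the hardened reader for an oversized variable */
#define EFI_BUFFER_TOO_SMALL 5

typedef struct { const uint8_t *data; size_t size; } mock_var;   /* constructed NVRAM entry */

static int mock_get_variable(const mock_var *v, size_t *data_size, uint8_t *buf) {
    if (*data_size < v->size) { *data_size = v->size; return EFI_BUFFER_TOO_SMALL; }
    if (v->size) memcpy(buf, v->data, v->size);
    *data_size = v->size;
    return EFI_SUCCESS;
}

#define LOCAL_BUF 16

/* Vulnerable shape: a fixed stack buffer, then a second call that reuses the same
   buffer with the DataSize handed back by the first call. The variable lives in
   NVRAM, so whoever can write it chooses that size. This model returns how many
   bytes the second call would write past the buffer instead of performing it. */
static size_t double_getvariable_overrun(const mock_var *v) {
    uint8_t buf[LOCAL_BUF];
    size_t data_size = sizeof buf;
    if (mock_get_variable(v, &data_size, buf) == EFI_BUFFER_TOO_SMALL)
        return data_size > sizeof buf ? data_size - sizeof buf : 0;  /* second call would go here */
    return 0;
}

/* Hardened reader: learn the size, reject anything above the caller's capacity,
   then copy while passing the real capacity (not the reported size), so a variable
   that grew between the two calls is refused rather than overflowing.
   Returns bytes read, or a negative EFI status. */
static long safe_get_variable(const mock_var *v, uint8_t *out, size_t cap) {
    size_t data_size = 0;
    int st = mock_get_variable(v, &data_size, NULL);
    if (st == EFI_SUCCESS) return 0;                 /* zero-length variable */
    if (st != EFI_BUFFER_TOO_SMALL) return -st;
    if (data_size > cap) return -EFI_BAD_BUFFER_SIZE;
    data_size = cap;
    st = mock_get_variable(v, &data_size, out);
    return st == EFI_SUCCESS ? (long)data_size : -st;
}

/* Constructed samples: one variable larger than LOCAL_BUF, one that fits. */
static uint8_t oversized_bytes[40], small_bytes[8], demo_buf[64];
static const mock_var oversized_var = { oversized_bytes, sizeof oversized_bytes };
static const mock_var small_var = { small_bytes, sizeof small_bytes };

int main(void) {
    printf("overrun: %zu bytes\n", double_getvariable_overrun(&oversized_var));   /* 24 */
    printf("capped read: %ld\n", safe_get_variable(&oversized_var, demo_buf, 32)); /* -4 */
    return 0;
}
```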
The following vulnerabilities were reported in Lenovo Notebook BIOS:
CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
CVE-2021-3971: A potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices, which was mistakenly included in the BIOS image, could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
CVE-2021-3972: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
The flaws stem from poor validation of an NVRAM variable called “DataSize” in three different drivers: ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe. The Chinese company advises updating the system firmware to the version (or newer) for the affected models, including ThinkBook models.
This is the second time Lenovo has fixed UEFI security vulnerabilities. In April, the company fixed three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972). The flaws in both cases were found by Martin Smolár of ESET.