ESET finds 3 critical vulnerabilities in UEFI of Lenovo consumer notebooks

Users of Lenovo notebooks should take action. Security vendor ESET has just announced that it has discovered three vulnerabilities (CVE-2021-3970, CVE-2021-3971, CVE-2021-3972) in the UEFI firmware of Lenovo consumer notebooks that are rated as highly problematic from a security perspective. The vulnerabilities allow attackers to deploy and successfully execute UEFI malware such as LoJax or ESPecter on the affected devices.

I became aware of the issue via subsequent tweets from ESET – ESET has published the details in this blog post. The vulnerabilities affect various Lenovo notebook models.

Lenovo UEFI vulnerabilities

The vulnerabilities CVE-2021-3971, CVE-2021-3972

The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers that were originally intended to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were also inadvertently included in production BIOS images without being properly disabled.

The affected firmware drivers can be activated by attackers to directly disable the SPI flash protection features (BIOS control register bits and protected-range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime. Exploitation of these vulnerabilities allows attackers to deploy and successfully execute SPI flash or ESP implants such as LoJax or the recently discovered UEFI malware ESPecter on affected devices.
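As a defender's check of the protections named above, here is an added example (not code from the ESET post or from Lenovo) that decodes constructed Intel PCH BIOS_CNTL and SPI protected-range (PRx) register values and reports whether the BIOS region of the flash is write-protected. The bit layout is assumed from older Intel PCH documentation (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5; PRx WPE bit 31, PRL bits 28:16, RPE bit 15, PRB bits 12:0, 4 KiB granularity); field widths differ on newer chipsets, and on a real machine the values would come from a firmware inspection tool rather than the constants used here.

```python
from dataclasses import dataclass

# Assumed Intel PCH BIOS_CNTL bit layout (older PCH generations):
BIOSWE = 1 << 0    # BIOS Write Enable: BIOS region writable when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only SMM code may write

# Assumed SPI PRx layout: WPE bit 31, PRL bits 28:16, RPE bit 15,
# PRB bits 12:0, in 4 KiB units. Field width varies by PCH generation.
PR_FIELD_MASK = 0x1FFF


@dataclass
class ProtectedRange:
    base: int            # first protected byte
    limit: int           # last protected byte
    write_protect: bool  # WPE
    read_protect: bool   # RPE


def decode_pr(value: int) -> ProtectedRange:
    """Decode one PRx register value into an address range."""
    prb = value & PR_FIELD_MASK
    prl = (value >> 16) & PR_FIELD_MASK
    return ProtectedRange(prb << 12, (prl << 12) | 0xFFF,
                          bool(value >> 31 & 1), bool(value >> 15 & 1))


def ranges_cover(ranges, start, end):
    """True if write-protected ranges cover every byte of [start, end]."""
    pos = start
    for r in sorted((r for r in ranges if r.write_protect), key=lambda r: r.base):
        if r.base > pos:        # gap before this range: coverage fails
            break
        pos = max(pos, r.limit + 1)
    return pos > end


def assess_spi_protection(bios_cntl, pr_values, bios_region):
    """Return (protected, findings) for the BIOS region (start, end)."""
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: BIOS region writable from the OS")
    if not bios_cntl & BLE:
        findings.append("BLE clear: BIOSWE can be flipped without an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: writes allowed outside SMM")
    cntl_ok = not findings
    pr_ok = ranges_cover([decode_pr(v) for v in pr_values], *bios_region)
    if not pr_ok:
        findings.append("no PRx write-protected range covers the BIOS region")
    return cntl_ok or pr_ok, findings


# Constructed sample values: 8 MiB BIOS region at the top of 16 MiB flash.
BIOS_REGION = (0x800000, 0xFFFFFF)
WEAK = (0x01, [0, 0, 0, 0, 0])                       # BIOSWE on, nothing locked
LOCKED = (BLE | SMM_BWP, [0x8FFF0800, 0, 0, 0, 0])   # locks set, PR0 covers region

if __name__ == "__main__":
    for name, (cntl, prs) in (("weak", WEAK), ("locked", LOCKED)):
        ok, notes = assess_spi_protection(cntl, prs, BIOS_REGION)
        print(name, "protected" if ok else "UNPROTECTED", notes)
```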

Vulnerability CVE-2021-3970

While investigating the drivers affected by the vulnerabilities above, ESET discovered a third vulnerability: an SMM memory corruption within the SW SMI handler function (CVE-2021-3970). This vulnerability allows arbitrary reads from and writes to SMRAM, which could lead to the execution of malicious code with SMM privileges and potentially the deployment of an SPI flash implant.

Lenovo has been informed

All discovered vulnerabilities were reported to Lenovo on October 11, 2021. Lenovo confirmed the vulnerabilities on November 17, 2021 and assigned the CVEs named above. In total, the list of affected devices includes more than one hundred different consumer laptop models with millions of users worldwide, ranging from affordable models like the Ideapad-3 to more advanced models like the Legion 5 Pro-16ACH6 H or the Yoga Slim 9-14ITL05. The full list of affected models with active development support is published in the Lenovo Advisory. Lenovo systems manufactured on or after February 25, 2022, are not expected to be affected.

In addition to the models listed in the advisory, some other devices that ESET has reported to Lenovo are also affected. However, those devices have reached End of Development Support (EODS), so the vulnerabilities will not be fixed. This includes devices such as the Ideapad 330-15IGM and the Ideapad 110-15IGR. The list of EODS devices that ESET researchers were able to identify will be available in ESET's vulnerability reporting repository.
