For owners of more than 70 Lenovo laptop models, it is time once again to patch the UEFI firmware against critical vulnerabilities that attackers can exploit to install malware that is nearly impossible to detect or remove.
The laptop maker on Tuesday released updates for three vulnerabilities that researchers found in the UEFI firmware used to boot up a host of its notebook models, including the Yoga, ThinkBook, and IdeaPad lines. The company assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe drivers, respectively.
“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” security firm ESET said. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
The vulnerabilities can be exploited to reach arbitrary code execution in the early phases of the system boot, probably permitting the attackers to hijack the OS execution flow and disable some essential safety functions. 2/6
— ESET research (@ESETresearch) July 13, 2022
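The size-handling flaw ESET describes can be shown with a small model; this is an added example, not Lenovo's or ESET's code. `get_variable`, `BUF_LEN`, the status values and the NVRAM contents are constructed stand-ins for the UEFI `GetVariable` contract, and the 64-byte arena keeps the overwrite contained so the effect can be observed safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFI_SUCCESS          0  /* stand-in status values for this model */
#define EFI_BUFFER_TOO_SMALL 5
#define BUF_LEN              8  /* size the driver expects (assumed) */

static uint8_t nvram[64];       /* constructed NVRAM variable contents */
static size_t  nvram_len;
void set_nvram(size_t len) { nvram_len = len; memset(nvram, 0x41, len); }

/* Size contract: a too-small buffer makes the call overwrite *size. */
static int get_variable(size_t *size, void *data) {
    if (*size < nvram_len) { *size = nvram_len; return EFI_BUFFER_TOO_SMALL; }
    memcpy(data, nvram, nvram_len);
    *size = nvram_len;
    return EFI_SUCCESS;
}

/* arena[0..BUF_LEN) is the Data buffer; the rest stands in for adjacent memory. */
static int adjacent_clobbered(const uint8_t *arena, size_t n) {
    for (size_t i = BUF_LEN; i < n; i++) if (arena[i] != 0xAA) return 1;
    return 0;
}

/* Flawed: the second call reuses size, which the first call may have enlarged. */
int read_twice_flawed(void) {
    uint8_t arena[64]; size_t size = BUF_LEN;
    memset(arena, 0xAA, sizeof arena);
    get_variable(&size, arena);
    get_variable(&size, arena);   /* size is no longer tied to BUF_LEN */
    return adjacent_clobbered(arena, sizeof arena);
}

/* Checked: size is reset before each call and any error stops the read. */
int read_twice_checked(void) {
    uint8_t arena[64]; size_t size = BUF_LEN;
    memset(arena, 0xAA, sizeof arena);
    if (get_variable(&size, arena) == EFI_SUCCESS) {
        size = BUF_LEN;
        get_variable(&size, arena);
    }
    return adjacent_clobbered(arena, sizeof arena);
}

int main(void) {
    set_nvram(32);                /* variable longer than BUF_LEN */
    printf("flawed=%d checked=%d\n", read_twice_flawed(), read_twice_checked());
    return 0;
}
```

When reviewing firmware code, the pattern to look for is a size variable passed by pointer to one `GetVariable` call and reused by a later call without being reinitialized to the real buffer length.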
Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s system firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful effect because the UEFI infection will simply reinfect the computer afterward.
Many motherboard-resident flash chips that store the UEFI have access control mechanisms that can be locked during the boot process to prevent unauthorized firmware changes. It’s not clear if the affected Lenovo models have that capability. Even if they do, these protections are often turned off, misconfigured, or hampered by vulnerabilities. ESET researchers weren’t immediately available to comment on the requirements for exploiting these particular vulnerabilities.
In any event, owners of Lenovo laptops should take a minute to check Wednesday’s advisory to see if their model is vulnerable, because firmware updates typically require manual installation.