A flaw in the manufacturer-supplied UEFI firmware of many Lenovo laptop and desktop models makes it possible to implant malware that is very hard to detect and almost impossible to remove.
Unlike the legacy BIOS found on PCs a decade ago, UEFI firmware is far more sophisticated: it is effectively a small operating system stored on a flash memory chip soldered to the motherboard. It runs below the main OS (e.g. Windows), which has almost no visibility into it, initializes the PC's components before handing control to the OS, and has practically unrestricted access to the hardware. Compromising it with malware therefore has devastating consequences: an attacker who uses this vector gains control of the device in a way that is hard to detect and very hard to undo.
Reinstalling the operating system from scratch does not solve the problem, since the infection lives in a separate memory chip, one that is normally locked against writes once the system boots and is meant to be reflashed only through the manufacturer's own update tooling.
Tracked as CVE-2021-3971 and CVE-2021-3972, the two vulnerabilities lie in Lenovo drivers that were intended only for the manufacturing process but were mistakenly left active in the production UEFI firmware images. One of them can turn off the write protection of the firmware flash chip, the other can disable Secure Boot; both were supposed to be deactivated on devices shipped to customers. A feature that is convenient during pre-production testing is, on a shipping device, practically an invitation to attackers.
An attacker can use these drivers to override key security mechanisms. With Secure Boot switched off, unsigned boot components and drivers load before the operating system does, beneath the reach of OS-level defenses, and with flash write protection off, the attacker can write an implant into the firmware itself. Having done so, the attacker can then do what Lenovo forgot to do, namely re-enable the write protection, so that the original firmware cannot simply be flashed back over the implant to neutralize it.
The only way to close these vulnerabilities is to apply the firmware updates Lenovo has released for the affected devices. Exploiting them requires elevated privileges on the machine (administrator rights, to change the UEFI variables the leftover drivers read), so on their own they do not give a remote attacker a way in; they do not, however, require physical access, and malware that has already gained administrator rights on Windows can use them to make itself persistent below the OS. In practice: keep the firmware current, and pay attention to where a Lenovo laptop or PC comes from, since a device tampered with before it reaches you is hard to spot.
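A practical follow-up to the Secure Boot and firmware-update points above is to verify, after patching, what the firmware actually reports. The script below is an added example (not code from the article, Lenovo or ESET): it parses the UEFI variables that Linux exposes under /sys/firmware/efi/efivars, where each file is a 4-byte little-endian attribute word followed by the variable's data, and combines SecureBoot and SetupMode into a verdict. The GUID and attribute bits come from the UEFI specification; the SAMPLE_* byte strings are constructed so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Report what the firmware says about Secure Boot by parsing the UEFI
variables Linux exposes under /sys/firmware/efi/efivars.

Added example, not code from the article, Lenovo or ESET.  The /sys paths,
the EFI_GLOBAL_VARIABLE GUID and the attribute bits are from the UEFI
specification and efivarfs; the SAMPLE_* byte strings are constructed
test data so the parser runs without real hardware.
"""
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Attribute bits stored in the 4-byte header of every efivarfs file.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable payload with a little-endian uint32
    holding the EFI_VARIABLE_* attribute bits.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs file is shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables holding 0 or 1."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected payload for boolean variable: {data!r}")
    return data[0] == 1


def assess(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Combine SecureBoot and SetupMode into a verdict.

    Secure Boot is only enforced when SecureBoot == 1 and SetupMode == 0;
    a platform in Setup Mode accepts unsigned key updates and does not
    actually verify boot components.
    """
    secure_boot = boolean_var(secure_boot_raw)
    setup_mode = boolean_var(setup_mode_raw)
    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
    }


def read_live() -> dict:
    """Read the real variables plus the DMI BIOS version on a Linux host.

    Returns an empty dict on non-UEFI or non-Linux systems.
    """
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb.exists() and sm.exists()):
        return {}
    result = assess(sb.read_bytes(), sm.read_bytes())
    version_file = Path("/sys/class/dmi/id/bios_version")
    if version_file.exists():
        # Compare this string by hand against the fixed version Lenovo lists
        # for the specific model; those version strings are not reproduced here.
        result["bios_version"] = version_file.read_text().strip()
    return result


# Constructed samples: attribute word 0x6 (boot-service + runtime access),
# followed by the single data byte.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_USER = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_SETUP = b"\x06\x00\x00\x00\x01"


if __name__ == "__main__":
    live = read_live()
    if live:
        print("live:", live)
    else:
        print("no efivars on this host; offline sample:",
              assess(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_USER))
```

One caveat a practitioner should keep in mind: the firmware itself answers the variable read, so a firmware implant of the kind described above can report whatever it likes. This check confirms the configuration after an update and catches a platform accidentally left in Setup Mode; it is not a way to detect an implant, which needs a read of the flash contents from outside the running firmware (a hardware programmer, or a vendor tool compared against a known-good image).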