Executive Summary

UEFI Firmware provides an interface allowing for configuration of a computer at the beginning of the boot sequence, prior to the operating system loading. This firmware is supplied with every modern computer and allows an administrator to make hardware and security configuration changes to the system, while allowing the computer to boot successfully into the operating system. Lenovo has disclosed three vulnerabilities within this UEFI Firmware, affecting its consumer laptop range. These vulnerabilities could allow an attacker with local access to the machine to execute arbitrary code on the laptop.

What’s the risk to my business?

A malicious actor with local access to an affected laptop may be able to compromise the security and data stored on the laptop.

What can I do?

Updates to the UEFI Firmware on affected laptops are available and should be installed onto affected laptops. It’s noted that this firmware will need to be downloaded and installed from the Lenovo website, and these updates will not be supplied through Windows Update. As these firmware updates apply to low-level software that effectively makes the computer work, it is critical that the laptop is plugged in and not restarted while the update is taking place.

Important: Firmware updates have not been supplied for models that have reached end of development support with Lenovo. It is important to ensure that all corporate systems are within a support window with the manufacturer for this reason.

Technical Summary

Lenovo have issued firmware updates for the following CVE’s: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972. Security researchers originally disclosed these updates on 11/10/2021, and Lenovo released fixes on 18/04/2022.

CVE-2021-3970 relates to a validation vulnerability within a variable named “LenovoVariable SMI Handler” which may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3971 relates to a vulnerability within an older driver used during the manufacturing process that was mistakenly included within the BIOS image. This vulnerability could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.

CVE-2021-3972 relates to a vulnerability within an older driver used during the manufacturing process was mistakenly not deactivated which could allow an attacker with elevated privileges to modify secure boot settings by modifying an NVRAM variable.

Information on affected models with firmware updates available can be found here: Lenovo Notebook BIOS Vulnerabilities - Lenovo Support GB

Further information on the technicalities of the vulnerabilities can be found here: When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops | WeLiveSecurity

Need help understanding your gaps, or just want some advice? Get in touch with us.