PC maker Lenovo has addressed yet another set of three shortcomings in its Unified Extensible Firmware Interface (UEFI) firmware that affect some Yoga, IdeaPad, and ThinkBook devices.
“This vulnerability allows you to disable UEFI Secure Boot and restore factory default Secure Boot databases (including dbx), all of which can be easily done from the OS,” Slovak cybersecurity firm ESET explained in a series of tweets.
UEFI refers to software that acts as an interface between the operating system and the firmware embedded in the device’s hardware. UEFI is responsible for booting the operating system when the device is powered on, making it an attractive target for attackers looking to drop malware that is difficult to detect and remove.
Viewed in that light, the flaws, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could be exploited by an attacker to turn off Secure Boot, a security mechanism designed to prevent malicious programs from loading during the boot process.
Lenovo's advisory describes the vulnerabilities as follows:
- CVE-2022-3430: A potential vulnerability in the WMI setup driver of some Lenovo consumer notebook devices could allow a high-privileged attacker to modify NVRAM variables to change Secure Boot settings.
- CVE-2022-3431: A potential vulnerability in drivers used during the manufacturing process of some consumer Lenovo notebook devices that were mistakenly not deactivated could allow a high-privileged attacker to modify NVRAM variables to change Secure Boot settings.
- CVE-2022-3432: A potential vulnerability in a driver that was used during the IdeaPad Y700-14ISK manufacturing process and was mistakenly not deactivated could allow a high-privileged attacker to modify NVRAM variables to change Secure Boot settings.
In other words, disabling UEFI Secure Boot allows threat actors to run rogue boot loaders, giving attackers access to compromised hosts.
ESET said the vulnerability was not due to a flaw in the source code itself, but because “the driver was intended to be used only in the manufacturing process, but was accidentally included in the product”.
The latest update marks the third time Lenovo has moved to patch flaws in its UEFI firmware. All of these were discovered and reported by ESET researcher Martin Smolár.
The first set of issues (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) allowed malicious actors to deploy and execute firmware implants on affected devices, while a second batch (CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892) can be weaponized to execute arbitrary code and disable security features.
Lenovo said it has no plans to release a fix for CVE-2022-3432 as the model in question has reached its End of Life (EoL). Users of other affected devices are advised to update their firmware to the latest version.
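As a defender-side check for the state changes described above (Secure Boot switched off, dbx restored to factory defaults), the following added example, which is not from Lenovo's advisory or ESET's research, reads the Secure Boot variables from Linux efivarfs and compares dbx against a previously recorded hash. The function names, the baseline-hash approach and the sample bytes are assumptions made for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032bfe"   # EFI_GLOBAL_VARIABLE GUID
EFI_IMG_SEC = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # image security database (db, dbx)
EFIVARS = "/sys/firmware/efi/efivars"                 # Linux efivarfs mount point

def read_efivar(root, name, guid):
    """Return a variable's data, or None if it is absent or truncated."""
    # efivarfs prefixes every file with a 4-byte little-endian attributes field.
    path = Path(root) / f"{name}-{guid}"
    raw = path.read_bytes() if path.is_file() else b""
    return raw[4:] if len(raw) >= 4 else None

def secure_boot_findings(root=EFIVARS, baseline_dbx_sha256=None):
    """List deviations from the expected Secure Boot state."""
    findings = []
    if read_efivar(root, "SecureBoot", EFI_GLOBAL) != b"\x01":
        findings.append("SecureBoot disabled or unreadable")
    if read_efivar(root, "SetupMode", EFI_GLOBAL) == b"\x01":
        findings.append("SetupMode active (no Platform Key enrolled)")
    dbx = read_efivar(root, "dbx", EFI_IMG_SEC)
    if not dbx:
        findings.append("dbx missing or empty")
    elif baseline_dbx_sha256 and hashlib.sha256(dbx).hexdigest() != baseline_dbx_sha256:
        findings.append("dbx differs from baseline (possible reset to factory defaults)")
    return findings

def write_sample(root, name, guid, data, attrs=0x07):
    """Write a constructed efivarfs-style file (fixture, not real firmware data)."""
    (Path(root) / f"{name}-{guid}").write_bytes(struct.pack("<I", attrs) + data)

def demo():
    """Constructed scenario: healthy state, then Secure Boot off and dbx rolled back."""
    current_dbx, factory_dbx = b"constructed-dbx-v2", b"constructed-dbx-v1"
    baseline = hashlib.sha256(current_dbx).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        write_sample(root, "SecureBoot", EFI_GLOBAL, b"\x01")
        write_sample(root, "SetupMode", EFI_GLOBAL, b"\x00")
        write_sample(root, "dbx", EFI_IMG_SEC, current_dbx)
        healthy = secure_boot_findings(root, baseline)
        write_sample(root, "SecureBoot", EFI_GLOBAL, b"\x00")
        write_sample(root, "dbx", EFI_IMG_SEC, factory_dbx)
        tampered = secure_boot_findings(root, baseline)
    return healthy, tampered

if __name__ == "__main__":
    print(demo())
```

On a real host, call `secure_boot_findings()` with the default root and a dbx hash recorded after the last firmware or dbx update; a legitimate dbx update also changes the hash, so the baseline has to be refreshed at that point.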