Researchers warned on Wednesday that more than two dozen Lenovo notebook models are vulnerable to attacks that disable UEFI Secure Boot and then run unsigned UEFI software or load bootloaders that permanently backdoor the device.
The laptop manufacturer published security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads, at the same time that security researchers from ESET disclosed the flaws. Vulnerabilities that compromise UEFI Secure Boot are especially dangerous because they allow the installation of malicious firmware that survives repeated operating system reinstallations.
UEFI, short for Unified Extensible Firmware Interface, is the firmware that connects a computer's hardware and its operating system. It is the first link in the security chain because it is the first code to execute when almost any modern machine is powered on. UEFI lives in a flash chip on the motherboard, which makes infections there hard to find and remove. Standard remedies such as wiping the hard drive and reinstalling the OS are ineffective, because the UEFI infection simply reinfects the computer afterwards.
“Allows disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS,” ESET said of the flaws, which are tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432. Secure Boot uses databases as its allow and deny lists. In particular, the DBX database holds the cryptographic hashes of blocked keys. By disabling the databases or resetting them to their default values, attackers can remove constraints that are normally in place.
“Changing things in firmware from the OS is not common, even rare,” a researcher specializing in firmware security, who preferred not to be named, said in an interview. “Most folks mean that to change settings in firmware or in BIOS you need to have physical access to smash the DEL button at boot to enter the setup and do things there. When you can do some of the things from the OS, that’s kind of a big deal.”
With UEFI Secure Boot disabled, attackers can execute malicious UEFI software, which is otherwise blocked because Secure Boot requires UEFI applications to be cryptographically signed. Restoring the factory-default DBX, meanwhile, lets attackers load weak bootloaders. In August, researchers from the security firm Eclypsium uncovered three well-known software drivers that could be used to bypass Secure Boot when an attacker holds elevated privileges (administrator on Windows or root on Linux).
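The two checks a defender would want after reading the ESET and Eclypsium findings above are whether Secure Boot is actually still enabled and whether the DBX still carries the revocation entries it should. The following is an added example, not code from ESET, Lenovo or the article: it reads the `SecureBoot` and `dbx` variables as exposed by Linux efivarfs (assumed paths) and parses the UEFI `EFI_SIGNATURE_LIST` structure that makes up db/dbx, so a reset or emptied DBX shows up as a drop in entry count. The `min_expected` threshold is an assumption the operator supplies from the revocation list they distribute.

```python
"""Check Secure Boot state and parse the dbx revocation database (added example)."""
import struct
import uuid

# GUIDs for the two common entry types inside an EFI_SIGNATURE_LIST.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS_ATTR_LEN = 4  # efivarfs prefixes every variable with 4 attribute bytes
# Assumed efivarfs paths (standard global-variable GUIDs on a Linux host).
SECUREBOOT_PATH = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def secure_boot_enabled(raw: bytes) -> bool:
    """raw is the efivarfs file content: 4 attribute bytes then one byte (1 = enabled)."""
    return len(raw) >= EFIVARS_ATTR_LEN + 1 and raw[EFIVARS_ATTR_LEN] == 1


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST blobs; return (type_guid, owner, sig_data) tuples.
    Layout: SignatureType GUID(16) | ListSize u32 | HeaderSize u32 | SigSize u32 | header | entries."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature size does not divide list body")
        for i in range(0, len(body), sig_size):  # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    if off != len(data):
        raise ValueError("trailing bytes after last EFI_SIGNATURE_LIST")
    return entries


def dbx_intact(entries, min_expected: int) -> bool:
    """Defender check: a dbx with far fewer SHA-256 revocations than the list you
    distributed (or none at all) is consistent with a reset to factory defaults."""
    return sum(1 for t, _, _ in entries if t == EFI_CERT_SHA256_GUID) >= min_expected


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build a SHA-256 EFI_SIGNATURE_LIST; used here only to construct test data."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


if __name__ == "__main__":
    with open(SECUREBOOT_PATH, "rb") as f:
        print("Secure Boot enabled:", secure_boot_enabled(f.read()))
    with open(DBX_PATH, "rb") as f:
        dbx = parse_signature_lists(f.read()[EFIVARS_ATTR_LEN:])
    print("dbx entries:", len(dbx), "intact:", dbx_intact(dbx, min_expected=1))
```

Run it as root on the host being checked; a `False` from either check is the signal to compare the firmware state against the vendor's update, not proof of compromise by itself.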