More than 25 models Lenovo laptops are vulnerable to malicious attacks that disable the UEFI secure boot process and then run unsigned UEFI apps or load bootloaders to permanently backdoor devices.
At the same time that researchers from security firm ESET uncovered the vulnerabilities, the laptop maker released security updates for 25 models, including ThinkPads, Yoga Slims and IdeaPads. The security gaps that undermine the safe UEFI boot are serious because they allow attackers to install malicious firmware that survives operating system formats.
The Unified Extensible Firmware Interface, or UEFI is the software that bridges a computer's firmware with the functional of the system. As the first piece of code that runs when a computer starts up, it is the first link in the security chain. Because UEFI resides on a flash chip on the motherboard, infections are very difficult to detect and remove.
Standard measures such as one format of the hard drive and reinstalling the operating system does not help, because the infected UEFI will infect the computer again when it starts.
Η ESET είπε ότι τα κενά ασφαλείας CVE-2022-3430, CVE-2022-3431 και CVE-2022-3432, επιτρέπουν την απενεργοποίηση της ασφαλούς εκκίνησης UEFI ή την επαναφορά των εργοστασιακών προεπιλεγμένων ρυθμίσεων της baseof secure boot data (and dbx). Secure Boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores encrypted hashes of denied keys.
Disabling or resetting databases to default values allows an attacker to override restrictions that would normally apply.