Lenovo: three security vulnerabilities, update immediately

Laptop users should pay special attention. Security company ESET has just announced that it has discovered three vulnerabilities (CVE-2021-3971, CVE-2021-3972, CVE-2021-3970) in the UEFI firmware of Lenovo laptops.

The security holes have been marked as extremely critical. They allow attackers to deploy and run UEFI malware such as LoJax or ESPecter on all affected devices.

ESET published all the essentials on its blog. Security vulnerabilities affect various Lenovo laptop models.

CVE-2021-3971, CVE-2021-3972

The first two of these vulnerabilities, CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers.

Attackers can enable the affected UEFI firmware drivers to disable SPI flash protection features (the BIOS control register and the protected-range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.

Exploiting these vulnerabilities allows intruders to successfully deploy and execute SPI flash or ESP implants such as LoJax or UEFI ESPecter on affected devices.
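To make the SPI flash protections named above concrete for someone auditing a machine, here is an added example (not code from ESET or Lenovo) that decodes raw BIOS control register and protected-range register values and reports which protections are off. The bit layout is an assumption based on Intel PCH documentation, and the register values are constructed samples; on a real system they would come from a firmware audit tool's register dump.

```python
# Added example: decode SPI flash protection registers from raw values.
# Assumption: Intel PCH layout. BIOS_CNTL: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP.
# PRx: base bits 14:0, read-protect bit 15, limit bits 30:16, write-protect bit 31.
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5

def decode_bios_cntl(value):
    """Return the three protection-relevant flags of the BIOS control register."""
    return {
        "write_enable": bool(value & BIOSWE),
        "lock_enable": bool(value & BLE),
        "smm_write_protect": bool(value & SMM_BWP),
    }

def decode_protected_range(value):
    """Return the flash range (4 KiB granularity) and protection flags of one PRx."""
    return {
        "base": (value & 0x7FFF) << 12,
        "limit": (((value >> 16) & 0x7FFF) << 12) | 0xFFF,
        "read_protected": bool(value & (1 << 15)),
        "write_protected": bool(value & (1 << 31)),
    }

def audit(bios_cntl, pr_values):
    """List every SPI flash protection that is not in effect."""
    findings = []
    flags = decode_bios_cntl(bios_cntl)
    if flags["write_enable"]:
        findings.append("BIOSWE set: flash writes are currently enabled")
    if not flags["lock_enable"]:
        findings.append("BLE clear: BIOSWE can be set without raising an SMI")
    if not flags["smm_write_protect"]:
        findings.append("SMM_BWP clear: flash writes are not restricted to SMM")
    if not any(decode_protected_range(v)["write_protected"] for v in pr_values):
        findings.append("no protected range has write protection enabled")
    return findings

# Constructed sample register dumps (not taken from a real device).
LOCKED = {"bios_cntl": 0x2A, "pr": [0x8FFF0A00, 0, 0, 0, 0]}
UNLOCKED = {"bios_cntl": 0x09, "pr": [0, 0, 0, 0, 0]}

if __name__ == "__main__":
    for name, dump in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        issues = audit(dump["bios_cntl"], dump["pr"])
        print(name, "->", issues or "all checked protections enabled")
```

A configuration that passes this check at boot can still be changed later if a vulnerable driver is present, which is why the firmware update remains the fix.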

CVE-2021-3970

While investigating the above security gaps, the third vulnerability was also discovered. It can cause SMM to crash in SW SMI handler mode (CVE-2021-3970). The vulnerability allows arbitrary reads from and writes to SMRAM, which could lead to the execution of malicious code with SMM privileges and possibly the deployment of an SPI flash implant.

All vulnerabilities discovered were reported to Lenovo on October 11, 2021. Lenovo confirmed the vulnerabilities on November 17, 2021 and registered the CVEs.

The list of affected devices includes more than a hundred different laptop models with millions of users worldwide, from affordable models like the Ideapad-3 to more advanced models like the Legion 5 Pro-16ACH6 or the Yoga Slim 9-14ITL05.

The full list of affected models was published in the Lenovo advisory. Lenovo systems manufactured since February 25, 2022 are not affected.

Written by giorgos