Mobile users computers Lenovo θα πρέπει να προσέξουν ιδιαίτερα. Η εταιρεία security ESET has just announced that it has discovered three vulnerabilities (CVE-2021-3971, CVE-2021-3972, CVE-2021-3970) in the UEFI of Lenovo laptops.
Security gaps have been described as extremely critical. Exploits allow intruders to develop and execute malware in UEFI, such as LoJax or ESPecter on all affected devices.
ESET has published all the necessary ones on its blog. Security vulnerabilities affect various things models of Lenovo laptops.
CVE-2021-3971, CVE-2021-3972
The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFIs firmware drivers.
Affected UEFI firmware drivers can be enabled by attackers to disable SPI flash (BIOS control register bits and protected-range registers) or the UEFI secure boot capability from a privileged user process during operating system runtime.
Exploiting these vulnerabilities allows intruders to successfully develop and execute SPI flash or ESP implants such as LoJax or UEFI ESPecter on affected devices.
CVE-2021-3970
During the investigation of the above security gaps, the third vulnerability was discovered. May damage SMM memory in SW SMI handler mode (CVE-2021-3970). The vulnerability allows arbitrary registrations to and from SMRAM, which could lead to malicious code execution with SMM privileges and possibly the use of an SPI flash implant.
All vulnerabilities discovered were reported to Lenovo on October 11, 2021. Lenovo confirmed the vulnerabilities on November 17, 2021 and registered the CVEs.
The list of affected devices includes more than a hundred different laptop models with millions of users worldwide, from affordable models like the Ideapad-3 to more advanced models like the Legion 5 Pro-16ACH6 or the Yoga Slim 9-14ITL05.
The full list of affected models was published in Lenovo Advisory. Lenovo systems that have been manufactured since February 25, 2022, are not affected.