This is a rather serious oversight. Eset security researchers have just revealed the presence of backdoors in more than a hundred models of Lenovo consumer laptops. Among the affected ranges are IdeaPad, Legion, Slim and Yoga; in total, the number of affected devices must be in the millions. Evidently, this was not a deliberate act of sabotage. Implemented in the form of UEFI drivers, the backdoors were named “SecureBackDoor”, “SecureBackDoorPeim”, “ChgBootDxeHook” and “ChgBootSmm”, which is quite self-explanatory, and therefore not very stealthy!
According to Lenovo’s security notice, these backdoors were used during the manufacturing process of the laptops for practical reasons. Unfortunately, Lenovo forgot to remove them. Eset researchers have shown that they allow two types of action. With “SecureBackDoor” and “SecureBackDoorPeim”, it was possible to disable the write protections of the SPI flash memory on which the UEFI firmware is stored and, consequently, to modify its code (CVE-2021-3971). With “ChgBootDxeHook” and “ChgBootSmm”, an attacker could bypass UEFI Secure Boot, the mechanism that helps ensure the authenticity and integrity of boot firmware (CVE-2021-3972).
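As an added illustration (not part of the article, nor of Eset's or Lenovo's tooling), the following Python scans a raw SPI flash dump for the four driver names quoted above, in both ASCII and UTF-16LE (the encoding UEFI firmware volumes use for module names), and reports where each one occurs; the firmware image and offsets below are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Driver names reported by Eset for CVE-2021-3971 / CVE-2021-3972.
BACKDOOR_DRIVER_NAMES = (
    "SecureBackDoor",
    "SecureBackDoorPeim",
    "ChgBootDxeHook",
    "ChgBootSmm",
)


def scan_firmware_image(image: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Locate the listed driver names in a raw SPI flash dump.

    Returns {name: [(encoding, offset), ...]} for names that were found.
    Longer names are searched first so that "SecureBackDoor" is not also
    reported at an offset already claimed by "SecureBackDoorPeim".
    """
    hits: Dict[str, List[Tuple[str, int]]] = {}
    claimed = set()  # (encoding, offset) pairs already attributed to a name
    for name in sorted(BACKDOOR_DRIVER_NAMES, key=len, reverse=True):
        for enc, pattern in (
            ("ascii", name.encode("ascii")),
            ("utf-16le", name.encode("utf-16-le")),
        ):
            for match in re.finditer(re.escape(pattern), image):
                key = (enc, match.start())
                if key in claimed:
                    continue  # prefix of a longer name found at this offset
                claimed.add(key)
                hits.setdefault(name, []).append(key)
    return hits


def is_affected(image: bytes) -> bool:
    """True if any of the backdoor driver names is present in the dump."""
    return bool(scan_firmware_image(image))


# Constructed sample dump: one UTF-16LE name, one ASCII name, one benign name.
SAMPLE_IMAGE = (
    b"\xff" * 32
    + "ChgBootSmm".encode("utf-16-le")   # 20 bytes at offset 32
    + b"\x00" * 16
    + b"SecureBackDoorPeim"               # 18 bytes at offset 68
    + b"\x00" * 8
    + b"OtherDriver"
)

if __name__ == "__main__":
    for name, where in scan_firmware_image(SAMPLE_IMAGE).items():
        print(name, where)
```

A hit only shows that the module is present in the image, not whether the firmware is still vulnerable; the vendor's advisory and the installed BIOS version remain the authoritative check.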
By analyzing these drivers, the researchers discovered a third flaw (CVE-2021-3970), which allowed access to SMRAM and modification of the code executed in System Management Mode (SMM). SMM is a highly protected mode used, for example, to manage advanced power functions, run proprietary OEM functions or perform firmware updates. This flaw could potentially be used to install malware directly in the SPI flash.
To be exploited, all these vulnerabilities require administrator privileges, which is no small thing. But the effort is worth it, because “Infecting UEFI is kind of the holy grail in computer hacking”, explains Benoît Grunemwald, cybersecurity expert at Eset. Malware nested in UEFI is particularly persistent: it survives even if the operating system is reinstalled or the hard drive is replaced.
This type of malware is mostly used in targeted attacks. In 2018, Eset researchers were the first to detect a sample of UEFI malware. Called LoJax, it was the work of the Russian hacking group APT28.
Patches available since last November
Regarding the flaws found in Lenovo laptops, no one knows whether they were actually used by hackers. But since they were not very difficult to find, it is likely that other hackers knew of their existence. Alerted by Eset in October 2021, Lenovo confirmed the issue the following month. A patch is now available for all models that are still supported. To protect against the CVE-2021-3972 flaw, it is also possible to encrypt the disk using the TPM, which would “make data inaccessible if the UEFI Secure Boot configuration changes”, as Eset’s blog post clarifies.