Vulnerabilities in Lenovo laptops expose millions of users to firmware-level malware

Researchers for ESET reported Tuesday discovering at least three vulnerabilities affecting hundreds of Lenovo consumer laptops with millions of users worldwide.

The first two — CVE-2021-3971 and CVE-2021-3972 — affect UEFI firmware drivers meant to be used only during the manufacturing process of consumer notebooks, but were mistakenly included in the production BIOS images, researcher Martin Smolar wrote on ESESt’s security blog. The firmware drivers can be activated by an attacker to directly disable SPI flash protections or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime, which would allow attackers to deploy SPI flash or ESP implants like LoJax or ESPecter.

While investigating the first two vulnerabilities, the researchers discovered a third: an SMM memory corruption inside the SW SMI handler function (CVE-2021-3970). The vulnerability allows arbitrary read/write from /into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant. 

Smoler shared that ESET reported the vulnerabilities to Lenovo in October, and the company confirmed the vulnerabilities in November. Lenovo has a full list of affected models with active development support in an advisory on its website.