PC maker Lenovo has addressed yet one more set of three shortcomings within the Unified Extensible Firmware Interface (UEFI) firmware affecting a number of Yoga, IdeaPad, and ThinkBook gadgets.
“The vulnerabilities permit disabling UEFI Safe Boot or restoring manufacturing facility default Safe Boot databases (incl. dbx): all merely from an OS,” Slovak cybersecurity agency ESET defined in a sequence of tweets.
UEFI refers to software program that acts as an interface between the working system and the firmware embedded within the machine’s {hardware}. As a result of UEFI is accountable for launching the working system when a tool is powered on, it has made the know-how a horny possibility for menace actors trying to drop malware that is troublesome to detect and take away.
Considered in that mild, the failings, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could possibly be abused by an adversary to show off Safe Boot, a safety mechanism that is designed to stop malicious applications from loading in the course of the boot course of.
Lenovo’s advisory describes the vulnerabilities as follows –
- CVE-2022-3430: A possible vulnerability within the WMI Setup driver on some client Lenovo Pocket book gadgets might permit an attacker with elevated privileges to change Safe Boot setting by modifying an NVRAM variable.
- CVE-2022-3431: A possible vulnerability in a driver used in the course of the manufacturing course of on some client Lenovo Pocket book gadgets that was mistakenly not deactivated might permit an attacker with elevated privileges to change Safe Boot setting by modifying an NVRAM variable.
- CVE-2022-3432: A possible vulnerability in a driver used in the course of the manufacturing course of on the IdeaPad Y700-14ISK that was mistakenly not deactivated might permit an attacker with elevated privileges to change Safe Boot setting by modifying an NVRAM variable.
In different phrases, disabling the UEFI Safe Boot makes it potential for menace actors to execute rogue boot loaders, granting the attackers privileges entry to the compromised hosts.
ESET stated the vulnerabilities weren’t lapses within the supply code per se, however relatively got here into being as a result of the “drivers have been meant for use solely in the course of the manufacturing course of however have been mistakenly included within the manufacturing.”
The newest replace marks the third time Lenovo has moved to patch flaws in its UEFI firmware, all of which have been found and reported by ESET researcher Martin Smolár.
Whereas the primary set of points (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) may have permitted dangerous actors to deploy and execute firmware implants on the affected gadgets, the second batch (CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892) could possibly be weaponized to realize arbitrary code execution and disable safety features.
Lenovo stated it doesn’t intend to launch fixes for CVE-2022-3432 owing to the truth that the mannequin in query has reached end-of-life (EoL). Customers of the opposite impacted gadgets are really helpful to replace their firmware to the most recent model.
