ESET: Millions Using Lenovo Laptops Potentially Vulnerable to Malware Attacks

More than 100 models of Lenovo laptops used by millions globally contain vulnerabilities that could allow attackers to deploy and successfully execute unified extensible firmware interface (UEFI) malware.

ESET discovered the vulnerabilities and reported them to Lenovo last October. Lenovo sent us the following statement:

“Lenovo thanks ESET for bringing to our attention an issue in drivers used in the manufacturing of some consumer notebooks. The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected. Lenovo welcomes collaboration with BIOS (firmware that runs while a computer boots up) researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards.”

ESET Discovers 3 Vulnerabilities

Tony Anscombe is chief security evangelist at ESET.

ESET’s Tony Anscombe

“If the vulnerability is exploited, there is potential that the bad actor could deploy threats such as LoJax or ESPecter,” he said. “Threats such as these allow the attacker to insert malware into the boot process of the operating system, thus circumventing many of the security measures that would be in place during a normal boot process.”

Lenovo markets the vulnerable devices to consumers, Anscombe said.

“However, small businesses or organizations that have less stringent rules on device types may be using consumer devices in a business environment,” he said. “All Lenovo users should check if their device is on the list.”

The first two of these vulnerabilities affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Attackers can disable SPI flash protections or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime.

The third vulnerability allows arbitrary read/write from/into the special memory range (SMRAM). That can lead to the execution of malicious code with system management mode (SMM) privileges and potentially lead to the deployment of an SPI flash implant.

Extremely Stealthy and Dangerous

Martin Smolár is the ESET researcher who discovered the vulnerabilities in Lenovo laptops.

ESET’s Martin Smolár

“UEFI threats can be extremely stealthy and dangerous,” he said. “Our discovery demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected.”

Threats can bypass almost all security measures and mitigations higher in the stack, according to ESET. It also appears that UEFI vulnerabilities are growing, and that bad actors are aware of this.

Ray Steen is chief strategy officer of MainSpring, a Washington, D.C., area managed IT service provider. He said Lenovo isn’t the first vendor to include “out-of-the-box” security vulnerabilities in its products. This leaves “countless workstations” susceptible to firmware-level attacks.

“In recent years, software and hardware supply chains have been sources of escalating risk, reminding us that cybersecurity cannot be an afterthought in the modern business environment,” he said.

Now more than ever, organizations need support from C-level cybersecurity professionals like CIOs and virtual CIOs, Steen said. They can evaluate vendors for security practices, implement patches and more.