Security firm ESET said Tuesday that it has discovered a number of UEFI vulnerabilities across a large swathe of over 100 different Lenovo consumer laptop models, which can be patched by updating the notebook's firmware.
The full list of affected laptops includes the Ideapad-3, the Legion 5 Pro-16ACH6 H, and the Yoga Slim 9-14ITL0. ESET discovered the vulnerabilities late last year. Lenovo then worked to develop a patch and released it on the manufacturer's website. ESET did not say whether these vulnerabilities were being actively exploited in the wild.
Specifically, the three different vulnerabilities would allow an attacker to modify either the Secure Boot settings or the firmware itself, a change that would survive reinstallation of the operating system, ESET said. "UEFI threats can be extremely stealthy and dangerous," the firm wrote. "They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed."
The third vulnerability, in the SMI handler code, would allow an attacker with local access and elevated privileges to execute arbitrary code, giving them control of the machine.
To resolve the issue, Lenovo recommends that users navigate to the support website (support.lenovo.com), which resolves to pcsupport.lenovo.com. (The laptop manufacturer has addressed the vulnerability with a specific Web page devoted to it, where you'll find this as well as supplementary information.)
There, Lenovo asks that you take the following steps:
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- The last step requires that you find your laptop's model on the list of affected products and simply make sure that the firmware you're downloading matches the file that Lenovo has published.
There's a catch, though. According to ESET, several laptops impacted by the vulnerability won't be patched because they're reaching End Of Development Support (EODS). "This includes devices where we observed reported vulnerabilities for the first time: Ideapad 330-15IGM and Ideapad 110-15IGR. The list of such EODS devices that we have been able to identify will be available in ESET's vulnerability disclosures repository."
"For those using End Of Development Support (EODS) devices affected by the vulnerability, without any fixes available: one thing that can help you protect against unwanted modification of the UEFI Secure Boot state is using a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes," ESET wrote.
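To show why that mitigation works, here is an added, self-contained model of what a TPM-aware full-disk encryption solution does: it measures the Secure Boot state into a PCR and seals the disk key to that measurement, so any change to the Secure Boot configuration yields a different PCR and the key cannot be recovered. This is illustrative code written for this article, not ESET's or Lenovo's; it simulates the TPM extend and seal operations in software, and the measured variable set and order are assumptions.

```python
import hashlib
import hmac
import os

# Constructed illustration: bind a disk key to the measured UEFI Secure Boot
# state so that a change to that state makes the key (and the disk data)
# unavailable. Pure software model of TPM "extend" and seal/unseal; the
# set and order of measured variables below are assumed, not a vendor's.

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_secure_boot(config: dict) -> bytes:
    """Replay the Secure Boot measurements firmware records into PCR 7."""
    pcr = bytes(32)                      # PCRs start zeroed at reset
    for var in ("SecureBoot", "PK", "KEK", "db", "dbx"):
        pcr = pcr_extend(pcr, var.encode() + b"\0" + config[var])
    return pcr

def seal_key(disk_key: bytes, expected_pcr: bytes) -> dict:
    """Wrap disk_key under a key derived from the expected PCR value."""
    salt = os.urandom(16)
    wrap = hashlib.pbkdf2_hmac("sha256", expected_pcr, salt, 1000, len(disk_key))
    blob = bytes(a ^ b for a, b in zip(disk_key, wrap))
    tag = hmac.new(wrap, blob, "sha256").digest()   # detects a wrong PCR
    return {"salt": salt, "blob": blob, "tag": tag}

def unseal_key(sealed: dict, current_pcr: bytes):
    """Return disk_key only if current_pcr equals the PCR it was sealed to."""
    wrap = hashlib.pbkdf2_hmac("sha256", current_pcr, sealed["salt"], 1000,
                               len(sealed["blob"]))
    expected = hmac.new(wrap, sealed["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None                      # policy mismatch: data stays locked
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

# Constructed sample Secure Boot state (placeholder certificate bytes).
GOOD_STATE = {"SecureBoot": b"\x01", "PK": b"OEM-PK-cert", "KEK": b"KEK-cert",
              "db": b"db-certs", "dbx": b"dbx-hashes"}
DISK_KEY = bytes(range(32))              # constructed sample disk key
SEALED = seal_key(DISK_KEY, measure_secure_boot(GOOD_STATE))

def boot(config: dict):
    """Simulated boot: unseal the disk key against the measured state."""
    return unseal_key(SEALED, measure_secure_boot(config))
```

With an unchanged configuration `boot(GOOD_STATE)` returns the disk key; disabling Secure Boot or altering the db contents changes PCR 7 and `boot` returns `None`.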