CVE-2021-3970, CVE-2021-3971, CVE-2021-3972: Lenovo UEFI Firmware Vulnerabilities

Security company ESET discovered three new vulnerabilities in the UEFI firmware of Lenovo laptops, affecting hundreds of Lenovo models including the Lenovo Flex, IdeaPad, Legion, V14, V15, V17, and Yoga series. Attackers can use the vulnerabilities to implant malicious software in the SPI flash memory. Lenovo has now fixed the vulnerabilities, so ESET has disclosed their details.

The three vulnerability numbers are CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. CVE-2021-3971 and CVE-2021-3972 are located in two UEFI firmware drivers. These two drivers were originally only used in the manufacturing process of Lenovo’s consumer laptops, but I don’t know why they are also present in the shipped laptops after production is completed. The CVE-2021-3970 vulnerability is in System Management Mode (SMM) and can mainly be used for privilege escalation.

The two drivers are called SecureBackDoor and SecureBackDoorPeim, respectively. “SecureBackDoor is a DXE driver responsible for deactivating SPI flash protections if it finds a HOB identified by SECURE_BACKDOOR_HOB_GUID in the HOB list.” “SecureBackDoorPeim is a PEI module responsible for both reading the content of the UEFI variable cE!, which belongs to the namespace LENOVO_BACKDOOR_NAMESPACE_GUID, and preparing the correct HOB data structure to pass its value to the SecureBackDoor DXE phase driver.”

The following vulnerabilities were reported in Lenovo Notebook BIOS.

  • CVE-2021-3970: A potential vulnerability in the LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971: A potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.

The researchers say that the two drivers can be triggered by an attacker, who can then disable the SPI flash write protection and the UEFI Secure Boot function from a privileged process while the operating system is running. This means that attackers can escalate privileges, modify NVRAM, and deploy malicious code in the SPI flash or in the EFI System Partition (ESP). A UEFI rootkit of this type can persist for a long time and is difficult to detect.
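As an added defender-side check (written for this page, not ESET's or Lenovo's tooling), the following Python script walks a Linux efivarfs mount and reports two things that the advisory text above makes relevant: whether any NVRAM variable named cE! is present, in any namespace (the page does not give the value of LENOVO_BACKDOOR_NAMESPACE_GUID, so the script matches on the name alone), and the current SecureBoot and SetupMode values from the well-known EFI_GLOBAL_VARIABLE namespace. The sample efivarfs directory it builds is constructed for demonstration; the all-zero GUID in it is a placeholder, not the real namespace GUID.

```python
"""Inspect an efivarfs tree for the 'cE!' NVRAM variable and Secure Boot state.

Added example for this page; not part of the original post or any vendor tool.
On a real Linux system efivarfs is mounted at /sys/firmware/efi/efivars and
each file is laid out as: 4-byte little-endian attributes word + variable data.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID, as defined in the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Placeholder only: the page does not give LENOVO_BACKDOOR_NAMESPACE_GUID.
PLACEHOLDER_NAMESPACE = "00000000-0000-0000-0000-000000000000"
EFIVARS = Path("/sys/firmware/efi/efivars")
GUID_LEN = 36
EFI_VARIABLE_NON_VOLATILE = 0x1  # attribute bit meaning "stored in NVRAM"


def read_var(efivars: Path, name: str, guid: str) -> tuple[int, bytes] | None:
    """Return (attributes, data) for an efivarfs variable, or None if absent."""
    path = efivars / f"{name}-{guid}"
    if not path.is_file():
        return None
    raw = path.read_bytes()
    if len(raw) < 4:
        return None
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]


def find_backdoor_variable(efivars: Path) -> list[str]:
    """Names of efivarfs entries whose variable name is 'cE!' in any namespace."""
    if not efivars.is_dir():
        return []
    hits = []
    for entry in efivars.iterdir():
        fname = entry.name
        # Filename layout is <name>-<guid>; the GUID is the trailing 36 chars.
        if len(fname) > GUID_LEN + 1 and fname[-(GUID_LEN + 1)] == "-":
            if fname[: -(GUID_LEN + 1)] == "cE!":
                hits.append(fname)
    return sorted(hits)


def assess(efivars: Path = EFIVARS) -> dict:
    """Summarise the Secure Boot state and whether the 'cE!' variable exists."""
    sb = read_var(efivars, "SecureBoot", EFI_GLOBAL_VARIABLE)
    sm = read_var(efivars, "SetupMode", EFI_GLOBAL_VARIABLE)
    hits = find_backdoor_variable(efivars)
    persistent = [
        h for h in hits
        if (read_var(efivars, h[: -(GUID_LEN + 1)], h[-GUID_LEN:]) or (0, b""))[0]
        & EFI_VARIABLE_NON_VOLATILE
    ]
    return {
        "secure_boot_enabled": bool(sb) and len(sb[1]) > 0 and sb[1][0] == 1,
        "setup_mode": bool(sm) and len(sm[1]) > 0 and sm[1][0] == 1,
        "backdoor_variable_present": hits,
        "backdoor_variable_non_volatile": persistent,
    }


def build_sample(root: Path | None = None) -> Path:
    """Create a constructed efivarfs-like directory for offline demonstration."""
    root = Path(tempfile.mkdtemp()) if root is None else root
    attrs = (0x7).to_bytes(4, "little")  # NON_VOLATILE | BOOTSERVICE | RUNTIME
    (root / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").write_bytes(attrs + b"\x01")
    (root / f"SetupMode-{EFI_GLOBAL_VARIABLE}").write_bytes(attrs + b"\x00")
    # Constructed 'cE!' entry under the placeholder namespace GUID.
    (root / f"cE!-{PLACEHOLDER_NAMESPACE}").write_bytes(attrs + b"\x01")
    return root


if __name__ == "__main__":
    target = EFIVARS if EFIVARS.is_dir() else build_sample()
    print(f"inspecting {target}")
    for key, value in assess(target).items():
        print(f"{key}: {value}")
```

Run it as root on a Lenovo laptop to read the live efivarfs; without efivarfs it falls back to the constructed sample. A hit on cE! is an indicator worth investigating alongside a firmware update check, not proof of compromise by itself, since the advisory says the variable is consulted by manufacturing-era drivers that were left in shipped images.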

The above vulnerabilities were discovered in October last year, and ESET notified Lenovo promptly. I don’t know why it took Lenovo half a year to complete the repair. Lenovo has now issued a security bulletin reminding users to update as soon as possible. Hundreds of Lenovo laptop models are affected by the above-mentioned vulnerabilities.