ESET researchers have identified and analyzed three vulnerabilities affecting various models of Lenovo laptops.
The first two – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers, originally intended for use only in Lenovo’s consumer laptop manufacturing process. Unfortunately, they were erroneously included in production BIOS images without proper deactivation.
An attacker can enable these firmware drivers to directly disable SPI flash protection or the UEFI secure boot feature from a privileged user mode process.
The third vulnerability, CVE-2021-3970, allows arbitrary reads from and writes to SMRAM, which could lead to malicious code executing with SMM privileges and potentially to the deployment of an SPI flash implant.
The problem is that the vulnerabilities affect more than a hundred different models of Lenovo laptops. Given the company’s sales, we are talking about millions of laptops in the hands of users.
ESET specialists reported the vulnerabilities to Lenovo back in October. However, some models will not receive any patches because their support period has expired. Examples include the Ideapad 330-15IGM and Ideapad 110-15IGR.