ESET said more than 100 different laptop models and millions of users worldwide may be affected. The vulnerabilities would allow attackers to deploy and execute UEFI malware in the form of a flash implant like LoJax or UEFI bootkit.
ESET reported all discovered vulnerabilities to Lenovo in October 2021 and Lenovo has software updates available to address the issues. Lenovo published a list of firmware updates to address the vulnerabilities on March 12. Lenovo did not respond to messages seeking comment by press time.
“UEFI threats can be extremely stealthy and dangerous,” Martin Smolár, an ESET researcher who discovered the threats, said in a statement. “They are executed early in the boot process before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed.”
He added, “Our discovery demonstrates that in some cases deployment of the UEFI threats might not be as difficult as expected and the larger amount of real-world UEFI threats discovered in the last several years suggests that adversaries are aware of this.”
ESET said the first two of the vulnerabilities affect UEFI firmware drivers originally meant for Lenovo’s manufacturing process only. ESET said they were mistakenly included in the BIOS images shipped on the notebooks without being deactivated, leaving those machines vulnerable. The third vulnerability is an SMM memory corruption that would allow arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code, the company said.
“All of the real-world UEFI threats discovered in the last years—LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy—needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” Smolár wrote. ESET explained that hackers could use the vulnerability to implant malicious software on the SPI flash, a small memory chip located on the computer’s motherboard and normally protected by the BIOS Control Register.
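The protection ESET refers to is a set of lock bits in the chipset's BIOS Control Register, plus the SPI controller's Protected Range registers, that together decide whether runtime code can write to the firmware region of the SPI flash. The following decoder is an added example written for this article, not code from ESET or Lenovo: it takes register values a practitioner has already dumped with a tool such as chipsec or setpci and reports whether the flash region is locked. The bit layout assumed here (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5 in BIOS_CNTL; WPE bit 31, limit bits 28:16 and base bits 12:0 in each PRx) follows Intel PCH datasheets for common client chipsets, and all sample values are constructed.

```python
# Decoder for the BIOS Control Register (BIOS_CNTL) and SPI Protected Range
# registers (PR0..PR4). Bit layout assumed from Intel PCH datasheets; it
# does not touch hardware, it only interprets values dumped by another tool.

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = runtime writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE triggers an SMI so firmware can clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured while all cores are in SMM

PR_WPE = 1 << 31   # Protected Range Write Protect Enable
PR_MASK = 0x1FFF   # base/limit fields are 13 bits of 4 KiB units


def decode_bios_cntl(value):
    """Return the three write-protection relevant bits of BIOS_CNTL."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Decode one PRx register into an address range and its WPE flag."""
    base = (value & PR_MASK) << 12
    limit = (((value >> 16) & PR_MASK) << 12) | 0xFFF
    return {"wpe": bool(value & PR_WPE), "base": base, "limit": limit}


def assess_flash_protection(bios_cntl, pr_values=()):
    """Classify the BIOS region as 'protected', 'partial' or 'writable'.

    'protected': BLE set, BIOSWE clear and SMM_BWP set (or a WPE range present).
    'partial'  : lock bit set but SMM_BWP clear, so protection rests on the
                 SMI handler re-clearing BIOSWE rather than on the chipset.
    'writable' : no lock at all; a runtime implant could modify the flash.
    """
    bits = decode_bios_cntl(bios_cntl)
    ranges = [decode_pr(v) for v in pr_values]
    findings = []

    locked = bits["BLE"] and not bits["BIOSWE"]
    wpe_ranges = [r for r in ranges if r["wpe"]]

    if not locked:
        findings.append("BIOS region write protection disabled (BLE clear or BIOSWE set)")
    if not bits["SMM_BWP"]:
        findings.append("SMM_BWP clear: lock depends on SMI handler, not chipset enforcement")
    for r in wpe_ranges:
        findings.append("write-protected range 0x%08X-0x%08X" % (r["base"], r["limit"]))

    if locked and bits["SMM_BWP"]:
        status = "protected"
    elif locked or wpe_ranges:
        status = "partial" if not wpe_ranges else "protected"
    else:
        status = "writable"
    return {"status": status, "bits": bits, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values, not readings from any real machine.
    for name, cntl, prs in [
        ("locked with SMM_BWP", 0x2A, []),
        ("lock set, no SMM_BWP", 0x02, []),
        ("writable", 0x01, []),
        ("writable but PR0 covers BIOS", 0x01, [0x8FFF0F00]),
    ]:
        result = assess_flash_protection(cntl, prs)
        print("%-32s %s" % (name, result["status"]))
        for f in result["findings"]:
            print("    " + f)
```

Run it against register values from an unknown machine by dumping BIOS_CNTL and PR0..PR4 first; a "writable" or "partial" verdict on a model on Lenovo's list is a strong reason to apply the firmware update ESET describes, since a flash implant like LoJax needs exactly that window.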
Tony Anscombe, chief security evangelist at ESET, explained that the BIOS system is a particularly vulnerable target because even removing the hard drive doesn’t address the security threat. “If a cybercriminal could get access to the device, they could disable a lot of the security mechanisms that are on the device,” he said. “And of course that makes the whole system more vulnerable to attacks. So it’s important that a consumer actually goes and checks if that device is on the list and if it is, that they actually do update their firmware.”
Anscombe said ESET in the past has uncovered vulnerabilities that have affected billions of devices. “So, this is a lot, but in perspective, we’ve seen bigger cases of vulnerabilities,” he said. “And this is software-level. And let’s be clear: No software is perfect. However much you test it, sometimes there are vulnerabilities.”
ESET said these threats can be executed early in the boot process, bypassing almost all security measures, and that the only fix is to update the firmware.