Three vulnerabilities have been discovered in the UEFI firmware of several Lenovo notebooks.
Tracked CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432, the flaws have been found by security researchers at ESET and affect various Lenovo Yoga, IdeaPad and ThinkBook devices.
The first of the vulnerabilities is a flaw in the WMI Setup driver, which may allow an attacker with elevated privileges to modify secure boot settings by changing a non-volatile random access memory (NVRAM) variable.
The CVE-2022-3431 and CVE-2022-3432, on the other hand, are vulnerabilities in a driver that was mistakenly not deactivated during the manufacturing process and may also allow an attacker with elevated privileges to modify secure boot settings by changing an NVRAM variable.
“While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders [...] to bypass Secure Boot while keeping it enabled,” the company wrote in a series of Twitter posts.
“As in our previous discovery [...], current vulnerabilities weren’t caused by flaws in the code. The affected drivers were meant to be used only during the manufacturing process but were mistakenly included in the production.”
ESET has confirmed it reported the flaws to Lenovo, which promptly released a patch for the majority of them.
“For those using one of the affected devices, we highly recommend updating to the latest firmware version. To see if you are affected by these vulnerabilities and for the firmware update instructions, visit Lenovo Advisory.”
The advisory details mitigation strategies for all three vulnerabilities but clarifies that for CVE-2022-3432, the Ideapad Y700-14ISK has reached end-of-development support, and no fixes will be released.
“Lenovo recommends customers adopt secure computing practices, including active system lifecycle management,” the company wrote.
The advisory comes weeks after Intel confirmed the alleged leak of its Alder Lake BIOS/UEFI source code that had apparently been posted on 4chan and Github.