Chinese manufacturer Lenovo has left critical security flaws in more than 100 consumer laptop models. Millions of computers are affected. But fixes are available.
The case seems incredible. But it is nevertheless true and even now official: Lenovo has left several critical security flaws lying around in laptop PCs mainly intended for the general public. The most impressive thing is that more than 100 models are affected by this astonishing problem, which in practice represents millions of vulnerable computers worldwide! Almost all of the Chinese manufacturer’s ranges are affected, from inexpensive IdeaPads to Legion series gaming PCs, including Yoga-type convertibles and Slim family ultraportables (see the complete list lower).
These are the researchers ofESET, a company specializing in computer security, who discovered the flaws several months ago. As they explain in great detail in their online report published on April 19, 2022, three vulnerabilities have been identified. Referenced CVE-2021-3971 and CVE-2021-3972, the first two relate to an issue with UEFI, the low-level software housed in SPI (non-volatile) flash memory that interfaces between firmware (the firmware that manages the “physical” functions of the motherboard ) and the operating system (Windows in this case). By exploiting them, an attacker could deploy and execute malicious code and disable both SPI chip protection and UEFI’s Secure Boot feature, all before the operating system’s security systems even enter. in action. Not bad ! The third vulnerability, dubbed CVE-2021-3970for its part, allowed a local attacker to execute arbitrary code with elevated privileges on the PC.
Backdoors forgotten in over 100 Lenovo laptops
The most surprising in the story is that these vulnerabilities are not due to a banal programming error (a bug), but to a stupid oversight. Indeed, backdoors (backdoors, in English) with explicit names (SecureBackDoor, SecureBackDoorPeim, ChgBootDxeHook, ChgBootSmm) are voluntarily integrated into the UEFI drivers by Lenovo for internal needs during PC production. They are in principle only used during the manufacturing process. But, for some obscure reason, the manufacturer did not deactivate them before marketing… Nerd!
ESET alerted Lenovo to its discovery on October 11, 2021, and the manufacturer, which acknowledged the flaws on November 17, has since corrected the problem by releasing new UEFI drivers. Here is the official list compiled by Lenovo in his newsletter released April 19, 2022, with all affected model names and links to support pages to download patches. If you have a registered laptop, quickly check that the UEFI is up to date!