In addition, while investigating above mentioned vulnerable drivers, we discovered the third vulnerability: SMM memory corruption inside the SW SMI handler function ( CVE-2021-3970). As it turned out, their functionality was even more interesting and could be abused to disable UEFI Secure Boot ( CVE-2021-3972).
#LENOVO PCI SERIAL PORT DRIVER WINDOWS 7 INFO DRIVERS#
After some initial analysis, we discovered other Lenovo drivers sharing a few common characteristics with the SecureBackDoor* drivers: ChgBootDxeHook and ChgBootSmm.
These drivers immediately caught our attention by their very unfortunate (but surprisingly honest) names: SecureBackDoor and SecureBackDoorPeim. To understand how we were able to find these vulnerabilities, consider the firmware drivers affected by CVE‑2021-3971.
It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices. These affected firmware drivers can be activated by attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated. The first two of these vulnerabilities – CVE-2021-3971, CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malwareĮSET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models.
0 kommentar(er)
