Hundreds Of Lenovo Laptop Models Face Security Issues Due To UEFI Flaws

Last Updated on April 22, 2022 by Anu Joy

Lenovo has issued a security advisory on vulnerabilities that affect its Unified Extensible Firmware Interface (UEFI) which is loaded on nearly 100 of its laptop models. The affected laptops include the IdeaPad 3, Legion 5 Pro, and Yoga Slim.

Three Vulnerabilities Affecting Lenovo Laptops Revealed

Researchers at ESET, an internet security company, had discovered three vulnerabilities that impact the UEFI Secure Boot feature, which allows the system to only load code trusted by the Original Equipment Manufacturer (OEM) when it boots. These threats were relayed to Lenovo back in October 2021.

The laptop maker acknowledged these issues and assigned the following three CVEs (Common Vulnerabilities and Exposures)—CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. Additionally, it published a security advisory regarding the same on Monday.

CVE-2021-3971 (SecureBackDoor), and CVE-2021-3972 (ChgBootDxeHook) lets malicious actors switch off the protection for the SPI flash memory chip where the UEFI firmware is stored. This disables the UEFI Secure Boot feature. These vulnerabilities were introduced when two UEFI firmware drivers were accidentally included in the firmware. These drivers are typically used only while manufacturing the laptop. These security issues passed by undetected by security software since they execute early on in the boot process, even before the operating system is loaded.

The third security vulnerability has been labelled as CVE-2021-3970 (LenovoVariableSmm). Once the attacker gains entry into the system, they will be able to execute arbitrary code with elevated privileges.

How To Protect Your Lenovo Laptop

You can check if your Lenovo laptop is affected by the security vulnerabilities here. To protect your Lenovo laptop from the aforementioned vulnerabilities, the company recommends users of affected devices to update their system firmware to the latest version. Lenovo’s support page has step-by-step instructions on downloading the latest firmware. Owners of laptops that have reached End of Development Support (EODS) can use a TPM-aware full-disk encryption to make disk data inaccessible to security threats.