Lenovo has issued a security advisory on vulnerabilities that affect its Unified Extensible Firmware Interface (UEFI) which is loaded on nearly 100 of its laptop models. The affected laptops include the IdeaPad 3, Legion 5 Pro, and Yoga Slim.
Three Vulnerabilities Affecting Lenovo Laptops Revealed
Researchers at ESET, an internet security company, discovered three vulnerabilities that affect UEFI Secure Boot, the feature that allows a system to load only code trusted by the Original Equipment Manufacturer (OEM) when it boots. The findings were reported to Lenovo in October 2021.
The laptop maker acknowledged the issues and assigned three CVEs (Common Vulnerabilities and Exposures): CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. It also published a security advisory covering them on Monday.
CVE-2021-3971 (SecureBackDoor) and CVE-2021-3972 (ChgBootDxeHook) let malicious actors switch off the protection for the SPI flash memory chip where the UEFI firmware is stored, which in turn allows UEFI Secure Boot to be disabled. These vulnerabilities were introduced when two UEFI firmware drivers, normally used only during manufacturing of the laptop, were accidentally left in the production firmware. Because these drivers execute early in the boot process, before the operating system is loaded, their activity goes undetected by security software running in the operating system.
The third vulnerability has been labelled CVE-2021-3970 (LenovoVariableSmm). An attacker who has already gained access to the system can use it to execute arbitrary code with elevated privileges.
How To Protect Your Lenovo Laptop
Lenovo's advisory lists the laptop models affected by these vulnerabilities, so you can check whether yours is among them. To protect an affected laptop, the company recommends that users update their system firmware to the latest version; Lenovo's support page has step-by-step instructions for downloading it. Owners of laptops that have reached End of Development Support (EODS) and will not receive a fix can use TPM-aware full-disk encryption to keep disk data inaccessible if the firmware is compromised.
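Since the vulnerabilities above work by turning Secure Boot off, a post-update sanity check is to confirm that Secure Boot is still enforced and note the running firmware version. The following is an added example (not Lenovo's or ESET's code) for a Linux host booted in UEFI mode; it reads the standard SecureBoot and SetupMode EFI variables from efivarfs and the BIOS version from sysfs, and the byte strings in the test are constructed samples.

```python
"""Report UEFI Secure Boot state and firmware version on a Linux host.

Added example for checking a patched Lenovo laptop. The values come from
the firmware itself, so this confirms configuration, not firmware integrity.
"""
from pathlib import Path
from typing import Optional

# EFI global variable GUID. Every efivarfs file starts with 4 bytes of
# variable attributes, followed by the variable data; SecureBoot and
# SetupMode each carry a single data byte (1 = true, 0 = false).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e0098032b8"
EFIVARS = Path("/sys/firmware/efi/efivars")
DMI_BIOS_VERSION = Path("/sys/class/dmi/id/bios_version")


def parse_efivar_bool(raw: bytes) -> bool:
    """Decode a one-byte boolean EFI variable from its efivarfs image."""
    if len(raw) < 5:
        raise ValueError(f"efivar too short: {len(raw)} bytes")
    return raw[4] == 1


def read_efivar(name: str) -> Optional[bytes]:
    """Return the raw efivarfs image of a global variable, or None if absent."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
    return path.read_bytes() if path.exists() else None


def secure_boot_status(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify the boot state as enforced, disabled, setup-mode or legacy-bios."""
    if secure_boot is None:
        return "legacy-bios"  # no SecureBoot variable: not booted via UEFI
    if setup_mode is not None and parse_efivar_bool(setup_mode):
        return "setup-mode"  # platform keys cleared; nothing is enforced
    return "enforced" if parse_efivar_bool(secure_boot) else "disabled"


def report() -> dict:
    """Collect firmware version and Secure Boot state from the live system."""
    version = DMI_BIOS_VERSION.read_text().strip() if DMI_BIOS_VERSION.exists() else "unknown"
    state = secure_boot_status(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    return {"bios_version": version, "secure_boot": state}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Anything other than "enforced" after a firmware update means the protection the advisory's fix restores is not actually in effect.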