This ain’t anything new, but Lenovo is yet again under fire for its security practices. A security researcher has discovered a UEFI bug that exposes machines from Lenovo (and possibly other vendors) to arbitrary System Management Mode (SMM) code execution, rendering Windows’ basic security protocols useless.
According to researcher Dmytro Oleksiuk, aka Cr4sh, the code exploits a 0day privilege escalation vulnerability in Lenovo’s BIOS. The bug allows an attacker to defeat flash write protection and to disable UEFI Secure Boot, Virtual Secure Mode and Credential Guard on most Windows Enterprise powered Lenovo PCs. And this is just a small list of the possible evil things that can be done using this vulnerability.
The vulnerability is present in most ThinkPad Series laptops, ranging from the newest T450s to the oldest X220s. The faulty firmware driver seems to have been copied and pasted by the PC manufacturer from code supplied by Intel. It is still uncertain whether the vulnerable code is publicly available, but it has already been detected in an HP laptop dating back to 2010.
Yep, found SmmRuntimeManagementCallback() function in HP dv7 4087cl (from ~2010, HM55) with Insyde EFI pic.twitter.com/M5jrsrAO8d
— alex (@al3xtjames) July 2, 2016
Cr4sh further reports that the public repository holding the base code never had this vulnerability to start with. And even if there was a vulnerability in the heavily modified version supplied to OEMs, Intel reportedly fixed it back in 2014. So there is still confusion over the origin of the aforementioned vulnerability, which leads us to wonder whether it was introduced on purpose. There is some discussion about whether the company purposefully introduced a backdoor into the PCs to make it easier for the FBI to snoop on users.
Lenovo’s Statement
Lenovo, in its blog post, states that it is fully aware of the BIOS vulnerability located in the SMM code that impacts certain ThinkPad devices. The company also writes that it had tried to make contact with Dmytro to collaborate on solving the vulnerability, but in vain.
OEMs like Lenovo hire Independent BIOS Vendors (IBVs) to help develop the customized BIOS firmware that is loaded onto their PCs. The company is now pinning the introduction of the vulnerable code on one such IBV, which writes code atop the common code base created by chip vendors.
In doing so, the company is also trying to throw some shade at Intel, the chip vendor that provided the common base code in the first place. It further adds that it is unaware of the intended purpose of the embedded code and is looking into identifying the original author. The tech giant is also looking at phasing out any other vulnerabilities in the BIOS software.
Lenovo is committed to the security of its products and is working with its IBVs and Intel to develop a fix that eliminates this vulnerability as rapidly as possible.
Cr4sh, on his GitHub, details the step-by-step process for seeking out the vulnerable code on your own PC. So, go ahead and check whether your PC is secure or not!