Lenovo laptops have once again exposed to critical security flaws. A serious hardware vulnerability, thought to be confined to UEFI drivers in Lenovo laptops, has been found in firmware running on its motherboards. The exploit, dubbed ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk. Other PC vendors are also potentially vulnerable to ThinkPwn.
A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well. Many new Windows security features, like Secure Boot, Virtual Secure Mode and Credential Guard, depend on the low-level firmware being locked down, the report published in Computer World states.
ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, allowing an attacker to remove the flash write protection and to execute rogue code in the SMM (System Management Mode), a privileged operating mode of the CPU.
According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits. The exploit can also defeat the Credential Guard feature of Windows 10 that uses virtualization-based security to prevent the theft of enterprise domain credentials, and do “other evil things.”
Lenovo is now investigating the issue and cooking up a fix, with the manufacturer posting an advisory which called the BIOS vulnerability an “industry-wide” issue – so we could still see further fallout from this.
Lenovo stated: “Lenovo is committed to the security of its products and is working with its IBVs and Intel to develop a fix that eliminates this vulnerability as rapidly as possible.”
The company further observed, “The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose.”
“Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” the company said in an advisory Thursday.
Lenovo has had several security problems of late, including revelations that it deliberately shipped PCs with spyware as well as easily compromised adware and other bloat preinstalled.