"Lenovo Patches ThinkPad, Yoga, IdeaPad UEFI Secure Boot Vulnerability"

Lenovo has issued patches to address two vulnerabilities that could have allowed attackers to run malicious code by deactivating Unified Extensible Firmware Interface (UEFI) Secure Boot. According to researchers at ESET, the high-severity vulnerabilities, tracked as CVE-2022-3430 and CVE-2022-3431, could allow threat actors to bypass the basic security functions of a victim's operating system if exploited. The vulnerabilities impact 25 devices across the ThinkBook, Yoga, and IdeaPad lines, though not every model is affected by both. Because these devices are widely used in business settings, employees' machines may be exposed, and sensitive data on them may be compromised.

Each flaw lies within a UEFI driver shipped in the affected devices' firmware and lets an attacker running in the operating system change a variable in Non-Volatile Random Access Memory (NVRAM) to alter the device's Secure Boot setting. This was not due to an error in the drivers' code but to the affected devices shipping with drivers intended for use only during manufacturing, which allow the Secure Boot setting to be changed from within the operating system with relaxed controls. UEFI flaws are serious because they allow threat actors to change critical device processes and potentially plant malware in the device's flash memory. An attacker could exploit such a flaw to install a UEFI rootkit that carries out malicious activity while remaining undetected and even survives operating system reinstallation.

According to John Goodacre, director of the UKRI's Digital Security by Design challenge and professor of computer architectures at the University of Manchester, secure boot is built on a hierarchy of trust typically rooted in technologies fixed in a device's hardware. Such systems are used to ensure that, even if a vulnerability is exploited during normal system operation, the system can be recovered by rebooting. As a result, it is critical that a system's secure boot cannot be changed while it is in normal operation. However, all software should be considered vulnerable, so it is critical that no mechanism can evade secure boot during normal operation. This article continues to discuss Lenovo patching high-severity vulnerabilities affecting 25 laptop models.
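The practical follow-up to an advisory like this is to confirm, from inside the running operating system, what Secure Boot state the firmware is actually reporting and whether that state is being persisted in a way the UEFI specification does not allow. The script below is an added example written for this summary; it is not code from ITPro, ESET or Lenovo, and it does not touch the vendor-specific NVRAM variable the advisory concerns, which the article does not name. It decodes the Linux efivarfs file layout (a 4-byte little-endian attribute word followed by the variable data) for the two standard UEFI global variables SecureBoot and SetupMode, flags SecureBoot=0, SetupMode=1, or a SecureBoot entry carrying the NON_VOLATILE attribute (the specification defines it as a volatile, read-only BS+RT variable), and falls back to constructed sample bytes so it runs offline. The function and sample names are this example's own.

```python
"""Audit the UEFI Secure Boot state as exposed through Linux efivarfs.

Added example, not from the article or the vendor. Reads the standard
SecureBoot and SetupMode variables (EFI_GLOBAL_VARIABLE GUID) from
/sys/firmware/efi/efivars when present, otherwise audits the constructed
samples at the bottom so it can be run anywhere.
"""
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e0980e0e3b"

# Variable attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(blob):
    """Split an efivarfs file into (attributes, data).

    efivarfs prepends a 4-byte little-endian attribute word to the raw
    variable contents; everything after it is the variable data.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def secure_boot_status(variables):
    """Classify Secure Boot from a {name: raw_efivarfs_bytes} mapping.

    Returns a dict with the decoded state and a list of findings; an empty
    findings list means nothing looked wrong.
    """
    findings = []
    result = {"secure_boot": None, "setup_mode": None, "findings": findings}

    sb = variables.get("SecureBoot")
    if sb is None:
        findings.append("SecureBoot variable absent: firmware does not report Secure Boot")
        return result
    attrs, data = parse_efivar(sb)
    result["secure_boot"] = bool(data) and data[0] == 1
    if not result["secure_boot"]:
        findings.append("SecureBoot=0: unsigned boot components will be accepted")
    # The spec defines SecureBoot as volatile and read-only (BS+RT only).
    # Seeing NON_VOLATILE means the firmware persists it in NVRAM, which is
    # a deviation worth investigating on a platform with known NVRAM issues.
    if attrs & EFI_VARIABLE_NON_VOLATILE:
        findings.append("SecureBoot carries NON_VOLATILE attribute: not per UEFI spec")
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        findings.append("SecureBoot lacks RUNTIME_ACCESS: OS cannot read the real state")

    sm = variables.get("SetupMode")
    if sm is not None:
        _, data = parse_efivar(sm)
        result["setup_mode"] = bool(data) and data[0] == 1
        if result["setup_mode"]:
            findings.append("SetupMode=1: no Platform Key enrolled, signature enforcement is off")
    return result


def read_efivars(efivars_dir="/sys/firmware/efi/efivars"):
    """Read the two standard variables from a live efivarfs mount, if any."""
    variables = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE}")
        try:
            with open(path, "rb") as fh:
                variables[name] = fh.read()
        except OSError:
            # Missing file (non-UEFI boot) or unreadable entry: skip it.
            pass
    return variables


# Constructed samples: attribute word 0x6 = BS|RT, followed by one data byte.
SAMPLE_HEALTHY = {
    "SecureBoot": struct.pack("<I", 0x6) + b"\x01",
    "SetupMode": struct.pack("<I", 0x6) + b"\x00",
}
SAMPLE_DISABLED = {
    "SecureBoot": struct.pack("<I", 0x6) + b"\x00",
    "SetupMode": struct.pack("<I", 0x6) + b"\x01",
}

if __name__ == "__main__":
    live = read_efivars()
    source = "live efivarfs" if live else "constructed sample (no efivarfs found)"
    report = secure_boot_status(live or SAMPLE_HEALTHY)
    print(f"source: {source}")
    print(f"SecureBoot enabled: {report['secure_boot']}, SetupMode: {report['setup_mode']}")
    for finding in report["findings"] or ["no findings"]:
        print(f"  - {finding}")
```

Run it as root or any user that can read efivarfs; on a healthy, patched machine it should report SecureBoot enabled, SetupMode off and no findings. A clean report only shows what the firmware claims, so after applying a firmware update the complementary step is to confirm the new firmware version in the vendor's tooling, since a driver that silently honours a stray NVRAM variable would not necessarily change what these two standard variables say.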

ITPro reports "Lenovo Patches ThinkPad, Yoga, IdeaPad UEFI Secure Boot Vulnerability"
