The UEFI firmware shipped in dozens of Lenovo laptop models contains three buffer overflow vulnerabilities that could let an attacker hijack the Windows boot process.
Lenovo has issued a security advisory disclosing three medium-severity vulnerabilities tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892.
The first is a buffer overflow in the ReadyBootDxe driver used in some Lenovo notebook products; the other two are buffer overflows in the SystemLoadDefaultDxe driver.
SystemLoadDefaultDxe is used in the Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540, and S940 Lenovo lines, affecting over 70 individual models.
For more information on the impacted models, check out Lenovo’s product impact table at the bottom of the security advisory.
According to ESET, whose analysts discovered the three bugs and reported them to Lenovo, an attacker could leverage them to hijack the OS execution flow and disable security features.
“These vulnerabilities were caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable,” explains ESET Research in a tweet.
“An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
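The bug class ESET describes is easier to see in code. The following is an added illustration, not ESET's proof of concept and not Lenovo's driver code: a mock of the DataSize contract of GetVariable (a too-small buffer makes the call return EFI_BUFFER_TOO_SMALL and overwrite DataSize with the variable's real size), a driver routine that follows the vulnerable double-call pattern, and a hardened version. The variable name `BootConfig`, the 32-byte buffer, the canary that stands in for the rest of the stack frame, and the sample NVRAM contents are all constructed assumptions; the details of the real drivers are not on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for the EDK II types and status codes involved. Real EFI
 * error codes carry the high bit set; the values here are simplified. */
typedef uintptr_t EFI_STATUS;
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_NOT_FOUND        14

#define VAR_NAME "BootConfig"  /* hypothetical variable name, not from the advisory */
#define BUF_LEN  32            /* size of the driver's fixed Data buffer (assumed) */
#define CANARY   0xA5A5A5A5u   /* stands in for whatever follows the buffer on the stack */

enum { READ_OK = 0, READ_ERR = 1, READ_REJECTED = 2, READ_SMASHED = 3 };

/* Constructed NVRAM store holding a single attacker-writable variable. */
static uint8_t g_var_data[256];
static size_t  g_var_size;

/* Write a variable of the given size filled with one byte value. */
void nvram_set_fill(uint8_t value, size_t size) {
    if (size > sizeof g_var_data) size = sizeof g_var_data;
    memset(g_var_data, value, size);
    g_var_size = size;
}

/* Mock of the size contract of EFI_RUNTIME_SERVICES.GetVariable: when *DataSize is
 * smaller than the stored variable, *DataSize is overwritten with the real size and
 * EFI_BUFFER_TOO_SMALL is returned; otherwise the data is copied and *DataSize
 * is set to the number of bytes written. */
EFI_STATUS MockGetVariable(const char *Name, size_t *DataSize, void *Data) {
    if (strcmp(Name, VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (*DataSize < g_var_size) {
        *DataSize = g_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(Data, g_var_data, g_var_size);
    *DataSize = g_var_size;
    return EFI_SUCCESS;
}

/* Simulated stack frame: BUF_LEN bytes of Data buffer, then the canary. The extra
 * slack keeps this simulation itself in bounds while an overflow still reaches the
 * canary, just as it would reach saved registers or a return address in firmware. */
struct frame {
    uint8_t storage[BUF_LEN + sizeof(uint32_t) + sizeof g_var_data];
};

static void frame_init(struct frame *f) {
    uint32_t c = CANARY;
    memset(f->storage, 0, sizeof f->storage);
    memcpy(f->storage + BUF_LEN, &c, sizeof c);
}

static int frame_canary_intact(const struct frame *f) {
    uint32_t c;
    memcpy(&c, f->storage + BUF_LEN, sizeof c);
    return c == CANARY;
}

/* Vulnerable pattern: the DataSize updated by the first call is handed to the
 * second call without being re-checked against the buffer's real capacity. */
int read_config_vulnerable(void) {
    struct frame f;
    size_t size = BUF_LEN;
    EFI_STATUS st;

    frame_init(&f);
    st = MockGetVariable(VAR_NAME, &size, f.storage);
    if (st == EFI_BUFFER_TOO_SMALL) {
        /* BUG: size now holds the attacker-chosen length; BUF_LEN is forgotten */
        st = MockGetVariable(VAR_NAME, &size, f.storage);
    }
    if (st != EFI_SUCCESS) return READ_ERR;
    return frame_canary_intact(&f) ? READ_OK : READ_SMASHED;
}

/* Hardened pattern: the buffer size is the bound, and a variable larger than it
 * is treated as untrusted input and rejected instead of being read a second time. */
int read_config_hardened(void) {
    struct frame f;
    size_t size = BUF_LEN;
    EFI_STATUS st;

    frame_init(&f);
    st = MockGetVariable(VAR_NAME, &size, f.storage);
    if (st == EFI_BUFFER_TOO_SMALL) return READ_REJECTED;
    if (st != EFI_SUCCESS) return READ_ERR;
    return frame_canary_intact(&f) ? READ_OK : READ_SMASHED;
}

int main(void) {
    nvram_set_fill(0x42, 16);   /* a benign, in-bounds variable */
    printf("benign:  vulnerable=%d hardened=%d\n", read_config_vulnerable(), read_config_hardened());
    nvram_set_fill(0x41, 200);  /* an oversized variable written by an attacker */
    printf("hostile: vulnerable=%d hardened=%d\n", read_config_vulnerable(), read_config_hardened());
    return 0;
}
```

With the 200-byte variable the vulnerable routine passes the first call's updated size straight back into GetVariable and the copy runs past the 32-byte buffer into the canary; the hardened routine stops at the first EFI_BUFFER_TOO_SMALL. If the driver genuinely needs to accept variable-length data, the other correct shape is to allocate a fresh buffer of the returned size (AllocatePool in EDK II) and pass that to the second call, which is exactly what the static pattern added to efiXplorer looks for: a second GetVariable call that reuses the original fixed buffer with a DataSize it did not bound.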
To help the cybersecurity community identify and fix similar issues, ESET submitted code improvements to Binarly’s UEFI firmware analyzer ‘efiXplorer,’ which is freely available on GitHub.
Hijacking the OS
UEFI firmware attacks are extremely dangerous because they let threat actors run malicious code early in the boot process, before Windows' built-in security protections are active.
This early foothold allows malware to bypass or disable OS-level security controls, evade detection, and persist even after the disk is formatted and the operating system reinstalled.
These flaws are not remotely exploitable on their own: the attacker first needs the ability to write NVRAM variables on the target machine, which means either malware already running with administrative privileges or hands-on access. With that foothold, however, they allow a silent and highly persistent compromise.
To address the security risk, users of the affected devices should install the latest firmware (BIOS) update for their product from Lenovo's official software download portal, and compare the installed firmware version against the fixed versions listed in the advisory's product table.
If you have trouble determining what model you’re using, Lenovo offers an automatic online detector that you can use instead.