Lenovo has confirmed that reports of a critical vulnerability in the UEFI (unified extensible firmware interface) in its ThinkPad computers are accurate and it is currently investigating the problem.
Lenovo released a statement on June 30 verifying there is a vulnerability in the ThinkPad’s System Management Mode (SMM) BIOS that was introduced by one of its independent BIOS vendors. However, Lenovo hasn’t specified what range of ThinkPad models likely are affected by the vulnerability.
The UEFI is a current version of what used to be called the BIOS (basic input output system), which forms an interface between the computer hardware and the operating system, such as Microsoft Windows. The current practice is that the IBVs (independent BIOS vendors) work from reference code provided by the CPU manufacturer and then develops machine-specific code that provides the rest of the machine-specific interface.
Normally, machines using similar processors and chipsets will use the same reference code. This means that while the vulnerability could have been introduced by the IBV, it’s also possible it was introduced by Intel when it created the reference code.
The vulnerability was found by an independent security researcher Dmytro Oleksiuk, who published details on GitHub, a software development collaboration site. Oleksiuk said in his posting that the vulnerability, which he has named ThinkPwn, allows the running of arbitrary SMM code. This enables an attacker to disable Flash write protection and then allow malware infection of the platform firmware. This, in turn, allows an attacker to disable Secure Boot and Virtual Secure Mode on Windows 10.
By embedding malware in the system firmware, an attacker can avoid detection by antimalware software. Furthermore, the malware may be difficult or impossible to remove. Oleksiuk noted in his GitHub entry that the vulnerability apparently was fixed by Intel in 2014, but because there was no public announcement, the vulnerability was never removed by computer makers that were using the earlier version in their UEFI code.
Further research by Oleksiuk and others appears to indicate that Lenovo isn’t the only computer maker affected by the same bug. Independent security researcher Alex James reported in a series of Tweets that he found the same vulnerability on some HP laptop computers and in the firmware for some Gigabyte Technology motherboards.
The vulnerability was discovered so recently that the full extent of the problem is unknown. But because Intel and the independent BIOS vendors likely used similar reference code and UEFI software as much as possible, the problem is likely to be much more widespread than just the three makers that are currently known.
While Lenovo has acknowledged that the vulnerability exists, there’s more to attacking a computer than the existence of a vulnerability. At the very least, there needs to be a means of delivering it.
Firmware Flaw Affects Lenovo Thinkpads, Other PC Makers’ Hardware
For the ThinkPwn bug, the primary means of delivery needs to be a USB memory stick. Then, the computer needs to be booted from that drive before any malware can be initiated.
Analyst Jack Gold said the first thing business users should do is find out whether their anti-malware products will detect software that’s trying to perform an exploit using the vulnerability. However, Gold said that because any exploit would be running in the firmware, he suspects that current antimalware apps would not find it.
Gold also said that because any exploit would probably need to be installed on a machine via physical access to its USB port, it’s not an easy thing to do. His advice to IT managers: “Be mindful of this, stay up to date, but I wouldn’t consider this a huge risk.”
But that doesn’t mean that there’s no risk at all. Oleksiuk has said in some of his public statements that he believes it would be possible to create a malware attack that would take advantage of the ThinkPwn vulnerability. But even if the exploit could be spread through malware, that doesn’t necessarily raise the risk much.
The reason the risk is limited is because the UEFI is written specifically for each type of machine, and for an exploit to work, it would have to target this specific type as well. For this reason, a Lenovo exploit wouldn’t work on a HP laptop, even if it had the same vulnerability.
What should the computer makers do about this vulnerability? The obvious answer is they can ask their BIOS vendors to create a new UEFI package using Intel reference code written after the vulnerability was fixed and then distribute a BIOS update.
But of course it’s easy to say that a BIOS update would solve the problem, but issuing such an update can be very complex to current hardware owners. Worse, trusting individual owners to update the BIOS in their computers is a dangerous proposition. Done wrong, the result could effectively kill the computer, preventing it from ever working again.
Of more concern is Oleksiuk’s suggestion that the ThinkPwn exploit was applied in malware. While such a malware attack would be very difficult because it would require the malware to detect the type of machine it was infecting, such sophisticated malware already has been created to attack other types of vulnerabilities. This means creating such malware to attack machines with different UEFI code is possible.
While there’s no reason to panic about the possibility of malware aimed at your computers’ BIOS, you also can’t afford to drop your guard. Instead, keep in touch with Lenovo or whichever vendor builds your computers and find out if there is a vulnerability. If there is, you need to fix it as soon as possible.