Lenovo, HP, other OEMs hit with UEFI bug in BIOS

Security / Tech
security breach

Lenovo has definitely had some software issues on their generally high-quality hardware of late, though in this instance they aren’t the only ones affected. Security researcher Dymtro Oleksiuk located a vulnerability in the BIOS of some Lenovo computers that bypasses some aspects of Windows Security.

In his post related to the issue on Github, Oleksiuk described the issue:

The new 0day vulnerability in Lenovo firmware allows arbitrary SMM code execution on a wide range of Lenovo models and firmware versions including the most recent ones.

Exploitation of the vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things.

Lenovo has already recognized the problem and made attempts to coordinate with Oleksiuk prior to his publishing of the issue. They’ve since been researching the issue on their own, and seem to have found the source of the vulnerability. Lenovo works with several independent BIOS vendors (IBVs) to create custom BIOS builds for their hardware.

At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our Independent BIOS Vendors (IBVs). Independent BIOS vendors (IBVs) are software development firms that specialize in developing the customized BIOS firmware that is loaded into the PCs of original equipment manufacturers, including Lenovo.

The company has reached out to its various IBV partners as well as Intel in order to determine where the nefarious code came from, and what its intended functions are. As they have pointed out, other OEMs work with many of the same IBVs to create the BIOS for their hardware. With the help of Twitter, Oleksiuk was able to confirm this vulnerability across OEMs including HP and Gigabyte.

While it is always troubling to find vulnerabilities on hardware we expect to be secure, it is good to see Lenovo jumping right in to try and rectify the situation.  Oleksiuk has said he plans on creating a tool to search for this vulnerability, but no timeline has been given for its completion at this time.

What do you think about these security issues? Is there any reason to think that the IBVs are purposely including these vulnerabilities in the BIOS’ provided to the major OEMs? Give us a shout in the comment section below, or on Google+, Facebook, or Twitter.

  Source: The Inquirer
To Top