Posting on GitHub, Dymtro “Cr4sh” Oleksiuk said he discovered a Unified Extensible Firmware Interface (UEFI) bug in Lenovo’s ThinkPad System Management Mode (SMM) that would allow an attacker to bypass Windows’ security protocols.
“Exploitation of the vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things,” claimed Oleksiuk.
This all stems from a common code from Intel allegedly provided by independent BIOS vendors (IBVs), which is where Lenovo appears to be placing the blame, but it added in its security advisory that the investigation is ongoing.
The company stated that it knows this vulnerable code was provided by “at least one” IBV. Lenovo works with three IBVs but it did not specify beyond that or give names.
“Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs,” read the advisory.
What’s important to note here is that IBVs work with a number of computer makers. While Oleksiuk said that he found this flaw in more than one Lenovo laptop he tested, it’s very much possible the flaw exists in other PC brands too.
“Lenovo is blaming it’s [sic] IBV, so, it’s 100% that there’s others OEM’s that have this vuln in their products,” Oleksiuk tweeted. Shortly afterwards another Twitter user responded with a claim that he had found the same vulnerability in a HP computer that shipped in 2010.
https://twitter.com/al3xtjames/status/749063556486791168
In its statement, Lenovo took issue with Oleksiuk publishing his findings before having any contact with its own team. The statement said Lenovo made “several unsuccessful attempts” to reach out to and collaborate with the researcher before he went public.
For now, a fix is in the works. “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” it said.
As of this writing no other PC makers have commented on the reported vulnerability.
