CATEGORIES
home News

Lenovo Rocked By Critical BIOS Vulnerability, Fingers Point To Shoddy Intel Reference Code

by Brandon HillMonday, July 04, 2016, 06:41 PM EDT

Lenovo is finding itself embroiled in yet another security scandal, and this time it revolves around the BIOS used in many of its PC systems. According to security researcher Dmytro Oleksiuk (aka Cr4sh), the vulnerability lies in the SystemSmmRuntimeRt UEFI driver component of Lenovo’s firmware. Oleksiuk claims that the exploit is present in every ThinkPad machine dating back as far as the X220 and as recently as the T450s.

The vulnerability can allow a malicious party to run System Management Mode code on a machine, granting the ability to not only disable flash write protection, but also Secure Boot. It’s also possible to bypass the Virtual Secure Mode (VSM) that is used by Windows 10 Enterprise.

ThinkPad X220

So how exactly did this exploit pass under Lenovo’s nose without it sniffing out something funky? Well, Lenovo claims that one of its Independent BIOS Vendors (IBVs) developed the BIOS installed on its ThinkPad machines, and that the IBV simply copy/pasted reference code straight from Intel (which is common practice). However, the vulnerability was not detected until Oleksiuk started snooping around.

Lenovo is understandably a bit peeved about the disclosure of this gaping hole in its security, writing, “Shortly after the researcher stated over social media that he would disclose a BIOS-level vulnerability in Lenovo products, Lenovo PSIRT made several unsuccessful attempts to collaborate with the researcher in advance of his publication of this information.”

Lenovo also tries to duck responsibility, instead shifting partial blame to both the IBV and Intel, which provided the original code that was copied:

The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.

Since this code originated from Intel and was implemented by likely more than one IBV, it’s highly likely that Lenovo isn’t the only OEM that’s susceptible to this particular attack vector. Lenovo is simply an easy target since it’s been caught with its hands in the cookie jar before, but we could possibly see more wide-scale fallout from this disclosure in the coming weeks and months. As you can see in this tweet below, at least one HP machine (2010 vintage) is affected.

Tags:  Intel, Lenovo, BIOS, UEFI
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment