
ESET discovers UEFI firmware vulnerabilities in Lenovo laptops

ESET says the security flaw impacts one hundred different models, and around a million users worldwide

April 20, 2022 / 02:56 PM IST
(Image: Lenovo Legion gaming laptop)
A research team at ESET, the Slovak internet security company behind NOD32 antivirus, discovered three dangerous vulnerabilities in Lenovo laptops.

The three UEFI security flaws were assigned the identifiers CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. They were reported to Lenovo on October 11, 2021, and the company has released patches for the affected devices following the full disclosure in April.


The first flaw allowed an attacker with local access to a system to gain elevated privileges. Lenovo's advisory describes it as "A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models."

The second flaw was the result of outdated drivers that Lenovo used during the manufacturing phase and mistakenly left in the system BIOS. This once again allowed attackers with high-level local access to modify the firmware protection region.


The final flaw was the result of another oversight: Lenovo failed to deactivate early manufacturing phase drivers, which allowed attackers to modify the Secure Boot settings of a system.

Martin Smolar, a researcher at ESET, said that, "We reported all discovered vulnerabilities to Lenovo on October 11th, 2021. Altogether, the list of affected devices contains more than one hundred different consumer laptop models with millions of users worldwide, from affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05."


The full list of affected model names is available here, along with instructions on how to update your drivers and BIOS to stay secure.

Besides the models on the list, older legacy devices are also affected by the flaws, but they will not receive fixes because they have reached End of Development Support (EODS). These models are listed here.
Moneycontrol News