A research team at ESET, the Slovak internet security company behind NOD32 antivirus, discovered three dangerous vulnerabilities in Lenovo laptops.
The three UEFI security flaws were assigned the names, CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, and were reported to Lenovo on October 11, 2021 and the company has released patches for the affected devices, following the full disclosure in April.
The first flaw allowed attackers local access to a system with elevated privileges, due to, "A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models."
The second flaw was the result of outdated drivers, which Lenovo used during the manufacturing phase but included them in the system BIOS, by mistake. This once again allowed attackers high-level local access to a system, by letting them modify the firmware protection region.
The final flaw was the result of another oversight. Lenovo accidentally failed to deactivate early manufacturing phase drivers, which allowed attackers to modify the secure boot settings of a system.
Martin Smolar, a researcher at ESET, said that, "We reported all discovered vulnerabilities to Lenovo on October 11th, 2021. Altogether, the list of affected devices contains more than one hundred different consumer laptop models with millions of users worldwide, from affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05."
The full list of model names is available here, along with instructions on how to update your drivers and BIOS, to stay secure.Besides the models on the list, there are also older, legacy devices affected by the flaws but they won't receive fixes due to them reaching EODS or End of Development Support. These models are listed here.