Back to Home

Lenovo fixed vulnerabilities in the firmware of their computers / ESET NOD32's blog

lenovo security

Lenovo fixed vulnerabilities in the firmware of its computers

    Lenovo fixed two important vulnerabilities in the system software of its computers. Vulnerabilities are fixed by updating LEN-9903 ( Intel ME protection not set on some Lenovo Notebook and ThinkServer systems ) and LEN-8327 ( Microsoft Device Guard protection bypass ). The first vulnerability with the identifier CVE-2016-8222 is the incorrect configuration of the Lenovo Intel chipset system mechanism - Intel Management Engine on some ThinkServer laptops and computers.


    The second vulnerability with the identifier CVE-2016-8222 is somewhat similar to the previously known ThinkPwn vulnerability, which we already wrote about here . The vulnerability could allow an attacker to overwrite important BIOS system variables and call the SMM services of the microprocessor operating mode, i.e. at the privilege level minus the second ring (-2).

    Technology Intel Management Engine (ME) has recently been written several times, including on habrahabr. Briefly speaking, this is a whole hardware and software subsystem from Intel in the chipset, which allows you to control a computer, including remotely, regardless of the OS, and also whether the computer is currently running or not. Intel ME uses system resources in its work, including some regions of physical memory and hardware functions of devices. At the same time, these resources used by Intel ME should be appropriately blocked from external influences, for example, by an attacker who wants to modify Intel ME configuration parameters in order to run his code at the highest minus third (-3) level of microprocessor privileges. That's the kind of protection for the region of physical memory that Lenovo forgot to install initially.

    The vulnerability is of type Local Privilege Escalation (LPE) and could allow an attacker to obtain the highest level of privileges minus the third ring (-3)

    The Intel Management Engine (ME) is a set of hardware features developed by Intel that enable administrators to manage, repair and protect computers on their networks. During the manufacturing process, a setting is configured on the manufacturing line that locks regions of memory used by the ME and prevents them from being reconfigured. Lenovo has discovered that this protection was not enabled on certain Lenovo systems.

    The LEN-9903 update is addressed to the following Lenovo laptops.

    • 110-14IBR / 110-15IBR
    • B70-80, E31-80, E40-80, E41-80, E51-80, G40-80, G50-80, G50-80 Touch
    • Ideapad 300-14IBR / 300-15IBR, Ideapad 300-14ISK / 300-15ISK / 300-17ISK, Ideapad 510S-12ISK
    • K21-80, K41-80
    • MIIX 710-12IKB, XiaoXin Air 12
    • YOGA 510-14ISK / 510-15ISK, YOGA 710-11IKB, Yoga 710-11ISK, Yoga 900-13ISK, YOGA 900S-12ISK

    The ThinkServer TS150 and ThinkServer TS450 servers are also subject to upgrade.

    The second vulnerability is present in one of the ThinkPad laptop UEFI firmware drivers and allows an attacker who has already received high administrator rights in the system to go down minus the second (-2) ring to run his code in SMM mode.

    A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability.
    This vulnerability could allow an attacker to bypass Microsoft Device Guard protections for systems running Windows 10.

    In turn, the compromise of the SMM microprocessor operation mode allows the attacker to compromise such protective Windows 10 technologies that work using the virtualization mechanism as Device Guard and Credential Guard. Since the virtualization subsystem runs on the -1 privilege ring, it will not be difficult for SMM code to bypass its security mechanism.

    We recommend that users install the appropriate updates.

    image
    be secure.

    Read Next