Menu
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads

A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well. Many new Windows security features, like Secure Boot, Virtual Secure Mode and Credential Guard, depend on the low-level firmware being locked down.

The exploit, dubbed ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk, who did not share it with Lenovo in advance. This makes it a zero-day exploit -- an exploit for which there is no patch available at the time of its disclosure.

ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, allowing an attacker to remove the flash write protection and to execute rogue code in the SMM (System Management Mode), a privileged operating mode of the CPU.

According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits; to defeat the Credential Guard feature of Windows 10 that uses virtualization-based security to prevent the theft of enterprise domain credentials, and to do "other evil things."

The UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. However, implementations can still vary considerably between computer manufacturers.

The reference specification provided by CPU and chipset vendors like Intel and AMD is used by a small number of independent BIOS vendors (IBVs) to create their own implementations which are then licensed to PC manufacturers. The PC vendors take these implementations from IBVs and further customize them themselves.

According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one IBV that hasn't been named.

"Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code," the company said in an advisory Thursday.

The full scope of the problem has not yet been determined as the vulnerability might also affect other vendors aside from Lenovo. In the ThinkPwn notes on GitHub, Oleksiuk said that it appears the vulnerability existed in the Intel reference code for its 8-series chipsets, but was fixed sometime in 2014.

"There's a high possibility that old Intel code with this vulnerability is currently present in firmware of other OEM/IBV vendors," the researcher said.

The Lenovo advisory also hints that this might be a more widespread issue, by listing the scope of impact as "industry-wide."

The ThinkPwn exploit is implemented as an UEFI application that needs to be executed from a USB flash drive by using the UEFI shell. This requires physical access to the targeted computer, which limits the kind of attackers who could use it.

However, Oleksiuk said that with more effort it would be possible to exploit the vulnerability from inside the running operating system, which means that it could be targeted through malware.

There are past examples where malware injected malicious code into the UEFI for increased persistence and stealth. For example, Italian surveillance software maker Hacking Team had a UEFI rootkit in its arsenal.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags security

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments