Menu
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads

A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well. Many new Windows security features, like Secure Boot, Virtual Secure Mode and Credential Guard, depend on the low-level firmware being locked down.

The exploit, dubbed ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk, who did not share it with Lenovo in advance. This makes it a zero-day exploit -- an exploit for which there is no patch available at the time of its disclosure.

ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, allowing an attacker to remove the flash write protection and to execute rogue code in the SMM (System Management Mode), a privileged operating mode of the CPU.

According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits; to defeat the Credential Guard feature of Windows 10 that uses virtualization-based security to prevent the theft of enterprise domain credentials, and to do "other evil things."

The UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. However, implementations can still vary considerably between computer manufacturers.

The reference specification provided by CPU and chipset vendors like Intel and AMD is used by a small number of independent BIOS vendors (IBVs) to create their own implementations which are then licensed to PC manufacturers. The PC vendors take these implementations from IBVs and further customize them themselves.

According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one IBV that hasn't been named.

"Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code," the company said in an advisory Thursday.

The full scope of the problem has not yet been determined as the vulnerability might also affect other vendors aside from Lenovo. In the ThinkPwn notes on GitHub, Oleksiuk said that it appears the vulnerability existed in the Intel reference code for its 8-series chipsets, but was fixed sometime in 2014.

"There's a high possibility that old Intel code with this vulnerability is currently present in firmware of other OEM/IBV vendors," the researcher said.

The Lenovo advisory also hints that this might be a more widespread issue, by listing the scope of impact as "industry-wide."

The ThinkPwn exploit is implemented as an UEFI application that needs to be executed from a USB flash drive by using the UEFI shell. This requires physical access to the targeted computer, which limits the kind of attackers who could use it.

However, Oleksiuk said that with more effort it would be possible to exploit the vulnerability from inside the running operating system, which means that it could be targeted through malware.

There are past examples where malware injected malicious code into the UEFI for increased persistence and stealth. For example, Italian surveillance software maker Hacking Team had a UEFI rootkit in its arsenal.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags security

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments