Menu
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads

A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well. Many new Windows security features, like Secure Boot, Virtual Secure Mode and Credential Guard, depend on the low-level firmware being locked down.

The exploit, dubbed ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk, who did not share it with Lenovo in advance. This makes it a zero-day exploit -- an exploit for which there is no patch available at the time of its disclosure.

ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, allowing an attacker to remove the flash write protection and to execute rogue code in the SMM (System Management Mode), a privileged operating mode of the CPU.

According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits; to defeat the Credential Guard feature of Windows 10 that uses virtualization-based security to prevent the theft of enterprise domain credentials, and to do "other evil things."

The UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. However, implementations can still vary considerably between computer manufacturers.

The reference specification provided by CPU and chipset vendors like Intel and AMD is used by a small number of independent BIOS vendors (IBVs) to create their own implementations which are then licensed to PC manufacturers. The PC vendors take these implementations from IBVs and further customize them themselves.

According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one IBV that hasn't been named.

"Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code," the company said in an advisory Thursday.

The full scope of the problem has not yet been determined as the vulnerability might also affect other vendors aside from Lenovo. In the ThinkPwn notes on GitHub, Oleksiuk said that it appears the vulnerability existed in the Intel reference code for its 8-series chipsets, but was fixed sometime in 2014.

"There's a high possibility that old Intel code with this vulnerability is currently present in firmware of other OEM/IBV vendors," the researcher said.

The Lenovo advisory also hints that this might be a more widespread issue, by listing the scope of impact as "industry-wide."

The ThinkPwn exploit is implemented as an UEFI application that needs to be executed from a USB flash drive by using the UEFI shell. This requires physical access to the targeted computer, which limits the kind of attackers who could use it.

However, Oleksiuk said that with more effort it would be possible to exploit the vulnerability from inside the running operating system, which means that it could be targeted through malware.

There are past examples where malware injected malicious code into the UEFI for increased persistence and stealth. For example, Italian surveillance software maker Hacking Team had a UEFI rootkit in its arsenal.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments