Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.

UEFI Secure Boot Not So Secure, Again

[Anonymous Coward]

All it takes is a "goof". Any bets on how long before the next one pops up?

"Nobody could have predicted"... except everybody did, at the time. And the industry went ahead with this anyway. Personal liability of computer hardware and/or software designers is still unmentionable, of course. Yet it works nicely in other industries.

Just to be that guy

[slaker]

There are no Thinkpads at all on the list of impacted models. There are ThinkBOOKS, which are a different product line that as far as I can tell are consumer products with corporate branding on them.

Re:

[drinkypoo]

Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.

If you want quality I suggest Fujitsu

Re:

[Major_Disorder]

Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.

If you want quality I suggest Fujitsu

What are you talking about? I buy thinkpads for work all the time. They are fantastic! Affordable, RAM is socketed, NVME drive is removable. On the models I usually buy there is even a second NVME connector. Some even have AMD CPUs. An upgradable laptop in 2022 is a rare beast.

I have not see a Fujitsu laptop in the past couple of decades, my vendors don't stock them.

Re:

[Ecuador]

RAM is soldered on some slim models, but they are so good otherwise I tend to forgive them, hence I have an X13 currently (Ryzen 3rd gen). I also have an M1 MacBook Pro from work, and I love that it's CPU is even faster, but the X13 feels like a premium product in almost every other way (including the "feel" - magnesium > aluminium), when it was much cheaper.
I've bought a ThinkPad for all family members and friends in need - I didn't really see a decline in quality after Lenovo took over. I usually get 2

Re:

[Ecuador]

Damn, I wrote "it's CPU"... :( Apologies!

Re:

[devslash0]

Another thing I forgot to mention - they would also claim that I invalidated my warranty by installing my own hard drive even though they officially list it as a CRU - Customer Replaceable Unit. Only by escalating the repair ticket and spending many a day to finally pass my ticket to someone senior would they acknowledge that my warranty was unaffected.

Re:

[devslash0]

What was the last time you bought one? I got a made-to-order T15 by the end of last year and it's been riddled with hardware issues including two screen replacements (both gave up after a short while) and the entire system board replacement due to damaged USB bus. The good old sturdiness isn't there either. Oh, and the touchpad is malfunctioning all the time, too.

On the subject of RAM, one stick is soldered in permanently.

Re:

[devslash0]

Oh, and the warranty process was a horrendous experience, too. I purchased an on-site warranty upgrade. In each of the three fault cases it took me 5 days of legal threats each to convince Lenovo to honour the warranty they sold to me. They would do everything they could to refuse an on-site repair and have me mail in my laptop for diagnostics instead, which could take anything from 14 days to a month.

Re: Just to be that guy

[Numlock586]

try hp, i had good experiences with this product. it let me choose win 10 or win11. yes i know i have a win11 pc. i sat and thought about this. reason for this is if something needed win11 i could use this

Re:

[devslash0]

Nah. I had a few HP in my life and:
a) they don't survive my rough handling for long
b) the ones I had ran very hot under load
c) they don't have great Linux support

Re:

[Major_Disorder]

Can't buy HP. The last HP laptop I had would not boot with a replacement wifi card. The original card sucked I wanted to upgrade, and it would just stop the boot process if you put a non HP wifi card in the machine. Just stops with a message saying "Unsupported wireless card" or something like that. (I have seen this on several different HP laptops.)

Re:

[Mr. Esterhouse]

I agree 100%. Our company is currently using Dell's which are absolute shit! The Latitude 7420 model, that we still have 600 brand new in the depot, is the worst laptop I have ever seen. 1 in 10 have an issue. We are switching to Lenovo and already got our test models and man are they leaps and bounds better.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Major_Disorder]

And decent keyboards - none of this butterfly shit - and nipple mice. What's not to love?

Lenovo did have a quality issue in the early 2010s but I feel like that's behind them now.

Definitely one of the best laptop keyboards out there right now.

Re:

[King_TJ]

I tend to agree, at least with Lenovo's consumer-focused models. But Fujitsu? Are they really that high of quality? As long as I can remember, they were considered an "also ran" for laptops, about equivalent with Acer.

Re:

[slaker]

Back in April, I set down my laptop bag to open the trunk of my car. I forgot to pick it back up and so managed to run over my personal, not-owned-by-work, very expensive 2022 model Thinkpad X1 Extreme.

Laptop survived. Screen didn't even crack. In my life I've seen T-series Thinkpads live through 1m drops onto concrete floors and spilled cups of coffee (sugared soda, alas, is another story).

They aren't built as well as they were 20 years ago but when I look at the Dell and HP equivalents, I still feel like

Re:

[mistergrumpy]

I had several Fujitsu machines 10+ years ago and thought they were great. Where do you get them nowadays? I've seen some European sources, but no US.

Re:

[drinkypoo]

Good question. I usually just find them on eBay, I don't know where they come from originally.

Continuing insanity

[srg33]

Please, give us (back) a PHYSICAL write enable/disable switch (for UEFI/BIOS) on the motherboard!

Re:

[paulfm]

The article suggest that OS setting of the BIOS is rare. It is actually common (even before UEFI). Most people run firmware updates from the OS. Dell has for many years supplied a program that you can use to set all the BIOS settings on your Dell machine (they even have one that runs under Linux - the good thing is you have to have the BIOS password to use it or update the bios firmware). Unfortunately, UEFI allows the OS to set the boot order even if the BIOS password is set. So - yes (instead of a swit

Re:

[phantomfive]

The article suggest that OS setting of the BIOS is rare. It is actually common (even before UEFI).

It shouldn't be common.

Re:

[bws111]

Never gonna happen, except maybe in niche products. Consumers don't care, and corporations want their systems to be remotely/automatically updateable.

Re:

[srg33]

Same old BS argument. Real security knows better. So, ship motherboards with the switch in the write-enabled position and "we" can switch it to write-disabled.

Re:

[ArchieBunker]

But that would increase their costs by three whole pennies! We can't have that. Meanwhile to flash a chromebook with a third party bootloader to run Linux you have to open the case, disconnect the battery, power it from the charger and issue the write disable command.

Re: Continuing insanity

[Numlock586]

thing that bugs me is that more and more everything is automatic and user control is less and less. and when something happens that doesnt go the way the user wanted. i guess its like driverless cars. do u trust it.

Re:Continuing insanity

[codebase7]

Don't worry, Google already did. [googlesource.com] Says a lot about your company / industry when even the world's biggest advertising company gives the device owner control over their firmware as an expectation.

Re:

[jaa101]

The article you linked says "In newer devices, we've moved away from the WP signal being controlled by a physical screw and to a separate chip controlling the WP signal." Write protect is still supposed to be under user control but it's not a physical switch.

Re:

[Waccoon]

While they're at it, could they also put write-protect switches on thumb drives? I don't mean those software switches that give a "suggestion" to the OS. I mean, real write-protect switches, like we used to have on every 3.5" floppy!

LOL... progress.

Re:

[thegarbz]

Firstly, no one would enable that on a laptop. Secondly, updates to the UEFI aren't rare, and laptops like Dell, Lenovo, etc will push them out via Windows Update. About every 3rd time Windows update runs on my machine I get a UEFI update warning "don't turn off your PC". Especially in the laptop world where a large number of accessories and power / control systems for the laptop are controlled via UEFI you do *not* want the user blindly disabling shit just to solve an incredibly low liklihood malware attac

Re: Pry my IBM Thinkpads out of my cold, dead, han

[flyingfsck]

Sounds like you could use an abacus.

Re:

[jmccue]

I do not know why you were modded flamebait. But I agree with all you said.

I know they can be disabled

One thing, on my W541 the only way do disable that damn touchpad is to use xinput(1) on Linux and OpenBSD when you start X. The OpenBSD one was easier to figure out. The option no longer exists in BIOS (or whatever it is now).

Re:

[slaker]

If you can take the ~10 screws out of the bottom of the laptop, it's pretty easy to just unplug the touchpad from the motherboard if you really don't like it. That'll stop the joy-nipple too, but I've found most people who hate touchpads are mouse-mandatory sorts.

Personally, one of the things I appreciate about Lenovo's touchpads is that they aren't cartoonishly large.

Re:

[MIPSPro]

I like the size of those old Thinkpads, in general. The ultralight X-series are awesome from that era with @12" screens. They had netbook sizes with full-laptop capabilities and CPU grunt. Of course, they are aging now. That X230 I think had a touchpad which is probably like what you are describing. It was like someone tried to add it without making the laptop deck all huge like the modern laptops; the edge of the pad wrapped around the deck. The X230 also allowed you to disable the trackpad in BIOS but the

Re:

[MachineShedFred]

ThinkPad X220 is a Lenovo model, being released years after IBM sold their PC business to Lenovo in 2004. So is the X61. And they're both ancient.

Re: Pry my IBM Thinkpads out of my cold, dead, han

[Numlock586]

im with you

Joke is on them....

[gweihir]

I switched off "secure" boot on my Lenovo notebook, because it is not worth anything anyways. Better no sense of security, than a false one.

Windows installer

[algaeman]

The firmware installer for my laptop is a Windows executable, so it cannot be updated without using an insecure OS.

China risk

[DarmokandJalad]

I've excluded Lenovo from my computer purchasing since they took over IBM's PC business. Every company in China is a de facto extension of the Chinese Communist Party. The software used in Hisense TVs, Lenovo PCs, Hikvision cameras, and OnePlus Phones are all subject to government spying should the party deem it necessary. While the same risks exist in western nations, I prefer governments that protect human rights and do not encourage industrial espionage as national policy.

Do you mean ESET backdoored the NSA backdoor

[terrorubic]

Do you mean ESET backdoored the NSA backdoor?

Data point

[ElizabethGreene]

When "oops" like this happen the signatures of the naughty drivers are blacklisted. The naughty list is here: https://uefi.org/revocationlis... [uefi.org]

The "Secure DBX update" Microsoft delivers is a signed repackage of this file distributed via Windows Update. I'm ignorant of how the installation process works though.

um, REALLY? Lenovo customers care about security?

[tiqui]

1. As part of its slow motion collapse, IBM sold that product line in 2005.

2. The buyer was a "multinational company" (founded in Beijing, China) called "Lenovo"

3. The Chinese government insists that it is a communist country - probably hoping the world does not notice the blatantly obvious fact that the post-Mao leaders have transitioned to fascism instead. (Everybody is NOT sharing ownership of everything, working as hard as they can while consuming only as little as they need, etc - they are one politica