Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com)
More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.
Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.
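A defensive check for the dbx rollback the report describes, as an added example that is not from ESET, Lenovo or the article: it parses the dbx variable in the form Linux exposes through efivarfs and reports baseline revocation hashes that have disappeared. The baseline list and the sample hashes are constructed placeholders; the GUIDs and the EFI_SIGNATURE_LIST layout are those of the UEFI specification.

```python
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")

def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, signature) for every entry in a db/dbx value."""
    off = 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        body, end = off + HDR.size + hdr_size, off + list_size
        if list_size < HDR.size + hdr_size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if (end - body) % sig_size:
            raise ValueError("entries do not fill the list at offset %d" % off)
        for p in range(body, end, sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the signature.
            yield (uuid.UUID(bytes_le=sig_type),
                   uuid.UUID(bytes_le=data[p:p + 16]), data[p + 16:p + sig_size])
        off = end

def dbx_sha256_hashes(efivar_blob):
    """SHA-256 entries in an efivarfs read; the first 4 bytes are attributes."""
    return {sig.hex() for t, _, sig in parse_signature_lists(efivar_blob[4:])
            if t == EFI_CERT_SHA256}

def missing_revocations(efivar_blob, baseline):
    """Baseline hashes absent from the live dbx; non-empty means a rollback."""
    return sorted(set(baseline) - dbx_sha256_hashes(efivar_blob))

def build_sample(hashes):
    """Constructed dbx value (not real revocation data) for offline testing."""
    entries = b"".join(uuid.UUID(int=0).bytes_le + bytes.fromhex(h) for h in hashes)
    lst = HDR.pack(EFI_CERT_SHA256.bytes_le, HDR.size + len(entries), 0, 48)
    return struct.pack("<I", 0x27) + lst + entries

if __name__ == "__main__":
    baseline = ["11" * 32, "22" * 32]          # constructed placeholder hashes
    reset = build_sample(baseline[:1])          # dbx after a "restore defaults"
    print("missing:", missing_revocations(reset, baseline))
    # On a live Linux host, read DBX_PATH in binary mode instead of build_sample().
```

Record the baseline right after each dbx update is applied, so that a later non-empty result points to the database having been reset rather than to an update that was never installed.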
UEFI Secure Boot Not So Secure, Again (Score:1)
All it takes is a "goof". Any bets on how long before the next one pops up?
"Nobody could have predicted"... except everybody did, at the time. And the industry went ahead with this anyway. Personal liability of computer hardware and/or software designers is still unmentionable, of course. Yet it works nicely in other industries.
Just to be that guy (Score:5, Informative)
There are no Thinkpads at all on the list of impacted models. There are ThinkBOOKS, which are a different product line that as far as I can tell are consumer products with corporate branding on them.
Re: (Score:3)
Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.
If you want quality I suggest Fujitsu
Re: (Score:3, Interesting)
Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.
If you want quality I suggest Fujitsu
What are you talking about? I buy thinkpads for work all the time. They are fantastic! Affordable, RAM is socketed, NVME drive is removable. On the models I usually buy there is even a second NVME connector. Some even have AMD CPUs. An upgradable laptop in 2022 is a rare beast.
I have not seen a Fujitsu laptop in the past couple of decades, my vendors don't stock them.
Re: (Score:2)
RAM is soldered on some slim models, but they are so good otherwise I tend to forgive them, hence I have an X13 currently (Ryzen 3rd gen). I also have an M1 MacBook Pro from work, and I love that it's CPU is even faster, but the X13 feels like a premium product in almost every other way (including the "feel" - magnesium > aluminium), when it was much cheaper.
I've bought a ThinkPad for all family members and friends in need - I didn't really see a decline in quality after Lenovo took over. I usually get 2
Re: (Score:2)
Damn, I wrote "it's CPU"... :( Apologies!
Re: (Score:2)
Another thing I forgot to mention - they would also claim that I invalidated my warranty by installing my own hard drive even though they officially list it as a CRU - Customer Replaceable Unit. Only by escalating the repair ticket and spending many a day to finally pass my ticket to someone senior would they acknowledge that my warranty was unaffected.
Re: (Score:2)
What was the last time you bought one? I got a made-to-order T15 by the end of last year and it's been riddled with hardware issues including two screen replacements (both gave up after a short while) and the entire system board replacement due to damaged USB bus. The good old sturdiness isn't there either. Oh, and the touchpad is malfunctioning all the time, too.
On the subject of RAM, one stick is soldered in permanently.
Re: (Score:2)
Oh, and the warranty process was a horrendous experience, too. I purchased an on-site warranty upgrade. In each of the three fault cases it took me 5 days of legal threats each to convince Lenovo to honour the warranty they sold to me. They would do everything they could to refuse an on-site repair and have me mail in my laptop for diagnostics instead, which could take anything from 14 days to a month.
Re: Just to be that guy (Score:1)
Re: (Score:2)
Nah. I had a few HP in my life and:
a) they don't survive my rough handling for long
b) the ones I had ran very hot under load
c) they don't have great Linux support
Re: (Score:2)
And decent keyboards - none of this butterfly shit - and nipple mice. What's not to love?
Lenovo did have a quality issue in the early 2010s but I feel like that's behind them now.
Definitely one of the best laptop keyboards out there right now.
Re: (Score:2)
I tend to agree, at least with Lenovo's consumer-focused models. But Fujitsu? Are they really that high of quality? As long as I can remember, they were considered an "also ran" for laptops, about equivalent with Acer.
Re: (Score:2)
Back in April, I set down my laptop bag to open the trunk of my car. I forgot to pick it back up and so managed to run over my personal, not-owned-by-work, very expensive 2022 model Thinkpad X1 Extreme.
Laptop survived. Screen didn't even crack. In my life I've seen T-series Thinkpads live through 1m drops onto concrete floors and spilled cups of coffee (sugared soda, alas, is another story).
They aren't built as well as they were 20 years ago but when I look at the Dell and HP equivalents, I still feel like
Re: (Score:2)
Good question. I usually just find them on eBay, I don't know where they come from originally.
Continuing insanity (Score:5, Insightful)
Please, give us (back) a PHYSICAL write enable/disable switch (for UEFI/BIOS) on the motherboard!
Re: (Score:2)
The article suggests that OS setting of the BIOS is rare. It is actually common (even before UEFI).
It shouldn't be common.
Re: (Score:3)
Never gonna happen, except maybe in niche products. Consumers don't care, and corporations want their systems to be remotely/automatically updateable.
Re: (Score:3)
Same old BS argument. Real security knows better. So, ship motherboards with the switch in the write-enabled position and "we" can switch it to write-disabled.
Re: (Score:2)
But that would increase their costs by three whole pennies! We can't have that. Meanwhile to flash a chromebook with a third party bootloader to run Linux you have to open the case, disconnect the battery, power it from the charger and issue the write disable command.
Re: Continuing insanity (Score:1)
Re:Continuing insanity (Score:4, Informative)
Re: (Score:2)
The article you linked says "In newer devices, we've moved away from the WP signal being controlled by a physical screw and to a separate chip controlling the WP signal." Write protect is still supposed to be under user control but it's not a physical switch.
Re: (Score:2)
While they're at it, could they also put write-protect switches on thumb drives? I don't mean those software switches that give a "suggestion" to the OS. I mean, real write-protect switches, like we used to have on every 3.5" floppy!
LOL... progress.
Re: (Score:2)
Firstly, no one would enable that on a laptop. Secondly, updates to the UEFI aren't rare, and laptops like Dell, Lenovo, etc will push them out via Windows Update. About every 3rd time Windows update runs on my machine I get a UEFI update warning "don't turn off your PC". Especially in the laptop world where a large number of accessories and power / control systems for the laptop are controlled via UEFI you do *not* want the user blindly disabling shit just to solve an incredibly low likelihood malware attac
Re: Pry my IBM Thinkpads out of my cold, dead, han (Score:2)
Re: (Score:2)
I do not know why you were modded flamebait. But I agree with all you said.
I know they can be disabled
One thing, on my W541 the only way to disable that damn touchpad is to use xinput(1) on Linux and OpenBSD when you start X. The OpenBSD one was easier to figure out. The option no longer exists in BIOS (or whatever it is now).
Re: (Score:2)
If you can take the ~10 screws out of the bottom of the laptop, it's pretty easy to just unplug the touchpad from the motherboard if you really don't like it. That'll stop the joy-nipple too, but I've found most people who hate touchpads are mouse-mandatory sorts.
Personally, one of the things I appreciate about Lenovo's touchpads is that they aren't cartoonishly large.
Re: (Score:2)
ThinkPad X220 is a Lenovo model, being released years after IBM sold their PC business to Lenovo in 2004. So is the X61. And they're both ancient.
Re: Pry my IBM Thinkpads out of my cold, dead, han (Score:1)
Joke is on them.... (Score:2)
I switched off "secure" boot on my Lenovo notebook, because it is not worth anything anyways. Better no sense of security, than a false one.
Windows installer (Score:2)
China risk (Score:1)
Do you mean ESET backdoored the NSA backdoor (Score:1)
Data point (Score:2)
When "oops" like this happen the signatures of the naughty drivers are blacklisted. The naughty list is here: https://uefi.org/revocationlis... [uefi.org]
The "Secure DBX update" Microsoft delivers is a signed repackage of this file distributed via Windows Update. I'm ignorant of how the installation process works though.
um, REALLY? Lenovo customers care about security? (Score:2)
1. As part of its slow motion collapse, IBM sold that product line in 2005.
2. The buyer was a "multinational company" (founded in Beijing, China) called "Lenovo"
3. The Chinese government insists that it is a communist country - probably hoping the world does not notice the blatantly obvious fact that the post-Mao leaders have transitioned to fascism instead. (Everybody is NOT sharing ownership of everything, working as hard as they can while consuming only as little as they need, etc - they are one politica