Lenovo Scrambling To Get a Fix For BIOS Vulnerability (theregister.co.uk)
Richard Chirgwin, reporting for The Register: Lenovo, and possibly other PC vendors, are exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at GitHub are correct, an attacker can "disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise." The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. He writes that the SystemSmmRuntimeRt was copied from Intel reference code. Lenovo complains in its advisory that it tried to make contact with Oleksiuk before he published the vulnerability. The company says the vulnerable System Management Mode software came from an upstream BIOS vendor -- making it likely that other vendors getting BIOS software from the same outlet will also be vulnerable. There's also a hint that Lenovo agrees with a speculation by Oleksiuk, that the code may be an intentional backdoor: "Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."
You asked for it Lenovo and/or Intel. This turns an incoming buffer into a function pointer and executes arbitrary incoming code:
v3 = *(VOID **)(CommunicationBuffer + 0x20);
v4 = CommunicationBuffer;
*(v3 + 0x8)(*(VOID **)v3, &dword_AD002290, CommunicationBuffer + 0x18);
That's moronic. You asked for it. Now suck it up. Apologize to the world for creating an obvious backdoor.
I'm quite sure it won't be the only one coming from Intel's headquarters. And yes, security-researchers will keep digging them up and expose them. Forever.
"Once is an accident. Twice is coincidence. Three times is enemy action."
-- Ian Fleming
We're way past three.
-- Alastair
It even works from raw UEFI - https://github.com/Cr4sh/ThinkPwn
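For contrast with the snippet quoted in the thread, where the call target is read out of the communication buffer, here is an added sketch of a handler that accepts only an index into a fixed table and validates the buffer first. It is not code from Lenovo, Intel or the ThinkPwn repository; the `smi_request` layout, the handler names and the SMRAM range are hypothetical, and the buffer address is simulated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout for this sketch; not the vendor's structure. */
typedef struct {
    uint32_t op;       /* index into a fixed handler table, never an address */
    uint32_t arg_len;  /* number of bytes of args[] in use */
    uint8_t  args[24];
} smi_request;

typedef int (*smi_handler)(const uint8_t *args, uint32_t len);
static int op_get_version(const uint8_t *a, uint32_t n) { (void)a; (void)n; return 0x0100; }
static int op_sum(const uint8_t *a, uint32_t n) {
    int s = 0; for (uint32_t i = 0; i < n; i++) s += a[i];
    return s;
}
/* Call targets live in firmware-owned read-only data, not in caller memory. */
static const smi_handler handlers[] = { op_get_version, op_sum };

/* Constructed range standing in for SMRAM. */
#define SMRAM_BASE 0xAD000000u
#define SMRAM_SIZE 0x00100000u
#define SMI_REJECT (-1)

/* 1 if [addr, addr+len) is non-empty, does not wrap, and misses SMRAM. */
static int outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return 0;
    return addr + len <= SMRAM_BASE || addr >= (uint64_t)SMRAM_BASE + SMRAM_SIZE;
}

/* buf_addr is the (simulated) physical address of the caller's buffer. */
int smi_dispatch(uint64_t buf_addr, const void *buf, size_t buf_len) {
    smi_request req;
    if (buf == NULL || buf_len < sizeof req) return SMI_REJECT;
    if (!outside_smram(buf_addr, buf_len)) return SMI_REJECT;
    memcpy(&req, buf, sizeof req);  /* snapshot so later edits by the caller are ignored */
    if (req.op >= sizeof handlers / sizeof handlers[0]) return SMI_REJECT;
    if (req.arg_len > sizeof req.args) return SMI_REJECT;
    return handlers[req.op](req.args, req.arg_len);
}

int main(void) {
    smi_request r = { 1, 3, { 1, 2, 3 } };  /* constructed sample request */
    printf("op_sum -> %d\n", smi_dispatch(0x1000, &r, sizeof r));
    r.op = 7;                               /* out-of-table index */
    printf("bad op -> %d\n", smi_dispatch(0x1000, &r, sizeof r));
    return 0;
}
```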