Lenovo Scrambling To Get a Fix For BIOS Vulnerability

Richard Chirgwin, reporting for The Register: Lenovo, and possibly other PC vendors, are exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can "disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise." The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. He writes that the SystemSmmRuntimeRt was copied from Intel reference code. Lenovo complains in its advisory that it tried to make contact with Oleksiuk before he published the vulnerability. The company says the vulnerable System Management Mode software came from an upstream BIOS vendor -- making it likely that other vendors getting BIOS software from the same outlet will also be vulnerable. There's also a hint that Lenovo agrees with a speculation by Oleksiuk, that the code may be an intentional backdoor: "Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."

Re:You know what flashing a BIOS secure?

They can flash all they want... but that jumper is both less work and much more secure. You can point to it and check that it's put right. Software can much more easily lie, much more easily than poorly visible traces on a multi-layer pcb. Crypto is cute and all that, but all it does in UEFI/"SecureBoot" is take away control, without actually bringing any security to the end user. That puts the whole thing firmly in the "make-work for the end-user" (and another nice little consulteering racket for the security consulteering rackets industry) category.

You can't even complain you didn't know: It's implied in the terminology already. What is an "Advanced Persistent Threat" other than some vague danger you have no choice but to continue paying your favourite "computer security provider" over to keep at bay? "Vague But Nagging Danger That Keeps On Costing You Whatever You Do" is a much more accurate description. Thus more apt than APT, though not as snappily short. It's what you get for taking "convenient" shortcuts.

Re:You know what flashing a BIOS secure?

[PsychoSlashDot]

I liked it better when I had to move a jumper before I could flash the BIOS in a machine. That was really quite secure against post-shipment BIOS modification.

A good thought but it doesn't work so well when you've got hundreds or thousands of remotely supported systems scattered over the city/country/continent/planet.

Of course, I also can't think of the last time I flashed the BIOS in any of my systems, which makes me wonder why the hell we ever got away from ROMs in the first place...

You know this article is about shitty code, right? Well, I can tell you that the BIOS being shipped these days is shitty in more ways than this. If you have enough machines out there, you will sooner or later encounter something strange that involves a bug in firmware. From a mouse/printer/USB-vibrator to the latest DVI/HDMI/DisplayPort monitor, sooner or later you'll plug something in and it won't work as advertised. Or something that used to work stops working because... reasons. Basically, if you accept that there are firmware updates for motherboards, you should accept that there are reasons for them existing, even if you haven't needed them.

And don't get me started on the shitty code in server firmwares.

Most commercial systems (Dell, Lenovo, HP) they're bugfixes. Most consumer systems (Asus, Gigabyte, etc) they're updating support for processor microcode or memory module compatibility or whatever.