Adding to Lenovo's security woes, another BIOS vulnerability has been found on the vendor's PCs. According to an official statement from Lenovo, the flaw originates from one of its independent BIOS vendors and Intel so it's likely other PC manufacturers are affected as well. Here's what you need to know.
Lenovo gained unfavourable attention when it was discovered that an adware dubbed Superfish was pre-loaded onto its PCs. Then there was the incident when it was discovered that the vendor had been installing bloatware into the BIOS of its machines, which made the software difficult to remove. Both of those things were found to be security risks.
Now a new BIOS security flaw has been found by independent security researcher Dymtro Oleksiuk. According to his entry on GitHub, the bug affects all ThinkPad series laptops. It is a privileges escalation vulnerability in the SystemSmmRuntimeRt UEFI driver, specifically in the System Management Mode (SMM) code, of Lenovo's firmware:
"Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things."
Lenovo has issued an official statement on this and noted that the vulnerability in the SSM code was provided to the company by at least one independent BIOS vendors. These vendors are software development firms that help other PC makers customise BIOS firmware to be loaded on branded computers.
According to Oleksiuk, the vulnerable code was provided by chip maker Intel to independent BIOS vendors, specifically for 8-series chipsets. This means that other PC makers are likely to be affected by this. At least one person has confirmed that the flaw has been found on a HP laptop.
So far, Lenovo has not issued a fix for the security flaw but has said it's working with BIOS vendors and Intel to investigate the matter. If you own a Lenovo ThinkPad PC, you should keep an eye out for updates on the Lenovo Security Advisory.