Security research, Dymtro Oleksiuk, has uncovered a flaw in Lenovo machines which affects the BIOS, leaving systems vulnerable to attack. Lenovo's Product Security Incident Response Team (PSIRT) is now aware of the UEFI vulnerability which it says was reported as part of an uncoordinated disclosure by Oleksiuk.
Lenovo PSIRT claims that it made several attempts to contact Oleksiuk after he stated over social media that he would disclose the UEFI-level vulnerability in Lenovo's products. Following this, Lenovo conducted its own investigation:
“The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.”
Following the Lenovo announcement, Oleksiuk took to Github to say that the vulnerability was actually fixed by Intel in the middle of 2014 but didn't issue any public advisories. Although it was fixed, UEFI firmware is sometimes slow to be updated so the vulnerable code could linger around on many devices, for a while.
What's worse is that this was quickly confirmed to not be limited to Lenovo ThinkPads as originally thought. The flaw was discovered in code used by Gigabyte motherboards, HP systems and more.
The exploit can disable the write protection of firmware, meaning that Windows security features, such as Secure Boot, can be disabled. Embarrassingly for Lenovo in its security advisory, it says that the severity of the bug is “high” and that the scope of impact is “industry-wide”. Lenovo is working with Intel and other IBVs to fix the issue as quickly as it can. The only good news is that an attacker would need physical access to a device before deploying ThinkPwn.