TechSpot

Critical security flaw found in Lenovo PCs, others might be affected too

By Jos
Jul 4, 2016
Post New Reply
  1. Security researcher Dymtro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers disable write protection on a device's firmware and execute malicious code in the System Management Mode, a privileged operating mode of the CPU, Engadget reports. The vulnerable driver reportedly comes from common code supplied by Intel so other manufacturers could have the same flaw as well.

    Lenovo issued a public response on its website in which it corroborates that the code was supplied by a third party working from common code that came from Intel, and claims it tried speaking to Oleksiuk before he published the flaw but didn’t hear back.

    According to Oleksiuk, Lenovo only demanded that the vulnerability was not made public, and he further suggests in a post on GitHub that the code could have been crafted intentionally for use as a backdoor -- not necessarily by Lenovo itself but one of the companies to which Lenovo outsources the development of its custom BIOS firmware.

    These companies -- or independent BIOS vendors (IBVs) -- create their own implementations from a reference specification by Intel, which is then licensed to PC manufacturers who take these implementations from IBVs and further customize them themselves. According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one of the IBVs it works with.

    “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” Lenovo said in its statement.

    The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible.

    Permalink to story.

     
  2. Theinsanegamer

    Theinsanegamer TS Guru Posts: 371   +323

    They outsource their own BIOS? Seriously? That's just plain lazy.
     
  3. ikesmasher

    ikesmasher TS Evangelist Posts: 2,555   +861

    Don't most manufacturers do that?
     
  4. Theinsanegamer

    Theinsanegamer TS Guru Posts: 371   +323

    Does that somehow make it not lazy?
     
  5. psycros

    psycros TS Evangelist Posts: 1,320   +709

    If there were any kind of trail to follow I can guarantee you it would lead back to either the US or Chinese governments.
     
  6. MoeJoe

    MoeJoe TS Maniac Posts: 399   +207

    LeNONO failed it.
     
  7. Daverk

    Daverk TS Rookie

    We need to know asap
     
  8. Camikazi

    Camikazi TS Maniac Posts: 817   +231

    A Chinese company putting in a back door for a non-Chinese government? Not unless they want to lose their heads.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...