Critical security flaw found in Lenovo PCs, others might be affected too

By Jos · 7 replies
Jul 4, 2016
  1. Security researcher Dmytro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers disable write protection on a device's firmware and execute malicious code in the System Management Mode, a privileged operating mode of the CPU, Engadget reports. The vulnerable driver reportedly comes from common code supplied by Intel, so other manufacturers could have the same flaw as well.

    Lenovo issued a public response on its website in which it corroborates that the code was supplied by a third party working from common code that came from Intel, and claims it tried speaking to Oleksiuk before he published the flaw but didn’t hear back.

    According to Oleksiuk, Lenovo only demanded that the vulnerability not be made public, and he further suggests in a post on GitHub that the code could have been crafted intentionally for use as a backdoor -- not necessarily by Lenovo itself but by one of the companies to which Lenovo outsources the development of its custom BIOS firmware.

    These companies -- or independent BIOS vendors (IBVs) -- create their own implementations from a reference specification by Intel, which is then licensed to PC manufacturers who take these implementations from IBVs and further customize them themselves. According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one of the IBVs it works with.

    “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” Lenovo said in its statement.

    The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible.


  2. Theinsanegamer

    Theinsanegamer TS Evangelist Posts: 864   +878

    They outsource their own BIOS? Seriously? That's just plain lazy.
  3. ikesmasher

    ikesmasher TS Evangelist Posts: 3,000   +1,320

    Don't most manufacturers do that?
  4. Theinsanegamer

    Theinsanegamer TS Evangelist Posts: 864   +878

    Does that somehow make it not lazy?
  5. psycros

    psycros TS Evangelist Posts: 1,877   +1,297

    If there were any kind of trail to follow I can guarantee you it would lead back to either the US or Chinese governments.
  6. MoeJoe

    MoeJoe TS Guru Posts: 712   +382

    LeNONO failed it.
  7. Daverk

    Daverk TS Rookie

    We need to know asap
  8. Camikazi

    Camikazi TS Evangelist Posts: 925   +284

    A Chinese company putting in a back door for a non-Chinese government? Not unless they want to lose their heads.
