Security researcher Dmytro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers disable write protection on a device's firmware and execute malicious code in System Management Mode, a privileged operating mode of the CPU, Engadget reports. The vulnerable driver reportedly comes from common code supplied by Intel, so machines from other manufacturers could have the same flaw as well.
Lenovo issued a public response on its website in which it corroborates that the code was supplied by a third party working from common code that came from Intel, and claims it tried speaking to Oleksiuk before he published the flaw but didn’t hear back.
According to Oleksiuk, Lenovo only demanded that the vulnerability not be made public, and he further suggests in a post on GitHub that the code could have been crafted intentionally for use as a backdoor -- not necessarily by Lenovo itself but by one of the companies to which Lenovo outsources the development of its custom BIOS firmware.
These companies -- independent BIOS vendors (IBVs) -- create their own implementations from a reference specification by Intel; those implementations are then licensed to PC manufacturers, who further customize them themselves. According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one of the IBVs it works with.
“Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” Lenovo said in its statement.
The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible.