Zero-day vulnerability in UEFI driver may affect more laptops than ThinkPads
A zero-day vulnerability in a UEFI driver that Lenovo uses in its ThinkPad laptops may also be exploitable on laptops from other manufacturers. The vulnerable code comes from a third-party software vendor, according to Lenovo, and may have been distributed by Intel itself.
The vulnerability was discovered by security researcher Dmytro Oleksiuk, who has published an exploit on GitHub. The vulnerability resides in a UEFI driver and allows the flash memory to be written by bypassing its write protection. After that, an attacker can run code freely in System Management Mode, a deep management layer with high privileges that is normally only accessible to the CPU.
This makes it possible to disable Secure Boot and bypass security features built on it, such as Virtual Secure Mode and Credential Guard on Windows 10 Enterprise. The researcher has named his exploit ThinkPwn. A patch is not yet available, but the researcher has disclosed the vulnerability anyway, stating that his purpose is to share information. He considers the chance that the exploit will be abused in the wild to be very small.
Comments on his blog point out that part of the vulnerability appears to stem from a bug in Intel’s reference code. Intel reportedly fixed this in 2014, but it is possible that the makers of UEFI software have not yet incorporated the fix.
Lenovo’s Product Security Incident Response Team is aware of the vulnerability and states that multiple attempts to work with Oleksiuk have failed. According to Lenovo, the vulnerable System Management Mode code was provided by “at least one of four independent BIOS vendors.”
Lenovo is now working with the UEFI software companies and Intel on new versions of the driver to fix the problem. It is not known which systems from other manufacturers are affected. The Register cites a tweet from a user reporting that an HP Pavilion dv7, a laptop from 2010, contains the bug.