Usually, third-party UEFI drivers, applications and OPROMS are being verified, while the drivers on the SPI flash "are implicitly considered trusted". Secure boot uses databases to determine the trusted components. Its main purpose is to verify boot component integrity to ensure that components are allowed to be executed. Secure Boot is part of the UEFI specification. Attackers may exploit the security issue for various tasks, including the disabling of Secure Boot on the device. Among them are the UEFI Secure Boot state or the ability to restore factory settings. The vulnerability CVE-2021-3972 gives attackers control over several UEFI firmware settings. SMM, System Management Mode, is used for various tasks, including the secure updating of a device's firmware or the execution of proprietary code by OEMs.ĮSET notes that any Windows administrator, with the SE_SYSTEM_ENVIRONMENT_NAME privilege, may exploit the vulnerability using the "Windows API function SetFirmwareEnvironmentVariable". The attacked system allows SPI flash to be modified, even when executed from non-SMM code, resulting in attackers being able to write malicious code directly to the firmware storage. With the variable set, the platform's firmware will skip the execution of code that is "responsible for the setting up BIOS Control Register and Protected Range register-based SPI flash protections". Successful exploitation disables SPI flash write protections. The primary line of defense is "provided by the special memory-mapped configuration registers exposed by the chipset itself – the BIOS Control Register and five Protected Range registers".ĬVE-2021-3971 may be exploited by creating the NVRAM variable. Manufacturers created several security mechanisms to protect the SPI flash against unauthorized modifications. Malwares such as LOJAX, the first UEFI rootkit found in the wild, MosaicRegressor, or MoonBounce, targeted the memory in attacks. Since it is non-volatile, it is a high-level target for threat actors. An administrator could erase a device's hard drive, install another operating system, and the memory would not be changed by the procure. The memory is independent of the operating system, which means that it remains even if the operating system is reinstalled or another system is installed. It is connected to the processor via the Serial Peripheral Interface (SPI). UEFI firmware is usually stored on the in an embedded flash memory chip on the computer's motherboard. The vulnerability CVE-2021-3971 can be exploited to disable SPI protections on Lenovo devices. Lenovo published the security advisory on April 18 and ESET its findings and details a day later. Lenovo confirmed the vulnerabilities in November 2021 and requested a postponing of the public disclosure date to April 2022. Security company ESET reported the vulnerabilities to Lenovo in October 2021.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |