Currently confirmed: Lenovo and HP laptops

Jul 4, 2016 15:45 GMT

Dmytro Oleksiuk, an independent security researcher, has released details about an unpatched UEFI firmware zero-day that's currently confirmed to affect some versions of Lenovo and HP laptops.

Oleksiuk initially found the issue on Lenovo ThinkPad laptops but said that, in theory, firmware from many other OEMs might be affected as well. One of Oleksiuk's followers later found that some HP laptops were also affected by the same problem.

UEFI zero-day can alter firmware code, disable Windows security measures

The issue resides in the source code of a System Management Mode (SMM) module that ships in various UEFI firmware packages. SMM code runs at a higher privilege level than the operating system and any hypervisor, so a flaw there gives an attacker control of the platform below anything the OS can see or protect. The researcher explained that he wrote an exploit that leverages the vulnerable code to disable the firmware's flash write protections and alter the device's firmware.

Additionally, from that position he could also disable Secure Boot and Windows 10's built-in virtualization-based protections such as Device Guard and Credential Guard.

The exploit code, named ThinkPwn, is a UEFI application that runs from the UEFI shell, which can be reached at boot time. Oleksiuk adds that, in theory, the code could be adapted to run from the operating system, something that malware authors could incorporate into their malicious code.

Vulnerability resides in firmware IBV code

In a statement on its website, Lenovo said that the flaw doesn't reside in UEFI code written by its own engineers but in code supplied by one of its Independent BIOS Vendors (IBVs), which in turn was built on top of reference code provided by Intel. An IBV is a company that supplies OEMs with ready-made firmware code, for BIOS and for UEFI (the successor to the legacy BIOS), that the OEM integrates and customises for its own hardware.

The issue appears to be an old one: Intel engineers had apparently fixed it in their reference code in 2014, but the vulnerable code had already made its way into the UEFI firmware shipped by various OEMs.

"Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose," Lenovo explains. "But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."

Oleksiuk revealed the exploit on his blog after informing Lenovo of the issue, and also published proof-of-concept code on GitHub. There's currently no fix available for this issue from either Lenovo or HP.