Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads

A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well. Many new Windows security features, like Secure Boot, Virtual Secure Mode and Credential Guard, depend on the low-level firmware being locked down.

The exploit, dubbed ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk, who did not share it with Lenovo in advance. This makes it a zero-day exploit -- an exploit for which there is no patch available at the time of its disclosure.

ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, allowing an attacker to remove the flash write protection and to execute rogue code in the SMM (System Management Mode), a privileged operating mode of the CPU.

According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits; to defeat the Credential Guard feature of Windows 10 that uses virtualization-based security to prevent the theft of enterprise domain credentials, and to do "other evil things."

The UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification. However, implementations can still vary considerably between computer manufacturers.

The reference specification provided by CPU and chipset vendors like Intel and AMD is used by a small number of independent BIOS vendors (IBVs) to create their own implementations which are then licensed to PC manufacturers. The PC vendors take these implementations from IBVs and further customize them themselves.

According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in the implementation provided to the company by at least one IBV that hasn't been named.

"Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code," the company said in an advisory Thursday.

The full scope of the problem has not yet been determined as the vulnerability might also affect other vendors aside from Lenovo. In the ThinkPwn notes on GitHub, Oleksiuk said that it appears the vulnerability existed in the Intel reference code for its 8-series chipsets, but was fixed sometime in 2014.

"There's a high possibility that old Intel code with this vulnerability is currently present in firmware of other OEM/IBV vendors," the researcher said.

The Lenovo advisory also hints that this might be a more widespread issue, by listing the scope of impact as "industry-wide."

The ThinkPwn exploit is implemented as an UEFI application that needs to be executed from a USB flash drive by using the UEFI shell. This requires physical access to the targeted computer, which limits the kind of attackers who could use it.

However, Oleksiuk said that with more effort it would be possible to exploit the vulnerability from inside the running operating system, which means that it could be targeted through malware.

There are past examples where malware injected malicious code into the UEFI for increased persistence and stealth. For example, Italian surveillance software maker Hacking Team had a UEFI rootkit in its arsenal.

Join the PC World newsletter!

Error: Please check your email address.

Tags security

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?