Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models (arstechnica.com) 46

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. From a report: At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates for 25 models, including ThinkPads, Yoga Slims, and IdeaPads. Vulnerabilities that undermine the UEFI secure boot can be serious because they make it possible for attackers to install malicious firmware that survives multiple operating system reinstallations.

Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of code to run when virtually any modern machine is turned on, it's the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove. Typical measures such as wiping the hard drive and reinstalling the OS have no meaningful impact because the UEFI infection will simply reinfect the computer afterward. ESET said the vulnerabilities -- tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 -- "allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS." Secure boot uses databases to allow and deny mechanisms. The DBX database, in particular, stores cryptographic hashes of denied keys. Disabling or restoring default values in the databases makes it possible for an attacker to remove restrictions that would normally be in place.

This discussion has been archived. No new comments can be posted.

Lenovo Driver Goof Poses Security Risk for Users of 25 Notebook Models

Comments Filter:
  • by Anonymous Coward

    All it takes is a "goof". Any bets on how long before the next one pops up?

    "Nobody could have predicted"... except everybody did, at the time. And the industry went ahead with this anyway. Personal liability of computer hardware and/or software designers is still unmentionable, of course. Yet it works nicely in other industries.

  • Just to be that guy (Score:5, Informative)

    by slaker ( 53818 ) on Thursday November 10, 2022 @11:21AM (#63041065)

    There are no Thinkpads at all on the list of impacted models. There are ThinkBOOKS, which are a different product line that as far as I can tell are consumer products with corporate branding on them.

    • Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.

      If you want quality I suggest Fujitsu

      • Re: (Score:3, Interesting)

        Don't worry, they are all consumer products. Lenovo has turned the most reputable laptop line on the planet into just another pile of Chinesium crap.

        If you want quality I suggest Fujitsu

        What are you talking about? I buy thinkpads for work all the time. They are fantastic! Affordable, RAM is socketed, NVME drive is removable. On the models I usually buy there is even a second NVME connector. Some even have AMD CPUs. An upgradable laptop in 2022 is a rare beast.

        I have not see a Fujitsu laptop in the past couple of decades, my vendors don't stock them.

        • by Ecuador ( 740021 )

          RAM is soldered on some slim models, but they are so good otherwise I tend to forgive them, hence I have an X13 currently (Ryzen 3rd gen). I also have an M1 MacBook Pro from work, and I love that it's CPU is even faster, but the X13 feels like a premium product in almost every other way (including the "feel" - magnesium > aluminium), when it was much cheaper.
          I've bought a ThinkPad for all family members and friends in need - I didn't really see a decline in quality after Lenovo took over. I usually get 2

          • by Ecuador ( 740021 )

            Damn, I wrote "it's CPU"... :( Apologies!

          • Another thing I forgot to mention - they would also claim that I invalidated my warranty by installing my own hard drive even though they officially list it as a CRU - Customer Replaceable Unit. Only by escalating the repair ticket and spending many a day to finally pass my ticket to someone senior would they acknowledge that my warranty was unaffected.

        • What was the last time you bought one? I got a made-to-order T15 by the end of last year and it's been riddled with hardware issues including two screen replacements (both gave up after a short while) and the entire system board replacement due to damaged USB bus. The good old sturdiness isn't there either. Oh, and the touchpad is malfunctioning all the time, too.

          On the subject of RAM, one stick is soldered in permanently.

        • Oh, and the warranty process was a horrendous experience, too. I purchased an on-site warranty upgrade. In each of the three fault cases it took me 5 days of legal threats each to convince Lenovo to honour the warranty they sold to me. They would do everything they could to refuse an on-site repair and have me mail in my laptop for diagnostics instead, which could take anything from 14 days to a month.

          • try hp, i had good experiences with this product. it let me choose win 10 or win11. yes i know i have a win11 pc. i sat and thought about this. reason for this is if something needed win11 i could use this
            • Nah. I had a few HP in my life and:
              a) they don't survive my rough handling for long
              b) the ones I had ran very hot under load
              c) they don't have great Linux support

            • Can't buy HP. The last HP laptop I had would not boot with a replacement wifi card. The original card sucked I wanted to upgrade, and it would just stop the boot process if you put a non HP wifi card in the machine. Just stops with a message saying "Unsupported wireless card" or something like that. (I have seen this on several different HP laptops.)
        • I agree 100%. Our company is currently using Dell's which are absolute shit! The Latitude 7420 model, that we still have 600 brand new in the depot, is the worst laptop I have ever seen. 1 in 10 have an issue. We are switching to Lenovo and already got our test models and man are they leaps and bounds better.
        • Comment removed based on user account deletion
          • And decent keyboards - none of this butterfly shit - and nipple mice. What's not to love?

            Lenovo did have a quality issue in the early 2010s but I feel like that's behind them now.

            Definitely one of the best laptop keyboards out there right now.

      • by King_TJ ( 85913 )

        I tend to agree, at least with Lenovo's consumer-focused models. But Fujitsu? Are they really that high of quality? As long as I can remember, they were considered an "also ran" for laptops, about equivalent with Acer.

      • by slaker ( 53818 )

        Back in April, I set down my laptop bag to open the trunk of my car. I forgot to pick it back up and so managed to run over my personal, not-owned-by-work, very expensive 2022 model Thinkpad X1 Extreme.

        Laptop survived. Screen didn't even crack. In my life I've seen T-series Thinkpads live through 1m drops onto concrete floors and spilled cups of coffee (sugared soda, alas, is another story).

        They aren't built as well as they were 20 years ago but when I look at the Dell and HP equivalents, I still feel like

      • I had several Fujitsu machines 10+ years ago and thought they were great. Where do you get them nowadays? I've seen some European sources, but no US.
  • by srg33 ( 1095679 ) on Thursday November 10, 2022 @11:26AM (#63041079)

    Please, give us (back) a PHYSICAL write enable/disable switch (for UEFI/BIOS) on the motherboard!

    • by paulfm ( 552273 )
      The article suggest that OS setting of the BIOS is rare. It is actually common (even before UEFI). Most people run firmware updates from the OS. Dell has for many years supplied a program that you can use to set all the BIOS settings on your Dell machine (they even have one that runs under Linux - the good thing is you have to have the BIOS password to use it or update the bios firmware). Unfortunately, UEFI allows the OS to set the boot order even if the BIOS password is set. So - yes (instead of a swit
      • The article suggest that OS setting of the BIOS is rare. It is actually common (even before UEFI).

        It shouldn't be common.

    • by bws111 ( 1216812 )

      Never gonna happen, except maybe in niche products. Consumers don't care, and corporations want their systems to be remotely/automatically updateable.

      • by srg33 ( 1095679 )

        Same old BS argument. Real security knows better. So, ship motherboards with the switch in the write-enabled position and "we" can switch it to write-disabled.

    • But that would increase their costs by three whole pennies! We can't have that. Meanwhile to flash a chromebook with a third party bootloader to run Linux you have to open the case, disconnect the battery, power it from the charger and issue the write disable command.

      • thing that bugs me is that more and more everything is automatic and user control is less and less. and when something happens that doesnt go the way the user wanted. i guess its like driverless cars. do u trust it.
    • by codebase7 ( 9682010 ) on Thursday November 10, 2022 @12:47PM (#63041281)
      Don't worry, Google already did. [googlesource.com] Says a lot about your company / industry when even the world's biggest advertising company gives the device owner control over their firmware as an expectation.
      • by jaa101 ( 627731 )

        The article you linked says "In newer devices, we've moved away from the WP signal being controlled by a physical screw and to a separate chip controlling the WP signal." Write protect is still supposed to be under user control but it's not a physical switch.

    • While they're at it, could they also put write-protect switches on thumb drives? I don't mean those software switches that give a "suggestion" to the OS. I mean, real write-protect switches, like we used to have on every 3.5" floppy!

      LOL... progress.

    • Firstly, no one would enable that on a laptop. Secondly, updates to the UEFI aren't rare, and laptops like Dell, Lenovo, etc will push them out via Windows Update. About every 3rd time Windows update runs on my machine I get a UEFI update warning "don't turn off your PC". Especially in the laptop world where a large number of accessories and power / control systems for the laptop are controlled via UEFI you do *not* want the user blindly disabling shit just to solve an incredibly low liklihood malware attac

  • I switched off "secure" boot on my Lenovo notebook, because it is not worth anything anyways. Better no sense of security, than a false one.

  • The firmware installer for my laptop is a Windows executable, so it cannot be updated without using an insecure OS.
  • I've excluded Lenovo from my computer purchasing since they took over IBM's PC business. Every company in China is a de facto extension of the Chinese Communist Party. The software used in Hisense TVs, Lenovo PCs, Hikvision cameras, and OnePlus Phones are all subject to government spying should the party deem it necessary. While the same risks exist in western nations, I prefer governments that protect human rights and do not encourage industrial espionage as national policy.
  • Do you mean ESET backdoored the NSA backdoor?
  • When "oops" like this happen the signatures of the naughty drivers are blacklisted. The naughty list is here: https://uefi.org/revocationlis... [uefi.org]

    The "Secure DBX update" Microsoft delivers is a signed repackage of this file distributed via Windows Update. I'm ignorant of how the installation process works though.

  • 1. As part of its slow motion collapse, IBM sold that product line in 2005.

    2. The buyer was a "multinational company" (founded in Beijing, China) called "Lenovo"

    3. The Chinese government insists that it is a communist country - probably hoping the world does not notice the blatantly obvious fact that the post-Mao leaders have transitioned to fascism instead. (Everybody is NOT sharing ownership of everything, working as hard as they can while consuming only as little as they need, etc - they are one politica

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...