A critical vulnerability recently found in the low-level firmware of Lenovo ThinkPad systems has now turned up in products from other vendors, including certain HP and Gigabyte models. According to Lenovo, the vulnerability, found by researcher Dmytro Oleksiuk in various ThinkPad models, was not in Lenovo's own Unified Extensible Firmware Interface (UEFI) code but in an implementation supplied to Lenovo by an unnamed independent UEFI vendor. Because other manufacturers use the same third-party UEFI code, the same vulnerability applies to some of their models as well.
An exploit for the vulnerability, dubbed ThinkPwn, has already been published and can be used to execute rogue code in the CPU's privileged System Management Mode (SMM), which runs below the operating system and any hypervisor. Code running in SMM can disable UEFI Secure Boot, the firmware feature that cryptographically verifies the OS bootloader to block boot-level rootkits. Other Windows security features that rely on the firmware being trustworthy, such as Virtual Secure Mode and Credential Guard, could also be circumvented.
ThinkPwn was published by Oleksiuk without being reported to Lenovo at all. Bad researcher! No kudos! And I'm not kidding. Even though Mr. Oleksiuk downplays the chance of this exploit being used:
“It’s very unlikely that this vulnerability will be exploited in the wild, for regular customers there are much more chances to be killed with the lightning strike than meet any System Management Mode exploit or malware.”
…he still demonstrated that his ego is more important than the safety and security of others:
“I decided to do the full disclosure because the main goal of my UEFI series articles is to share the knowledge, not to make vendors and their users happy.”
So, vendors that use the vulnerable UEFI code had no warning that would give them time to develop a fix, and the public is exposed to a zero-day exploit. Shame, Mr. Oleksiuk, shame! Your technical prowess is overshadowed by your lack of social conscience.
End users should check whether their vendor has released updated firmware for affected machines and apply it; that means the BIOS/UEFI update package from the vendor's support site, not an operating-system update. Lots of grisly detail about the UEFI vulnerabilities and the exploit, including some vulnerable ThinkPad models, can be found here. Info on vulnerable Gigabyte motherboards can be found here.
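As an added example (not from the original post, and not Oleksiuk's code), here is a small Linux shell script that reports the two things a user wants to know before and after applying such a fix: the firmware vendor, version and date the machine is running, read from the DMI tables under /sys, and whether the firmware currently reports Secure Boot as enabled, read from the UEFI SecureBoot variable under efivarfs. The fixed firmware version for any given model is not stated on this page, so the script only prints the version for you to compare against the vendor's release notes; the SecureBoot variable GUID is the standard EFI global variable GUID, and the file layout (4 attribute bytes followed by the data) is how efivarfs exposes variables.

```shell
#!/bin/sh
# Added example: local firmware version and Secure Boot status check (Linux).
# Not part of the original post. Assumes sysfs DMI entries and efivarfs are
# mounted at their usual locations.

EFIVARS=/sys/firmware/efi/efivars
# SecureBoot variable under the EFI global variable GUID.
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print system vendor, product and BIOS/UEFI vendor, version and release date
# from the DMI (SMBIOS) tables. Compare bios_version against the vendor's
# advisory for your model; no fixed version is assumed here.
firmware_info() {
    d=/sys/class/dmi/id
    for f in sys_vendor product_name bios_vendor bios_version bios_date; do
        if [ -r "$d/$f" ]; then
            printf '%-14s %s\n' "$f:" "$(cat "$d/$f")"
        fi
    done
}

# Decode an efivarfs SecureBoot variable file: 4 bytes of variable attributes
# followed by one data byte (1 = enabled, 0 = disabled). Prints "enabled",
# "disabled" or "unknown" (file missing or malformed, e.g. legacy BIOS boot).
secureboot_state_from_file() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

secureboot_state() { secureboot_state_from_file "$SB_VAR"; }

main() {
    firmware_info
    printf '%-14s %s\n' "secure_boot:" "$(secureboot_state)"
}

main
```

On Windows the equivalent checks are `Get-CimInstance Win32_BIOS` for the version string and `Confirm-SecureBootUEFI` (run as administrator) for the Secure Boot state. Note that a machine reporting "enabled" only tells you what the firmware currently claims; it does not prove the firmware itself is free of the SMM flaw, which is why the version comparison against the vendor's fix matters more than the Secure Boot flag.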