Lenovo Thinkpad wikimedia

As revealed by researcher Dmytro Oleksiuk, a new zero-day exploit can disable the write protection on the device’s flash memory, allowing the attacker to run scripts in System Management Mode.

Using this privileged mode usually reserved for the CPU, the hacker then can run scripts to disable SecureBoot, a protocol that verifies the OS bootloader to stop rootkits. From there, Windows security measures such as Credential Guard can be disabled, a feature used to keep enterprise domain credentials secure, among other data.

Lenovo has stated that the exploit is found not in its own code, but some provided by an Independent BIOS Vendor (IBV). According to Oleksiuk, this means “it’s 100% that there’s others OEM’s [Original Equipment Manufacturer’s] that have this vuln in their products,” and could have consequences across the industry. The vulnerability appears to be present in Intel reference code for its 8-series chipsets, but was fixed in 2014.

The Effects Moving Forward

Stating that several unsuccessful attempts were made to co-operate with the researcher before the exploit was posted to social media, Lenovo announced they have “actively undertaken [their] own investigation, which remains ongoing,” and will release a fix as soon as possible. They echo Oleksiuk’s statement by confirming that they work with the industries three largest IBV’s and that the scope of impact is industry wide.

The vulnerability currently requires physical access to the device, but the researcher warns on GitHub that it could be refined further to bypass this drawback through malware. He also confirms that one of his Twitter followers has had success running the code on a HP Pavilion laptop.

The full implications of the vulnerability and the number of devices it effects is still unclear. For now, users are recommended to wait for a fix and not do anything drastic, as similar techniques have been persistent even after the hard drive has been wiped.

You can keep up to date with the fix by checking Lenovo’s Security Advisories page.