A security researcher, Dymtro Oleksiuk pointed out a major security flaw on Lenovo ThinkPad series and possibly laptops from other merchants as well. He claimed that the laptops have a malfunctioning firmware driver that was apparently copied directly from Intel. The flawed firmware allows random System Management Mode (SMM) code execution. The result is that it undercuts Windows security protocols like Credential Guard, Virtual Secure Mode and Secure Boot. The researcher did not share the information with Lenovo Prior to publishing it thus making it a zero-day exploit.
Which gadgets are affected?
Oleksiuk pointed out that the flaw is present in the entire ThinkPad series laptops. However, the ones he claims to have checked include the T450s which has the recent firmware versions and the X220 which is an old model. He also suggests that other devices powered by Windows could have the same susceptible code from Intel and therefore be affected as well. The 2010 version of the HP Pavilion has also been confirmed to be having the security flaw.
Lenovo’s reaction to the claims
Lenovo confirmed the existence of the firmware flaw but were quick to point out that it was not on their Unified Extensible Firmware Interface (UEFI) code, but rather in the application provided to the company by a minimum of one Independent BIOS Vendors (IBVs). The company says they are in discussion with all its IBVs alongside Intel to ascertain or rule-out any more cases of the flaw presence in the BIOS provided to them by other IBVs, and establish the original purpose of the vulnerable code as well.
The firmware exploit labelled ‘ThinkPwn’, is implemented as an UEFI application that has to be performed from a USB flash drive using the UEFI shell. Access to the targeted computer therefore has to be physical and this limits the attackers that could use it. However, Oleksiuk said that with extra effort it could be possible to cash in on the weakness from inside the operating system which means that it could be attacked through malware.