Lenovo is patching up a critical vulnerability in its PCs, other makers may be affected

A security researcher has identified a serious flaw in Lenovo PCs that may also implicate other PC makers and chipmaker Intel.

Posting on GitHub, Dmytro “Cr4sh” Oleksiuk said he discovered a Unified Extensible Firmware Interface (UEFI) bug in Lenovo’s ThinkPad System Management Mode (SMM) that would allow an attacker to bypass Windows’ security protocols.

“Exploitation of the vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things,” claimed Oleksiuk.

This all stems from common code from Intel that was allegedly provided by independent BIOS vendors (IBVs), which is where Lenovo appears to be placing the blame, though it added in its security advisory that the investigation is ongoing.

The company stated that it knows this vulnerable code was provided by “at least one” IBV. Lenovo works with three IBVs but it did not specify beyond that or give names.

“Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs,” read the advisory.

What’s important to note here is that IBVs work with a number of computer makers. While Oleksiuk said that he found this flaw in more than one Lenovo laptop he tested, it’s very much possible the flaw exists in other PC brands too.

“Lenovo is blaming it’s [sic] IBV, so, it’s 100% that there’s others OEM’s that have this vuln in their products,” Oleksiuk tweeted. Shortly afterwards, another Twitter user responded with a claim that he had found the same vulnerability in an HP computer that shipped in 2010.

@d_olex Yep, found SmmRuntimeManagementCallback() function in HP dv7 4087cl (from ~2010, HM55) with Insyde EFI pic.twitter.com/M5jrsrAO8d

— Alex James (@al3xtjames) July 2, 2016

In its statement, Lenovo took issue with Oleksiuk publishing his findings before having any contact with its own team. The statement said Lenovo made “several unsuccessful attempts” to reach out to and collaborate with the researcher before he went public.

For now, a fix is in the works. “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” it said.

As of this writing no other PC makers have commented on the reported vulnerability.
