
Lenovo is patching up a critical vulnerability in its PCs, other makers may be affected

A security researcher has identified a serious flaw in Lenovo PCs that may also implicate other PC makers and chipmaker Intel.

Posting on GitHub, Dmytro “Cr4sh” Oleksiuk said he discovered a Unified Extensible Firmware Interface (UEFI) bug in Lenovo’s ThinkPad System Management Mode (SMM) that would allow an attacker to bypass Windows’ security protocols.

“Exploitation of the vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things,” claimed Oleksiuk.

This all stems from common Intel code that was allegedly provided by independent BIOS vendors (IBVs), which is where Lenovo appears to be placing the blame, though it added in its security advisory that the investigation is ongoing.

The company stated that it knows this vulnerable code was provided by “at least one” IBV. Lenovo works with three IBVs but it did not specify beyond that or give names.

“Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs,” read the advisory.

What’s important to note here is that IBVs work with a number of computer makers. While Oleksiuk said that he found this flaw in more than one Lenovo laptop he tested, it’s very much possible the flaw exists in other PC brands too.

“Lenovo is blaming it’s [sic] IBV, so, it’s 100% that there’s others OEM’s that have this vuln in their products,” Oleksiuk tweeted. Shortly afterwards, another Twitter user responded with a claim that he had found the same vulnerability in an HP computer that shipped in 2010.

@d_olex Yep, found SmmRuntimeManagementCallback() function in HP dv7 4087cl (from ~2010, HM55) with Insyde EFI

— Alex James (@al3xtjames) July 2, 2016

In its statement, Lenovo took issue with Oleksiuk publishing his findings before having any contact with its own team. The statement said Lenovo made “several unsuccessful attempts” to reach out to and collaborate with the researcher before he went public.

For now, a fix is in the works. “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” it said.

As of this writing, no other PC makers have commented on the reported vulnerability.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…