Experts urge Lenovo owners to update fimware as soon as possible.
Cybersecurity experts from ESET have found three security flaws in hundreds of different Lenovo laptop models which could put millions of users at risk. ESET said exploiting these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter. In total, three vulnerabilities have been discovered, which are now tracked as CVE-2021-3970, CVE-2021-3971 (also known as SecureBackDoor and SecureBackDoorPreim), and CVE-3972 (SMM memory corruption inside the SW SMI handler function). The first two can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.
