Security firm ESET has found several UEFI vulnerabilities in a wide swathe of over 100 different Lenovo consumer laptop models, which can be patched by updating the notebook's firmware.
The full list of affected laptops includes the Ideapad-3, the Legion 5 Pro-16ACH6 H, and the Yoga Slim 9-14ITL0. ESET discovered the vulnerability late last year. Lenovo then worked to develop a patch and released it on the manufacturer's website. ESET didn't say whether these vulnerabilities were actively being exploited in the wild.
Specifically, the three different vulnerabilities would allow an attacker to modify either the protected boot settings or the firmware itself, a change that would survive the reinstallation of the operating system, ESET said. UEFI threats can be extremely stealthy and dangerous, the firm wrote.
They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.
A third vulnerability in the SMI Handler code would allow an attacker with local access and elevated privileges to execute arbitrary code, giving them control of the machine.
To solve the problem, Lenovo recommends that users navigate to the support site (support.lenovo.com), which resolves to pcsupport.lenovo.com. The laptop manufacturer has addressed the vulnerability with a specific Web page devoted to it, where you can find this as well as supplementary information.