PC maker Lenovo has addressed yet another set of three shortcomings in the Unified Extensible Firmware Interface (UEFI) firmware affecting several Yoga, IdeaPad, and ThinkBook devices.
“The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS,” Slovak cybersecurity firm ESET explained in a series of tweets.
UEFI is the firmware interface that sits between a device's hardware and its operating system, the successor to the legacy BIOS. Because UEFI firmware runs first and is responsible for launching the operating system when a device is powered on, code that compromises it loads ahead of the OS's own defenses, which has made the technology an attractive target for threat actors looking to drop malware that's difficult to detect and remove.
Viewed in that light, the flaws, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could be abused by an adversary who already has administrative access to the running OS to turn off Secure Boot, a security mechanism designed to ensure that only cryptographically signed, non-revoked code is loaded during the boot process. Restoring the factory-default Secure Boot databases is just as damaging: dbx is the forbidden-signatures database, and resetting it to its shipped state re-admits any boot components whose signatures were revoked after the device left the factory.
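An OS-side attack of this kind leaves a trace the OS can read back. The script below is an added example, not code from Lenovo, ESET, or this article: it checks from Linux whether Secure Boot is actually enforcing (SecureBoot variable set, SetupMode clear) and fingerprints the dbx variable so that a later run can detect it being rolled back to factory defaults. It assumes efivarfs is mounted at the usual /sys/firmware/efi/efivars path (overridable via EFIVARS), and that the dbx baseline was recorded on a boot you trusted; the variable GUIDs are the standard EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE values.

```shell
#!/bin/sh
# Added example (not Lenovo's or ESET's code): read Secure Boot state and
# fingerprint dbx from the OS via efivarfs.
# Assumption: efivarfs is mounted at $EFIVARS (default below).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c  # EFI_GLOBAL_VARIABLE
DBX_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f     # EFI_IMAGE_SECURITY_DATABASE_GUID

# Every efivarfs file starts with a 4-byte attribute mask, then the variable
# payload. Print the first payload byte as a decimal number.
efivar_first_byte() {
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

# Succeeds only when SecureBoot == 1 and SetupMode == 0, i.e. the firmware
# is enforcing signature checks. A missing variable counts as "not enforcing".
secure_boot_enforcing() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_first_byte "$dir/SecureBoot-$GLOBAL_GUID" 2>/dev/null) || return 1
    sm=$(efivar_first_byte "$dir/SetupMode-$GLOBAL_GUID" 2>/dev/null) || return 1
    [ "$sb" = "1" ] && [ "$sm" = "0" ]
}

# SHA-256 of the dbx payload (attribute header skipped). Record this on a
# known-good boot; a later mismatch means dbx was rewritten or reset.
dbx_fingerprint() {
    dir=${1:-$EFIVARS}
    tail -c +5 "$dir/dbx-$DBX_GUID" | sha256sum | cut -d' ' -f1
}

# Compare the live dbx fingerprint against a previously recorded baseline.
dbx_unchanged() {
    [ "$(dbx_fingerprint "$1")" = "$2" ]
}

# Command-line use: ./sbcheck.sh --check
case "${1:-}" in
    --check)
        if secure_boot_enforcing; then
            echo "Secure Boot: enforcing"
        else
            echo "Secure Boot: NOT enforcing (disabled, setup mode, or variable missing)"
        fi
        echo "dbx sha256: $(dbx_fingerprint)"
        ;;
esac
```

Run it once from a state you trust and store the dbx hash somewhere the firmware attacker cannot reach (a monitoring server, not the same disk); a subsequent run that reports "NOT enforcing" or a changed dbx hash on a machine nobody reconfigured is the signal to investigate, since the flaws above are abused from within the OS and would show up exactly this way.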
Lenovo’s advisory describes the vulnerabilities as follows –