Lenovo scrambling to get a fix for BIOS vuln

Lenovo, and possibly other PC vendors, is exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential …

  1. Anonymous Coward

    it's a backdoor, not a bug

    The code shown in the github writeup looks like a deliberate backdoor to me. I mean, the user passes you a pointer to a function, and you call it - no trickery of any kind is involved, no logic subtleties, no unintended interactions between calls. This is not something you write by mistake.

    1. Anonymous Coward

      Re: it's a backdoor, not a bug

      Need Some Access?

      Forge Boot Interaction?

      Create Insider Account?

      The US TLA - access to all your information - comply or be punished citizen.

    2. Little Mouse

      Re: it's a backdoor, not a bug

      Someone else has installed a backdoor on Lenovo PCs?

      I think that's called Getting A Taste Of Your Own Medicine.

      1. jtaylor

        Re: it's a backdoor, not a bug

        Little Mouse wrote: "Someone else has installed a backdoor on Lenovo PCs? I think that's called Getting A Taste Of Your Own Medicine."

        I have a poor memory. Remind me why I deserve a backdoor on this ThinkPad.

        1. Sitaram Chamarty

          Re: it's a backdoor, not a bug

          I think he meant "as opposed to Lenovo installing it themselves". Probably referring to the so-called "free" apps that come with a laptop which caused some consternation recently (if something affects only Windows, I tend to not remember details).

        2. Tony Paulazzo

          Re: it's a backdoor, not a bug

          Lenovo installed freeware on their machine that sent telemetry back to the mothership. If the user deleted the free software it would be reinstalled by the BIOS at every bootup. They were called out on it, released a BIOS upgrade to remove it then were found to be doing something similar again a few months later.

          Google Superfish Lenovo.

          1. Bronek Kozicki

            Re: it's a backdoor, not a bug

            I do not think this can be compared to Superfish; for a start, this vulnerability comes from shared upstream (Intel's own code) and is apparently present on HP laptops as well.

    3. Anonymous Coward

      Re: it's a backdoor, not a bug

      Could well just be "a bug", Insyde make some really shite UEFI implementations.

      Things that should be implemented, aren't.

      Things that should work, don't.

      But, for most users, you won't notice these kind of things because Windows boots.

      1. Bronek Kozicki

        Re: it's a backdoor, not a bug

        Does anyone know what level of access is required before the vulnerable function can be invoked? At this moment this seems more like sloppy code enabling an "evil maid attack"; that is, it appears to require hardware (or perhaps administrator-level, from within the OS?) access before the attack. Or am I mistaken?

        Oh, and why do I think "sloppy code"? The function's purpose in the kernel sources is clear enough; the only missing part is validation of the callback function address.
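Added example (editor's illustration, not the Intel reference code or anything from the ThinkPwn write-up): the two comments above describe the pattern, an SMI handler that takes a function pointer out of a caller-supplied buffer and calls it. The constructed C model below shows that pattern next to the hardened shape a reviewer would ask for: the buffer carries a dispatch index rather than an address, the handler snapshots the buffer before using it, and a buffer overlapping SMRAM is rejected. The SMRAM window, the "write-protect" flag, the dispatch table entries and the attacker payload are all assumptions made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not the Intel/Lenovo code): "SMM state" the exploit wants to
 * change, standing in for the chipset's BIOS write-protect control. */
static int g_flash_write_protected = 1;

/* Hypothetical SMRAM window; real firmware reads it from the TSEG registers. */
#define SMRAM_BASE 0x7F000000ull
#define SMRAM_SIZE 0x00800000ull

typedef uint32_t (*SMM_CALLBACK)(uint64_t arg);

/* Communication buffer as laid out by the caller outside SMRAM. */
typedef struct {
    uint64_t function_addr;  /* code pointer: what the vulnerable handler trusts */
    uint32_t function_id;    /* dispatch index: what the hardened handler uses */
    uint64_t arg;
} COMM_BUFFER;

enum { SMM_OK = 0, SMM_ERR_BUFFER = 1, SMM_ERR_FUNCTION = 2 };

/* Vulnerable pattern: dereference a code pointer taken from an untrusted buffer.
 * Whatever address the caller wrote now executes with SMM privilege. */
int vulnerable_handler(const COMM_BUFFER *buf) {
    SMM_CALLBACK cb = (SMM_CALLBACK)(uintptr_t)buf->function_addr;
    cb(buf->arg);
    return SMM_OK;
}

/* Hardened pattern: the buffer selects one of a fixed table of SMM-resident
 * routines (placeholders here) and never supplies an address. */
static uint32_t smm_get_variable(uint64_t arg) { (void)arg; return 0; }
static uint32_t smm_set_variable(uint64_t arg) { (void)arg; return 0; }
static const SMM_CALLBACK k_dispatch[] = { smm_get_variable, smm_set_variable };

/* Reject a buffer that overlaps SMRAM (a caller could otherwise alias SMM state),
 * treating address wrap-around as overlap. */
int overlaps_smram(uint64_t addr, uint64_t len) {
    if (len > UINT64_MAX - addr) return 1;
    return addr < SMRAM_BASE + SMRAM_SIZE && addr + len > SMRAM_BASE;
}

int hardened_handler(const COMM_BUFFER *buf, uint64_t buf_phys) {
    COMM_BUFFER local;
    if (overlaps_smram(buf_phys, sizeof *buf)) return SMM_ERR_BUFFER;
    memcpy(&local, buf, sizeof local);        /* snapshot: no TOCTOU via another core */
    if (local.function_id >= sizeof k_dispatch / sizeof k_dispatch[0])
        return SMM_ERR_FUNCTION;
    k_dispatch[local.function_id](local.arg); /* only code that lives in SMRAM */
    return SMM_OK;
}

/* Constructed attacker payload standing in for "disable flash write protection". */
static uint32_t attacker_payload(uint64_t arg) {
    (void)arg;
    g_flash_write_protected = 0;
    return 0;
}

/* Drive either handler with the same attacker-built buffer; return whether write
 * protection survived (1) or was cleared (0). */
int run_attack(int hardened) {
    COMM_BUFFER buf = {
        .function_addr = (uint64_t)(uintptr_t)attacker_payload,
        .function_id   = 0xFFFFFFFFu,   /* out-of-table index: rejected when checked */
        .arg           = 0,
    };
    g_flash_write_protected = 1;
    if (hardened) hardened_handler(&buf, 0x10000000ull); /* constructed address outside SMRAM */
    else          vulnerable_handler(&buf);
    return g_flash_write_protected;
}

int main(void) {
    printf("vulnerable handler: write protection = %d\n", run_attack(0));
    printf("hardened handler:   write protection = %d\n", run_attack(1));
    return 0;
}
```

The vulnerable path is exactly "the user passes you a pointer to a function, and you call it"; the hardened path answers the "missing validation" point not by range-checking the pointer but by never accepting one, which is the shape SMM communication handlers are expected to take.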

  2. oneeye

    Not Again!!!

    Yikes, I mean, who in their right mind wants to keep buying Lenovo with a track record like they have going? I know of several "oops, backdoors in the mobile phone products" that have been discovered over the last couple of years. And they are not alone. Several of the other big-name Chinese vendors have had similar issues. Anyone besides me seeing a pattern? And I've not even touched on the software companies, Baidu being the most recent.

    1. Nattrash

      Re: Not Again!!!

      It is a somewhat oversimplified view, bashing Lenovo products exclusively. I mean, if this indeed came from upstream, I'm sure Lenovo isn't the only one. Which makes me extremely curious where this came from and why...

      1. Dan 55

        Re: Not Again!!!

        It comes from the Independent BIOS Vendors which are contracted to write the BIOS software by OEMs. The IBVs just copy and paste Intel's reference code without reviewing it, it seems... And the OEMs release the IBVs' code without review either.

        As it's in Intel's reference code it might even have found its way into Macs.

    2. Solmyr ibn Wali Barad

      Re: Not Again!!!

      This issue has a far wider spread - an embuggerance in the Intel reference code that is present in most UEFI implementations. I'd be mightily surprised if any of the PC vendors were able to spot it beforehand.

      Even more worrying - if this one gets patched, are there other surprises lurking in Intel management functions like AMT? Some people have been distrusting UEFI & AMT for years. Probably for a good reason.

    3. Baudwalk

      Re: Not Again!!! - Because ...

      ... which other vendor makes anything as nice as Lenovo's ThinkPad Yoga line?

      Serious question.

      Looking around for a new machine for the Supreme Commanderess, the TP-Yoga seemed by far the most reassuring going by quality, finish, features and simple sturdiness in the sub €1000 segment.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Not Again!!! - Because ...

        Don't just bash Lenovo, bash everything. There's no hardware you can trust.

        1. MacroRodent

          Re: Not Again!!! - Because ...

          "There's no hardware you can trust."

          Actually, there could be: a mechanical switch or jumper that would be connected directly to the write-enable pin of the firmware memory. Low-tech, and would keep the control in the hands of the owner of the machine, instead of Microsoft, which is of course why we have the overly complicated UEFI "secure boot" instead. (And when you hand a complex spec to a vendor, it is guaranteed to screw up the implementation).
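Added example (editor's illustration, not code from the article, the ThinkPwn write-up or any vendor): the comment above contrasts a physical write-enable switch with the software protections that the article says the bug can disable. The constructed C below decodes the chipset controls a practitioner would actually inspect (BIOS_CNTL's BIOSWE/BLE/SMM_BWP bits, the HSFS FLOCKDN bit and the PR0-PR4 protected ranges) and evaluates whether a write to a flash address is blocked for an attacker in ring 0 versus one already running in SMM. The bit layout is the one documented for Intel 5 to 9 Series PCHs and is an assumption to verify against your own chipset's datasheet; the register values are constructed samples, not readings from any Lenovo machine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Register layout as documented for Intel 5 to 9 Series PCHs (assumption: check
 * your chipset's datasheet): BIOS_CNTL at LPC D31:F0 offset 0xDC, HSFS and the
 * five PR registers in the SPI BAR. All values below are constructed samples. */
#define BIOS_CNTL_BIOSWE  (1u << 0)   /* BIOS Write Enable */
#define BIOS_CNTL_BLE     (1u << 1)   /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP (1u << 5)   /* BIOSWE only honoured while all cores are in SMM */
#define HSFS_FLOCKDN      (1u << 15)  /* PR registers locked until the next reset */
#define PR_WPE            (1u << 31)  /* protected range: write protection enable */

typedef struct {
    uint8_t  bios_cntl;
    uint16_t hsfs;
    uint32_t pr[5];
} SPI_REGS;

typedef enum { ATTACKER_RING0 = 0, ATTACKER_SMM = 1 } ATTACKER;

/* PRx: bits 12:0 are base[24:12], bits 28:16 are limit[24:12]. */
uint32_t pr_base(uint32_t pr)  { return (pr & 0x1FFFu) << 12; }
uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1FFFu) << 12) | 0xFFFu; }

/* Do the protected ranges stop this writer? PRs block every write, SMM
 * included, but SMM code can simply clear them unless FLOCKDN is set. */
bool pr_protects(const SPI_REGS *r, uint32_t addr, ATTACKER who) {
    if (who == ATTACKER_SMM && !(r->hsfs & HSFS_FLOCKDN)) return false;
    for (int i = 0; i < 5; i++) {
        uint32_t pr = r->pr[i];
        if ((pr & PR_WPE) && addr >= pr_base(pr) && addr <= pr_limit(pr)) return true;
    }
    return false;
}

/* Does BIOS_CNTL stop this writer? BLE (+SMM_BWP) only routes the decision to
 * the SMI handler, so code already running in SMM, which is what the article's
 * bug hands an attacker, just sets BIOSWE itself. */
bool bios_cntl_protects(const SPI_REGS *r, ATTACKER who) {
    if (who == ATTACKER_SMM) return false;
    if (r->bios_cntl & BIOS_CNTL_BIOSWE) return false;  /* already writable */
    return (r->bios_cntl & BIOS_CNTL_BLE) != 0;         /* relies on the SMI handler clearing BIOSWE */
}

bool flash_write_blocked(const SPI_REGS *r, uint32_t addr, ATTACKER who) {
    return pr_protects(r, addr, who) || bios_cntl_protects(r, who);
}

/* Constructed sample: BLE + SMM_BWP set, optionally PR0 covering a BIOS region
 * at 0x00500000-0x00FFFFFF, with or without FLOCKDN. */
SPI_REGS sample_regs(bool flockdn, bool with_pr) {
    SPI_REGS r = {0};
    r.bios_cntl = BIOS_CNTL_BLE | BIOS_CNTL_SMM_BWP;
    r.hsfs = flockdn ? HSFS_FLOCKDN : 0;
    if (with_pr) r.pr[0] = PR_WPE | (0xFFFu << 16) | 0x500u;
    return r;
}

int main(void) {
    static const char *names[] = { "ring 0", "SMM" };
    for (int locked = 0; locked < 2; locked++)
        for (int who = 0; who < 2; who++) {
            SPI_REGS r = sample_regs(locked, true);
            printf("FLOCKDN=%d attacker=%-6s write to 0x600000 blocked: %s\n", locked,
                   names[who], flash_write_blocked(&r, 0x600000, (ATTACKER)who) ? "yes" : "no");
        }
    return 0;
}
```

The point the decode makes: BLE and SMM_BWP only hold against a ring 0 attacker, because they delegate the decision to SMM; once SMM is compromised, the only software control that still holds is a PR range with FLOCKDN set, which is as close as the chipset gets to the jumper the comment asks for. Tools such as chipsec read these same registers from a live system; the sample values here are invented.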

        2. Hans 1

          Re: Not Again!!! - Because ...

          >There's no hardware you can trust.

          Yes, there is, ever heard of coreboot or libreboot?

          http://www.fsf.org/resources/hw/systems

          Here you can find systems that work well with GNU/Linux - If you want to trust your hardware, you might as well trust your software:

          https://h-node.org/

          MS software cannot be trusted, proprietary BIOSes cannot be trusted (by BIOS I mean both Basic Input Output System and its successor, UEFI), binary blobs CANNOT BE TRUSTED, no tin foil hat or flying choppers around here, they CANNOT BE TRUSTED, as simple as that, no ifs, buts or maybes.

          Sadly, a number of vital pieces of hardware, such as high-end graphics cards or some WIFI adapters require binary blobs in their drivers, this is sad, so, as much as I would like to be 100% LibreHardware, for the moment I have use-cases which are not quite fulfilled by LibreHardware ... I try to get as close as possible, though ... and avoid a lot of this stuff ...

      3. Thatguyfromthatforum

        Re: Not Again!!! - Because ...

        As a side note, the quality isn't as high as you'd think. I bought the Yoga Pro 2 (with the rubber-type keyboard), which has fracked along the hinges in less than a year. My friend has the Pro 3 with the harder plastic and already one of the 2 USB ports has died. The ZenBook is quite nice, just a heads up.

        1. Baudwalk

          Re: Not Again!!! - Because ...

          >>>As a side note the quality isn't as high as you'd think. I bought the yoga pro 2 <<<

          That's why I went for the ThinkPad Yoga.

          Bulkier, true, but (appearance of) vastly higher quality than the IdeaPad Yoga Pro.

  3. This post has been deleted by its author

  4. redpawn

    Wouldn't want a physical switch under the hood.

  5. Anonymous South African Coward

    The fun...

    ...never stops.

    1. Version 1.0

      Re: The fun...

      Actually, two bugs in two years isn't bad - OK, so we've only found two bugs .... there are always more because that's the way code gets written. You always plan to check it later but the pressure from the PHB to get it out of the door rarely allows time to do it.

      1. Anonymous Coward

        @Version 1.0 - Re: The fun...

        Not to mention the increasing decrease in coders' skill. Yeah, they can code brilliantly, but they goof at about the same scale.

  6. gv

    "Secure (?!) Boot"

    UEFI is a dog's breakfast.

    1. Anonymous Coward

      Re: "Secure (?!) Boot"

      I for myself welcome any malware that can disable this pest.

  7. Wolfclaw

    Three little letters of your own choosing from good old Uncle Sam's spooks leaning on poor old Intel!

  8. Ramazan

    lamedoor at best

    Read the https://github.com/Cr4sh/ThinkPwn first:

    "It means that the original vulnerability was fixed by Intel in the middle of 2014. Unfortunately, there were no public advisories, so it's still not clear whether Intel or Lenovo actually knew about it. There's a high possibility that old Intel code with this vulnerability is currently present in the firmware of other OEM/IBV vendors."

  9. Crazy Operations Guy

    Back to the old laptop for me...

    I have an old ThinkPad T400 that I installed coreboot and OpenBSD on. Seems to be the only way of remaining safe from security holes like these...

    I hate how much crap is being crammed into chips like these nowadays, I worked on a machine the other day that had a web browser built into UEFI. A BIOS isn't supposed to do much other than:

    1) Read some registers from peripherals to build a table the OS can understand

    2) Write some values to peripherals to change behavior (RTC config, base memory locations, etc)

    3) Copy boot code from the boot device to the memory and set the CPU to kick off from there (and set a register so the boot code knows where it came from and the base address to get the next piece).

    I wouldn't mind BIOS / UEFI being so large if it had a Unix-like environment that provided fdisk, fsck, a TCP/IP stack, wget, dmesg, and the ability to modify BIOS settings (Such as boot order, port configurations, change timing parameters, etc.), and maybe a utility that would allow enabling/disabling all PCI/PCIe and USB devices in the system.

    The OpenBSD ramdisk / install image can do almost all of that with just 7.5 MB; I've seen UEFI chips 128-256 MB in size, more than enough to support such an environment.

    1. Solmyr ibn Wali Barad

      Re: Back to the old laptop for me...

      On x86 servers UEFI does most of those things you wished - it has filesystem support, TCP/IP support, ability to change any HW settings remotely, apply HW settings from a config template. Useful when rolling out a large batch of servers. So it's more like a small operating system - whether that's a good or a bad thing I cannot tell. UEFI shell isn't UNIX-like, though.

      1. Hans 1

        Re: Back to the old laptop for me...

        >>I have an old ThinkPad T400 that I installed coreboot and OpenBSD into it. Seems to be the only way of remaining safe from security holes like these...

        >On x86 servers UEFI does most of those things you wished - it has filesystem support, TCP/IP support, ability to change any HW settings remotely, apply HW settings from a config template. Useful when rolling out a large batch of servers. So it's more like a small operating system - whether that's a good or a bad thing I cannot tell. UEFI shell isn't UNIX-like, though.

        How could you miss that first paragraph? Maybe you did not understand; let me rephrase it for you:

        Crazy Operations Guy has an open source firmware (UEFI-replacement) and OS. He then goes on about how his open source firmware has got open source tools to get stuff done, so, he clearly states that he likes that.

        What he dislikes is bloated buggy proprietary crap that can only do half of what his firmware can do, needs 17 to 34 times as much space and [my addition:] then only with specialized (:= expensive) software.

        In UNIX, you combine tools to get stuff done, each tool is very specialized in a specific task, which decouples the combined features of the whole system.

        1. Solmyr ibn Wali Barad

          Re: Back to the old laptop for me...

          Well, he had a line there

          "I wouldn't mind BIOS / UEFI being so large if it had a Unix-like environment that provided /.../ "

          to which I replied that this is indeed the case with server UEFI implementations - they have a complex environment built in, but not quite Unix-like.

          If anyone fancies doing an open source re-implementation, that'd be possible; there is lots of space to do it.

      2. Crazy Operations Guy

        Re: Back to the old laptop for me...

        "UEFI shell isn't UNIX-like, though."

        Figured that the UEFI shell could do something like what I want, but the command syntax seems to have been written by someone who has never seen a computer before, so couldn't really see what it can do. I wish that they'd just allow you to install whatever you want onto the chip (especially since there are plenty of BSD-licensed OSes out there that can be installed in there without needing any sort of license agreement).

        Another thought I had is that multi-GB SD cards are so very cheap nowadays, so it'd be nice if they could stick a 4 GB module onto the board and pre-load it with the drivers the board shipped with. Make it accessible as read-only when the OS starts but have an option in BIOS / UEFI to update it (Since UEFI environments do have TCP/IP stacks, why don't they have the ability to update themselves?).

        I've been thinking a lot about this lately since I'm setting up a test lab for work, and carrying around install media or trying to get network boot to work is proving a pain in the ass. The second part mostly comes from trying to install Windows 7 on machines that are new enough that Windows doesn't even have drivers for the NIC, let alone the video card or half the other devices in the box (which means that getting the drivers is a colossal pain, since I have to try and find the drivers based on their PCI IDs rather than just letting Windows Update figure it out. I would get them from the manufacturer's website, but these are unbadged white-box machines where the motherboard doesn't announce who made it or which of the many number/letter sequences is a model number).

  10. Anonymous Coward

    Just great

    How is the NSA going to stop terrorists once this is patched?

  11. Herby

    All your base belong to us.

    Yup! That's it.

    As for BIOSes installed on machines, I feel that this should be the most open source item of the machine. Then you can "trust" it. The reality is that the BIOS really does WAY TOO much for any given machine. It should just start the first read of secondary storage, and go from there. It really shouldn't need to do much more.

    Unfortunately, there are some operating systems that seem to rely upon the BIOS for much more than that. Oh, well.
