[…]The other fun thing about it is that none of the firmware flashing protection is enabled, including Intel Boot Guard. This means running a custom firmware image is possible, and what would a ridiculous custom Thinkpad be without ridiculous custom firmware? A shadow of its potential, that’s what. So, I read the Coreboot motherboard porting guide and set to.[…]
Lenovo should be giving Matthew a free X210 for this effort:
“This bug deserves more attention than it is currently receiving. It should be pinned in every forum with an affected machine, so that owners of those machines will be aware that it exists. It is currently squirreled away in the T series forum, under the outdated title “T480s – ACPI bug”. I have asked that the title be updated and received no response, which is why I’m posting this here.[…]
There’s a bug in the ACPI tables that affects all of the machines listed in the title. The bug causes heavy CPU usage on one thread due to frequent ACPI interrupts. The symptoms are a slow system, and high CPU temperatures (idles around 65 degrees Celsius). Some operating systems may mitigate the symptoms, but the bug is present regardless.
The following circumstances trigger it:
- powering on the laptop
- waking from suspend (and possibly hibernate – untested)
The following actions prevent it:
- reboot the laptop (temporary fix)
- disable Thunderbolt in the UEFI settings (permanent fix – with latest UEFI updates)
The official UEFI update changelogs for all of these machines make explicit mention of this issue: “-(Fix) Fix an issue where system may become hot by system interrupts when Thundrebolt is disabled in ThinkPad Setup – Security – I/O Port Access.”[…]
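The forum post diagnoses the problem from ACPI interrupt counts. As an added example (not from the post, Lenovo, or any firmware vendor), the POSIX shell snippet below shows how to confirm such an interrupt storm on Linux, where each ACPI interrupt source has a counter file under `/sys/firmware/acpi/interrupts/` whose first field is its fire count since boot; the two snapshots embedded in the script are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the forum post or from Lenovo. Assumes Linux, where
# /sys/firmware/acpi/interrupts/ holds one file per source (gpeXX, sci, ...)
# whose first whitespace-separated field is the number of times it fired.

# Print "name count" for every counter in DIR (default: the real sysfs dir).
acpi_snapshot() {
    dir=${1:-/sys/firmware/acpi/interrupts}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(awk '{print $1; exit}' "$f")"
    done
}

# Given two snapshots taken SECS seconds apart, print "name rate" for every
# source that fired more than THRESH times per second. A GPE that is still
# firing thousands of times per second on an idle machine is the storm the
# post describes; "sci" is the aggregate count and will rise with it.
acpi_hot_sources() {
    before=$1; after=$2; secs=$3; thresh=$4
    { printf '%s\n' "$before"; echo '---'; printf '%s\n' "$after"; } |
    awk -v secs="$secs" -v thresh="$thresh" '
        /^---$/   { phase = 1; next }
        phase == 0 { prev[$1] = $2; next }
        {
            rate = ($2 - prev[$1]) / secs
            if (rate > thresh) printf "%s %d\n", $1, rate
        }'
}

# Constructed sample snapshots, 5 seconds apart: gpe6E is stuck firing.
SAMPLE_BEFORE='gpe1F 3
gpe6E 120000
sci 120040
sci_not 0'
SAMPLE_AFTER='gpe1F 3
gpe6E 140000
sci 140041
sci_not 0'

# With --live, sample the real machine instead of the constructed data.
if [ "${1:-}" = "--live" ]; then
    a=$(acpi_snapshot); sleep 5; b=$(acpi_snapshot)
    acpi_hot_sources "$a" "$b" 5 1000
else
    acpi_hot_sources "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 5 1000
fi
```

Run with `--live` on an affected machine before and after disabling Thunderbolt in setup to see whether the hot GPE goes quiet.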
Lenovo working through an external pentest firm? I wish I saw more OEMs asking for appropriate job skills.
If you’re thinking about applying, look at some of the reviews for this consulting firm before doing so. Maybe look if Lenovo has a direct position open as well.
Diverse Lynx: Penetration tester
[…]It is also firmware analysis which according to Lenovo is analyzing anything that may be on disk. […] Chipsec needs to be used for this assessment. It’s for UEFI attacks, but it’s fairly automated.[…]
System x Secure Boot Vulnerability
Lenovo Security Advisory: LEN-20241
Potential Impact: Booting unauthenticated code
Scope of Impact: Lenovo-only
CVE Identifier: CVE-2017-3775
Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code. Lenovo ships these systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment, and standard operator configurations disable signature checking. Apply the BIOS/UEFI update appropriate for your model described in the product impact section below. If you are relying on Secure Boot, you may want to control physical access to systems prior to applying the updates.[…]
Lenovo has a blog post on supply chain security:
[…]Have you ever considered whether the PC’s delivered to your business contain the same components installed by the manufacturer?[…]
Lenovo: please publish hashes for your online firmware images!
Intel Active Management Technology MEBx Access Control Bypass
Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568
Potential Impact: Remote access and control
Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]
ThinkPad – Updates coming soon
“Canonical has pulled downloads for its Ubuntu 17.10 Linux distribution following reports that it can trigger a bug in the UEFI firmware of selected Lenovo, Acer, and Toshiba laptops, corrupting the BIOS and disabling the ability to boot from USB Drives.”
OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support FWUpd.
(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)
“So for future reference: Do not set a special symbol as password in your BIOS. Although it acts like it is correct, it will brick your laptop, and this will cost you a new motherboard if you don’t find out what the symbol is replaced by.”
OEMs and IBVs (not just Lenovo) need better input validation in their setup password handling. Try checking for emojis too. 😦 International characters are likely to cause the same problem. A bit more error checking would save users from having to buy new motherboards to replace their bricks, a big impact for little effort!
I recently helped an IPMI vendor with a problem where they would not accept punctuation in passwords, because they had misread a security FAQ by David Wheeler and were afraid punctuation would put them at risk of shell injection attacks.
Lenovo’s Data Center Group (DCG) is seeking a qualified intern to join the Software Security Review Board (SSRB) team as a Junior Product Security Test Engineer (Ethical Hacker). The SSRB is dedicated to enhancing the security of Lenovo DCG products for our customers. Projects will include configuring security test targets such as servers, storage, and networking environments; performing product security assessments; creating assessment reports; and working with global product teams to review assessment results.
– Setup, configure, and use security tools such as AppAudit, Arachni, Burp Suite Pro, CHIPSEC, nmap, Nessus, Protecode SC, and Metasploit to perform SSRB security assessments
Lenovo says scope of AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.
BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753
Lenovo Security Advisory: LEN-14695
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017
Potential Impact: Execution of code in SMM by an attacker with local administrative access
A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.
Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:
* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator) user
AFAICT nothing on the AMI site on this.
Today Intel announced a NEW AMT security advisory:
Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017
Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before the fixed releases listed in INTEL-SA-00081 potentially allows a remote attacker to hijack users’ web clicks via an attacker-crafted web page. Affected products: Intel AMT firmware versions before those fixed releases. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]
Automatically update server and adapter firmware using the EFI shell
This Updatepack automates and simplifies the update process of Intel Servers and Adapters. […] Supported Devices:
Intel S2600WT Server Board Family
Intel RMS3JC080 RAID Controller
Intel RMS3CC080 RAID Controller
Intel RES3TV360 SAS Expander
QLogic BR1860-2 Converged Network Adapter
Lenovo N2225 SAS Host Bus Adapter
Careful: this GitHub project includes some binary-only *.EFI files with no source code, so there is no way to verify what they do before running them in the firmware environment.
IBM Storwize for Lenovo initialization USB drives contain malware
Lenovo Security Advisory: LEN-14957
Potential Impact: Malware infection on system used to launch initialization tool
Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems. When the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:
On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool
Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system. The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.
The affected Initialization USB flash drive looks like the images below, and contains a folder called InitTool.[…]
Lenovo Security Advisory: LEN-4710
Potential Impact: Execution of code in SMM by an attacker with administrative access
Scope of impact: Industry-wide
Summary Description: System Management Mode (SMM) is the most privileged execution mode of the x86 processor. Software System Management Interrupt (SWSMI) handlers are used by software to call on BIOS functions that reside within the SMM. A vulnerability has been identified in one of the SWSMI handlers in the BIOS code from American Megatrends Inc. (AMI) used on some Lenovo systems. This could allow a malicious attacker with administrative access to execute code in the SMM and bypass some BIOS security mechanisms and install software with bootkit functionality.
Mitigation Strategy for Customers (what you should do to protect yourself): Update your BIOS level to the latest version by following the instructions in the readme file. This issue only affects Lenovo products with BIOS firmware from AMI. Brands not listed, such as ThinkPad, do not use AMI firmware and are not affected by this vulnerability. Lenovo thanks Bruno Pujos of Sogeti ESEC R&D for reporting this issue.[…]
CVE Identifier: CVE-2016-8226
Access Vector: Network exploitable
Access Complexity: Low
Original release date: 01/26/2017
The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.
Lenovo Security Advisory: LEN-11306
Denial of service attack on Lenovo System X M5, M6, and X6 systems
A vulnerability was identified in the BIOS of Lenovo System X M5, M6, and X6 systems. An attacker with administrative access to a system can cause a denial of service on the system by updating a UEFI data structure. After this occurs, the system will not complete POST (Power-On Self-Test), will hang at the Lenovo splash screen, and will fail to boot. This issue was inadvertently encountered in an update to Microsoft Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 (see https://support.lenovo.com/us/en/solutions/ht502912 for details). However, systems running any operating system are vulnerable. Lenovo strongly recommends installing this update. Mitigation Strategy for Customers (what you should do to protect yourself):[…]