Lenovo LEN-24374: Multiple SMM vulnerabilities, CVE-2018-(9083-9084,16089-16092,16094-16096)

System Management Module Vulnerabilities

Lenovo Security Advisory: LEN-24374
Potential Impact: Privilege escalation
Severity: High
Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2018-9083, CVE-2018-9084, CVE-2018-16089, CVE-2018-16090, CVE-2018-16091, CVE-2018-16092, CVE-2018-16094, CVE-2018-16095, CVE-2018-16096

Summary Description:

A Lenovo security audit of the System Management Module firmware uncovered the following vulnerabilities. SMM networking is disabled by default, and these cannot be exploited until networking is enabled:

CVE-2018-16089: A field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.

CVE-2018-16090: The SMM certificate creation and parsing logic is vulnerable to post-authentication command injection.

CVE-2018-16091: The SMM certificate creation and parsing logic is vulnerable to several buffer overflows.

CVE-2018-9083: The SMM contains weak default root credentials which could be used to log in to the device OS — if the attacker manages to enable SSH or Telnet connections via some other vulnerability.

CVE-2018-9084: If an attacker manages to log in to the device OS, the validation of software updates can be circumvented.

CVE-2018-16092: The FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file.

CVE-2018-16094: An internal SMM function that retrieves configuration settings is prone to a buffer overflow.

CVE-2018-16095: The SMM records hashed passwords to a debug log when user authentication fails.

CVE-2018-16096: The SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.

https://support.lenovo.com/pt/fi/solutions/len-24374

see-also:
https://exchange.xforce.ibmcloud.com/vulnerabilities/153003
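Two of the items above are plain input-validation failures on a management interface: CVE-2018-16089 (a header field of the update image reaches a shell) and CVE-2018-16096 (a VPD string reaches an HTML page unescaped). The following is an added example, not Lenovo's SMM code, showing the defensive pattern for both: parse the header with a fixed layout, allowlist the field before it is used anywhere, never build a shell string from it, and escape anything rendered into HTML. The header layout (magic, 32-byte version string, payload length), the script path and the field names are all assumptions made up for this example.

```python
import html
import re
import struct

# Constructed, hypothetical update-image header layout for this example only:
# 8-byte magic, 32-byte NUL-padded version string, 4-byte little-endian payload length.
HEADER_FMT = "<8s32sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 44 bytes
MAGIC = b"SMMUPDT1"

# Allowlist for the version field: dotted digits only. Anything else (shell
# metacharacters, whitespace, NULs, non-ASCII) is rejected before use.
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+){0,3}")


def build_image(version: bytes, payload: bytes) -> bytes:
    """Assemble a constructed test image with the layout above."""
    if len(version) > 32:
        raise ValueError("version field too long for header")
    return struct.pack(HEADER_FMT, MAGIC, version.ljust(32, b"\x00"), len(payload)) + payload


def parse_header(image: bytes) -> dict:
    """Parse the fixed-size header and validate every field before returning it."""
    if len(image) < HEADER_LEN:
        raise ValueError("image too short for header")
    magic, raw_version, payload_len = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    # Strip NUL padding; a non-ASCII byte raises UnicodeDecodeError (a ValueError).
    version = raw_version.split(b"\x00", 1)[0].decode("ascii", errors="strict")
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"version field rejected: {version!r}")
    if payload_len != len(image) - HEADER_LEN:
        raise ValueError("payload length does not match image size")
    return {"version": version, "payload": image[HEADER_LEN:]}


def header_rejected(image: bytes) -> bool:
    """True if the parser refuses the image (helper for callers and tests)."""
    try:
        parse_header(image)
    except ValueError:
        return True
    return False


def unsafe_stage_command(version: str) -> str:
    """The vulnerable pattern, shown for contrast only and never executed here:
    an untrusted field spliced into a string that a shell will interpret."""
    return f"/opt/smm/stage_update.sh {version}"


def safe_stage_argv(version: str) -> list:
    """Hardened pattern: an argv list (no shell) built only from a validated field.
    Pass this to subprocess.run(argv) with shell=False."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError("refusing unvalidated version field")
    return ["/opt/smm/stage_update.sh", "--version", version]


def render_vpd_field(label: str, value: str) -> str:
    """Hardened rendering of an enclosure VPD field: escape before embedding in HTML."""
    return f"<td>{html.escape(label)}</td><td>{html.escape(value, quote=True)}</td>"
```

Note the order: the version string is checked at parse time and again at the point of use, so a later code path cannot reuse an unvalidated value; and the argv form removes the shell from the picture entirely, which is what makes the metacharacter question moot.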

Lenovo ThinkPad X1 6en: Enabling S3 Sleep for Linux after Firmware Update

https://brauner.github.io/2018/09/08/thinkpad-6en-s3.html

Installing Coreboot on Lenovo X210

[…]The other fun thing about it is that none of the firmware flashing protection is enabled, including Intel Boot Guard. This means running a custom firmware image is possible, and what would a ridiculous custom Thinkpad be without ridiculous custom firmware? A shadow of its potential, that’s what. So, I read the Coreboot[1] motherboard porting guide and set to.[…]

https://mjg59.dreamwidth.org/50924.html

Lenovo should be giving Matthew a free X210 for this effort.

Lenovo ACPI bug – affects X1C6, X1Y3, X280, T480s, T480, T580, P52s, possibly more.

“This bug deserves more attention than it is currently receiving. It should be pinned in every forum with an affected machine, so that owners of those machines will be aware that it exists. It is currently squirreled away in the T series forum, under the outdated title “T480s – ACPI bug”. I have asked that the title be updated and received no response, which is why I’m posting this here.[…]

There’s a bug in the ACPI tables that affects all of the machines listed in the title. The bug causes heavy CPU usage on one thread due to frequent ACPI interrupts. The symptoms are a slow system, and high CPU temperatures (idles around 65 degrees Celsius). Some operating systems may mitigate the symptoms, but the bug is present regardless.

The following circumstances trigger it:
- powering on the laptop
- waking from suspend (and possibly hibernate – untested)

The following actions prevent it:
- reboot the laptop (temporary fix)
- disable Thunderbolt in the UEFI settings (permanent fix – with latest UEFI updates)

The official UEFI update changelogs for all of these machines make explicit mention of this issue: “-(Fix) Fix an issue where system may become hot by system interrupts when Thunderbolt is disabled in ThinkPad Setup – Security – I/O Port Access.”[…]

https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/ACPI-bug-affects-X1C6-X1Y3-X280-T480s-T480-T580-P52s-possibly/td-p/4084521

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T480s-ACPI-bug/m-p/4064963#M124889

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T480s-ACPI-bug/m-p/4067181#M124936

https://download.lenovo.com/pccbbs/mobiles/n22ur05w.txt
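The symptom described in the post (one thread pinned, high idle temperature) is an ACPI SCI interrupt storm, and on Linux it is visible as the counter on the "acpi" line of /proc/interrupts climbing by thousands per second while idle. The following is an added example, not from the forum thread or from Lenovo, of a small detector that parses two snapshots of that file and reports the SCI rate. The two snapshots and the 1000/s threshold are constructed for the example; the real check reads /proc/interrupts twice a few seconds apart.

```python
import time

# Two constructed /proc/interrupts snapshots taken 10 seconds apart on a 2-CPU
# machine. IRQ 9 is the ACPI System Control Interrupt (SCI); on an affected
# ThinkPad it climbs steadily while the machine does nothing.
SNAPSHOT_T0 = """\
           CPU0       CPU1
  0:         36          0   IO-APIC   2-edge      timer
  9:      10000       2000   IO-APIC   9-fasteoi   acpi
 16:        500        100   IO-APIC  16-fasteoi   i801_smbus
"""
SNAPSHOT_T1 = """\
           CPU0       CPU1
  0:         36          0   IO-APIC   2-edge      timer
  9:      55000       7000   IO-APIC   9-fasteoi   acpi
 16:        520        101   IO-APIC  16-fasteoi   i801_smbus
"""

ACPI_STORM_THRESHOLD = 1000.0   # assumed; a healthy idle system sees a handful per second


def parse_interrupts(text: str) -> dict:
    """Map IRQ name -> (total count across CPUs, description) from /proc/interrupts text."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())          # header row lists one CPUn column per CPU
    counts = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < ncpu + 1 or not fields[0].endswith(":"):
            continue                      # ERR:/MIS: rows and blank lines have fewer columns
        per_cpu = fields[1:1 + ncpu]
        if not all(f.isdigit() for f in per_cpu):
            continue
        desc = " ".join(fields[1 + ncpu:])
        counts[fields[0][:-1]] = (sum(int(f) for f in per_cpu), desc)
    return counts


def acpi_sci_rate(before: str, after: str, seconds: float) -> float:
    """ACPI SCI interrupts per second between two snapshots."""
    b, a = parse_interrupts(before), parse_interrupts(after)
    delta = 0
    for irq, (count, desc) in a.items():
        # Shared IRQ lines list actions as "acpi, foo", so strip commas before matching.
        if "acpi" in desc.replace(",", " ").split() and irq in b:
            delta += count - b[irq][0]
    return delta / seconds


def acpi_storm_detected(before: str, after: str, seconds: float,
                        threshold: float = ACPI_STORM_THRESHOLD) -> bool:
    return acpi_sci_rate(before, after, seconds) > threshold


def sample_live(seconds: float = 5.0) -> float:
    """Read the real /proc/interrupts twice and return the live SCI rate (Linux only)."""
    with open("/proc/interrupts") as f:
        first = f.read()
    time.sleep(seconds)
    with open("/proc/interrupts") as f:
        second = f.read()
    return acpi_sci_rate(first, second, seconds)


if __name__ == "__main__":
    print(f"constructed sample: {acpi_sci_rate(SNAPSHOT_T0, SNAPSHOT_T1, 10):.0f} SCI/s")
```

The per-GPE breakdown under /sys/firmware/acpi/interrupts/ tells you which GPE is firing, but the /proc/interrupts rate is enough to confirm the post's symptom and to verify that the Thunderbolt-disable workaround or the UEFI update actually stopped it.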

Diverse Lynx: seeks PenTester to use CHIPSEC [against Lenovo?]

Lenovo working through an external pentest firm? I wish I saw more OEMs asking for appropriate job skills.

If you’re thinking about applying, look at some of the reviews for this consulting firm before doing so. Maybe look if Lenovo has a direct position open as well.

Diverse Lynx: Penetration tester
[…]It is also firmware analysis which according to Lenovo is analyzing anything that may be on disk. […] Chipsec needs to be used for this assessment. It’s for UEFI attacks, but it’s fairly automated.[…]

https://www2.jobdiva.com/candidates/myjobs/openjob_outside.jsp?id=10760288

https://www.diverselynx.com/

Lenovo LEN-20241: System x Secure Boot Vulnerability

System x Secure Boot Vulnerability
Lenovo Security Advisory: LEN-20241
Potential Impact: Booting unauthenticated code
Severity: High
Scope of Impact: Lenovo-only
CVE Identifier: CVE-2017-3775

Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code. Lenovo ships these systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment, and standard operator configurations disable signature checking. Apply the BIOS/UEFI update appropriate for your model described in the product impact section below. If you are relying on Secure Boot, you may want to control physical access to systems prior to applying the updates.[…]

https://support.lenovo.com/us/en/solutions/len-20241

Lenovo Patches Arbitrary Code Execution Flaw

Lenovo: Intel AMT MEBx Access Control Bypass

Intel Active Management Technology MEBx Access Control Bypass
2018-02-08
Initial Release

Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568

Potential Impact: Remote access and control
Severity: Critical

Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]

ThinkPad – Updates coming soon
ThinkServer- Researching

https://support.lenovo.com/us/en/solutions/LEN-19568

https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt

https://www.intel.com/content/www/us/en/support/articles/000020917/software/manageability-products.html

Intel_AMT_Security_Best_Practices_QA.pdf

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html

Ubuntu 17.10 corrupting BIOS – many Lenovo laptops models (and Acer and Toshiba)

“Canonical has pulled downloads for its Ubuntu 17.10 Linux distribution following reports that it can trigger a bug in the UEFI firmware of selected Lenovo, Acer, and Toshiba laptops, corrupting the BIOS and disabling the ability to boot from USB Drives.”

https://www.bit-tech.net/news/tech/software/canonical-pulls-ubuntu-1710-over-uefi-corruption-issue/1/

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734147

OEMs: support Linux firmware updates via fwupd

OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support fwupd.

(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)

https://fwupd.org/vendors

Be careful with special characters and BIOS passwords

“So for future reference: Do not set a special symbol as password in your BIOS. Although it acts like it is correct, it will brick your laptop, and this will cost you a new motherboard if you don’t find out what the symbol is replaced by.”

https://forums.lenovo.com/t5/ThinkPad-L-R-and-SL-series/Important-TIP-Concerning-bug-with-passwords-set-in-bios/m-p/268696

OEM/IBV — not just Lenovo — better input validation. Try checking for emojis too. 😦 International characters are likely to have issues as well. A bit more error checking would save users from having to buy new motherboards to replace their bricks: big impact!

I recently helped an IPMI vendor with a problem where they would not accept punctuation in passwords, because they had misread a security FAQ by David Wheeler and were afraid punctuation would put them at risk of shell injection attacks.

https://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/validation-basics.html
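Both stories above have the same lesson: a password is opaque data, and the character set should never be restricted to protect some downstream consumer (a keyboard-layout mapping in BIOS, or a shell in an IPMI stack). The right place to be strict is the encoding and the length, and the right way to avoid shell injection is to never build a shell string from the secret at all. The following is an added example, not from either vendor, of password handling that accepts punctuation, emoji and international text: NFKC-normalize so the same visible string always hashes identically, UTF-8 encode, salt and stretch with PBKDF2-HMAC-SHA256, and compare in constant time. The iteration count and the 1024-byte cap are assumed values for the example.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 210_000   # assumed work factor for this example; tune to the hardware
MAX_PASSWORD_BYTES = 1024     # assumed cap: bounds the work, not the character set


def canonical_bytes(password: str) -> bytes:
    """Normalize and encode. No character is rejected; only an empty or absurdly
    long input is refused. NFKC makes 'e' + combining acute equal 'é'."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if not data or len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password length out of range")
    return data


def make_record(password: str) -> dict:
    """Create the stored verifier: random per-user salt plus stretched digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison against the stored digest; a malformed candidate
    simply fails rather than raising, so callers cannot distinguish the cases."""
    try:
        data = canonical_bytes(candidate)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", data, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def helper_argv(tool: str, password: str) -> list:
    """If a secret must reach an external helper, hand it over as one argv element
    (subprocess.run(argv) with shell=False) or via stdin. Nothing in the value is
    interpreted, so quoting rules and metacharacters never come into play."""
    return [tool, "--password-from-arg", password]
```

With this shape the IPMI vendor's worry disappears: the shell is never involved, so `;`, backticks and `$(` in a password are just bytes. The BIOS case is harder because the firmware compares keyboard input rather than a string, but the principle is the same: reject nothing you cannot round-trip, and if a character cannot be entered reliably at the pre-boot prompt, refuse it at set time with a clear message rather than silently substituting something else.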

Lenovo seeks CHIPSEC-savvy security intern

Lenovo’s Data Center Group (DCG) is seeking a qualified intern to join the Software Security Review Board (SSRB) team as a Junior Product Security Test Engineer (Ethical Hacker). The SSRB is dedicated to enhancing the security of Lenovo DCG products for our customers. Projects will include configuring security test targets such as servers, storage, and networking environments; performing product security assessments; creating assessment reports; and working with global product teams to review assessment results.

– Setup, configure, and use security tools such as AppAudit, Arachni, Burp Suite Pro, CHIPSEC, nmap, Nessus, Protecode SC, and Metasploit to perform SSRB security assessments

https://lenovoworldwide.rolepoint.com/?shorturl=YJvM8&sourceType=PREMIUM_POST_SITE#job/ahBzfnJvbGVwb2ludC1wcm9kchALEgNKb2IYgIDQ0J3Z6ggM

CVE-2017-3753: AMI Lenovo UEFI SMM vulnerability

Lenovo says the scope of the AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.

BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753

Lenovo Security Advisory: LEN-14695
Severity: High
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017

Potential Impact: Execution of code in SMM by an attacker with local administrative access

A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:

* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator) user

https://nvd.nist.gov/vuln/detail/CVE-2017-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3753
https://support.lenovo.com/us/en/product_security/len-14695
AFAICT there is nothing about this on the AMI site.

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

Today Intel announced a NEW AMT security advisory:

Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017

Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’ web clicks via an attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr

automated-efi-fw-update

automatically update server and adapter firmware using EFI shell

This Updatepack automates and simplifies the update process of Intel Servers and Adapters. […] Supported Devices:

Intel S2600WT Server Board Family
Intel RMS3JC080 RAID Controller
Intel RMS3CC080 RAID Controller
Intel RES3TV360 SAS Expander
QLogic BR1860-2 Converged Network Adapter
Lenovo N2225 SAS Host Bus Adapter

https://github.com/thost96/automated-efi-fw-update

Careful: this GitHub project includes some binary-only *.EFI files with no source code included.

Lenovo USB malware

IBM Storwize for Lenovo initialization USB drives contain malware
Lenovo Security Advisory: LEN-14957
Potential Impact: Malware infection on system used to launch initialization tool
Severity: Medium

Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems. When the initialization tool is launched from the USB flash drive onto a computer used for initial configuration, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation. With that step, the malicious file is copied with the initialization tool to the following temporary folder:

On Windows systems: %TMP%\initTool
On Linux and Mac systems: /tmp/initTool

Important: While the malicious file is copied onto the computer, the file is not executed during initialization and is not run unless a user manually executes it. The infected file does not affect the IBM Storwize for Lenovo system. The initialization tool is only used to write a text file on the USB key, which is then read by Storwize, which will then write a separate text file onto the key. At no point during the time that the USB thumb drive is inserted in the Storwize system is any information copied from the thumb drive directly to the Storwize system, nor is any code executed on the Storwize system.

The affected Initialization USB flash drive looks like the images below, and contains a folder called InitTool.[…]

https://support.lenovo.com/us/en/product_security/len-14957

Lenovo: AMI BIOS SMM vulnerability

Lenovo Security Advisory: LEN-4710
Potential Impact:  Execution of code in SMM by an attacker with administrative access
Severity: Medium
Scope of impact: Industry-wide

Summary Description: System Management Mode (SMM) is the most privileged execution mode of the x86 processor. Software System Management Interrupt (SWSMI) handlers are used by software to call on BIOS functions that reside within the SMM. A vulnerability has been identified in one of the SWSMI handlers in the BIOS code from American Megatrends Inc. (AMI) used on some Lenovo systems. This could allow a malicious attacker with administrative access to execute code in the SMM and bypass some BIOS security mechanisms and install software with bootkit functionality. Mitigation Strategy for Customers (what you should do to protect yourself): Update your BIOS level to the latest version by following the instructions in the readme file. This issue only affects Lenovo products with BIOS firmware from AMI. Brands not listed, such as ThinkPad, do not use AMI firmware and are not affected by this vulnerability. Lenovo thanks Bruno Pujos of Sogeti ESEC R&D for reporting this issue.[…]

More info:

http://esec-lab.sogeti.com/posts/2016/05/30/smm-unchecked-pointer-vulnerability.html

https://support.lenovo.com/us/en/product_security/len_4710
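The Sogeti write-up linked above describes the classic SWSMI handler defect: the handler takes a pointer (or a pointer-and-length pair) supplied by the non-SMM caller and reads or writes through it without first checking that the range lies entirely outside SMRAM, so a caller with ring-0 access can make SMM code corrupt its own memory. The following is an added example, not AMI's or Lenovo's code, of the range check every handler must apply before touching caller-supplied memory, including the cases that are easy to get wrong (zero length, address-space wraparound, and a buffer that ends exactly at the SMRAM base). The SMRAM base and size are constructed values; on real hardware they come from the chipset's TSEG registers.

```python
import struct

ADDRESS_BITS = 64
ADDRESS_MASK = (1 << ADDRESS_BITS) - 1

# Constructed SMRAM (TSEG) layout for this example: 16 MiB at 0x8F000000.
SMRAM_RANGES = [(0x8F000000, 0x01000000)]


def buffer_outside_smram(addr: int, length: int, ranges=SMRAM_RANGES) -> bool:
    """True only if [addr, addr+length) is a sane, non-wrapping range that does
    not overlap any SMRAM region. Callers must refuse the request otherwise."""
    if length <= 0:
        return False                          # empty or negative lengths are rejected, not ignored
    if addr < 0 or addr > ADDRESS_MASK:
        return False
    end = addr + length                       # exclusive end, computed in unbounded ints
    if end - 1 > ADDRESS_MASK:
        return False                          # would wrap around the top of the address space
    for base, size in ranges:
        # Half-open interval overlap test; touching the boundary is fine, crossing it is not.
        if addr < base + size and base < end:
            return False
    return True


def validate_comm_buffer(raw: bytes) -> tuple:
    """Hypothetical SWSMI request header: the caller passes a 64-bit physical
    address and a 64-bit byte count. The handler parses both from the
    communication buffer and validates them before any access."""
    if len(raw) < 16:
        raise ValueError("communication buffer too short")
    addr, length = struct.unpack("<QQ", raw[:16])
    if not buffer_outside_smram(addr, length):
        raise PermissionError("request range is malformed or overlaps SMRAM")
    return addr, length


def request_accepted(raw: bytes) -> bool:
    """Helper reporting whether a request header would pass validation."""
    try:
        validate_comm_buffer(raw)
    except (ValueError, PermissionError):
        return False
    return True
```

The two details that distinguish a correct check from a superficial one are the wraparound test (a huge length makes addr+length wrap below addr, so a naive end > smram_base comparison passes) and re-reading: the handler must copy the header into SMRAM once and validate that copy, not validate the caller's buffer and then read it again, since the caller can change it between the two accesses.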

CVE-2016-8226, Lenovo UEFI DoS

CVE Identifier: CVE-2016-8226
Access Vector: Network exploitable
Access Complexity: Low
Original release date: 01/26/2017

The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.

Lenovo Security Advisory: LEN-11306
Denial of service attack on Lenovo System X M5, M6, and X6 systems

A vulnerability was identified in the BIOS of Lenovo System X M5, M6, and X6 systems. An attacker with administrative access to a system can cause a denial of service attack on the system by updating a UEFI data structure. After this occurs, the system will not complete POST (Power-On Self-Test), hang at the Lenovo splash screen, and fail to boot. This issue was inadvertently encountered in an update to Microsoft Windows Server 2012, Windows Server 2012R2 and Windows Server 2016 (see https://support.lenovo.com/us/en/solutions/ht502912 for details). However, systems running any operating system are vulnerable. Lenovo strongly recommends installing this update. Mitigation Strategy for Customers (what you should do to protect yourself):[…]
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8226

https://support.lenovo.com/us/en/solutions/LEN-11306

Lenovo’s Think BIOS Config Tool

http://thinkdeploy.blogspot.com/2017/01/thinkpad-bios-to-uefi-conversion-using.html?spref=tw

https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html

Some related Lenovo BIOS tools:
https://support.lenovo.com/us/en/documents/ht100612
http://support.lenovo.com/us/en/downloads/ds014169
http://support.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-l-series-laptops/thinkpad-l420/downloads/ds019499

[I confess I still don’t understand what this “BIOS to UEFI” thing is that Windows admin tools now have. Is it switching from Legacy to UEFI firmware and then redoing the OS bits to handle that? Why are these boxes using Legacy mode in the first place? Oh well.]