Researchers at ESET have discovered three vulnerabilities affecting various Lenovo consumer laptop models. According to the cybersecurity firm, exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware, either in the form of an SPI flash implant such as LoJax or a UEFI bootkit. ESET reported all discovered vulnerabilities to Lenovo in October 2021. Altogether, the list of affected devices contains more than one hundred different laptop models with millions of users worldwide.

"UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed," says ESET researcher Martin Smolár, who discovered the vulnerabilities. "Our discovery demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last year suggests that adversaries are aware of this," he says.

The first two of these vulnerabilities, CVE-2021-3971 and CVE-2021-3972, affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were mistakenly also included in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime.

In addition, while investigating binaries affected by CVE-2021-3971 and CVE-2021-3972, ESET discovered a third vulnerability: SMM memory corruption inside the SMI handler function (CVE-2021-3970). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.

"All of the real-world UEFI threats discovered in the last year (LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy) needed to bypass or disable the security mechanisms in some way in order to be deployed and executed," says Smolár.

ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware by following the manufacturer's instructions.

SPI flash is a small memory chip located on the computer's motherboard and is often used as storage for platform firmware code, including UEFI firmware. To protect this storage against unauthorised modification, the chipset provides special protection mechanisms such as the BIOS Control Register and the Protected Range Registers.

UEFI malware that resides on the SPI flash is often referred to as an SPI flash implant or UEFI rootkit.

The UEFI boot and runtime services provide the basic functions and data structures necessary for the drivers and applications to do their job, such as installing protocols, locating existing protocols, memory allocation, UEFI variable manipulation, etc.

UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.

System Management Mode (SMM) is a special, highly privileged processor execution mode (even more privileged than the OS kernel or hypervisor). To enter this SMM execution mode, a special System Management Interrupt (SMI) needs to be triggered. When a processor enters SMM execution mode, it has access to a special memory range (referred to as SMRAM), which is hardware-protected against access from non-SMM execution modes. Platform firmware handles invoked SMIs with functions called SMI handlers. These handler functions sometimes process data from untrusted sources (e.g., from the OS), and therefore the data should be properly validated before it is used. Otherwise, the attacker could pass specially crafted input data to the SMI handler, which can result in SMRAM memory corruption and subsequent arbitrary code execution with SMM privileges.
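The SMM paragraph above says SMI handlers must validate data that comes from the OS. As an added illustration (not code from ESET, Lenovo or any firmware image), this C sketch shows the usual range check: a hypothetical handler rejects any OS-supplied buffer that wraps around or overlaps SMRAM. The SMRAM window, request layout, size limit and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed SMRAM window (constructed values; real firmware gets its ranges at boot). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL
#define MAX_XFER   0x1000ULL        /* assumed per-request size limit */

enum smi_status { SMI_OK, SMI_BAD_PARAM, SMI_ACCESS_DENIED };

/* Hypothetical request the OS places in the communication buffer. */
struct smi_request {
    uint64_t dst;   /* physical address the handler is asked to write to */
    uint64_t len;   /* number of bytes to write */
};

/* True only if [addr, addr + len) is non-empty, does not wrap and misses SMRAM. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len)
        return false;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Checks a handler runs before it touches any OS-supplied pointer. */
enum smi_status validate_request(uint64_t comm_addr, uint64_t comm_size,
                                 const struct smi_request *req)
{
    if (req == NULL || comm_size < sizeof(struct smi_request))
        return SMI_BAD_PARAM;
    if (!outside_smram(comm_addr, comm_size))
        return SMI_ACCESS_DENIED;
    /* Copy once and check only the copy, so the OS cannot alter it after the check. */
    struct smi_request local = *req;
    if (local.len == 0 || local.len > MAX_XFER)
        return SMI_BAD_PARAM;
    if (!outside_smram(local.dst, local.len))
        return SMI_ACCESS_DENIED;
    return SMI_OK;
}

int main(void)
{
    struct smi_request bad = { SMRAM_BASE - 0x10, 0x100 };  /* straddles SMRAM */
    printf("%d\n", (int)validate_request(0x20000000ULL, sizeof bad, &bad));
    return 0;
}
```

EDK II firmware provides this kind of check as `SmmIsBufferOutsideSmmValid` in its SmmMemLib library.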