Lenovo fixes flaws that can be used to disable UEFI Secure Boot
2022-11-09 16:03

Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot.

UEFI Secure Boot is a verification system that ensures no malicious code can be loaded and executed during the computer boot process.

The problem arises from Lenovo mistakenly including, in the final production versions, an early development driver that could change Secure Boot settings from the OS.

The presence of these drivers in multiple Lenovo products was discovered by ESET researchers, who reported it to the computer vendor.

"The affected drivers were meant to be used only during the manufacturing process but were mistakenly included in the production," explains the Twitter thread by ESET.

ESET says that the vulnerabilities can be exploited simply by creating special NVRAM variables, and it shared a link to a Twitter thread by Nikolaj Schlej that explains why UEFI firmware developers should not use NVRAM as trusted storage.

Owners of supported Lenovo computers can check the model list on the vendor's security bulletin to determine if either flaw impacts them.
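
To confirm the current Secure Boot state on a Linux machine after updating, the following added example (not from the article, ESET or Lenovo) parses the standard `SecureBoot` and `SetupMode` UEFI variables as exposed by efivarfs. The mount path is the usual Linux default and the sample byte strings are constructed; the script reports state only and does not detect the affected drivers.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point
ATTR_NAMES = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}
# Constructed samples: 4-byte attributes (0x6 = BS+RT), then the 1-byte value.
SAMPLE_ENABLED = {"SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_DISABLED = {"SecureBoot": b"\x06\x00\x00\x00\x00", "SetupMode": b"\x06\x00\x00\x00\x00"}

def parse_efivar(raw):
    """Split an efivarfs file into (attribute names, payload bytes)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return [n for bit, n in ATTR_NAMES.items() if attrs & bit], raw[4:]

def read_flag(name, reader):
    """Return a one-byte boolean variable as 0/1, or None if absent or malformed."""
    raw = reader(name)
    if raw is None:
        return None
    try:
        _, data = parse_efivar(raw)
    except ValueError:
        return None
    return data[0] if len(data) == 1 and data[0] in (0, 1) else None

def secure_boot_state(reader):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    secure, setup = read_flag("SecureBoot", reader), read_flag("SetupMode", reader)
    if secure is None:
        return "unknown"      # not booted via UEFI, or variable unreadable
    if setup == 1:
        return "setup-mode"   # no Platform Key enrolled, signatures not enforced
    return "enabled" if secure == 1 else "disabled"

def efivarfs_reader(name):
    """Read a global variable from efivarfs; None when it does not exist."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None

if __name__ == "__main__":
    print("constructed sample:", secure_boot_state(SAMPLE_DISABLED.get))
    print("this machine:", secure_boot_state(efivarfs_reader))
```

A result of `disabled` or `setup-mode` on a machine that is expected to enforce Secure Boot is worth investigating alongside the firmware version listed in the vendor bulletin.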


News URL

https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-be-used-to-disable-uefi-secure-boot/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Lenovo 3010 32 208 111 16 367