An attacker with local privileged access can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode (SMM), and install a firmware backdoor/implant. Malicious code installed at the SMM level could persist across operating system re-installs. Additionally, this vulnerability could potentially be used by malicious actors to bypass UEFI firmware security mechanisms (including Secure Boot and some types of memory isolation for hypervisors) and in some cases would allow an attacker to modify the firmware storage on the SPI flash chip to gain persistent infection on the target platform.
Binarly REsearch Team identified that several Lenovo devices do not properly protect UEFI system firmware modules with Intel Boot Guard technology (the affected modules are missing from the Boot Guard IBB hash coverage), which allows an attacker with write access to the SPI flash storage (such as with physical access or by leveraging a BIOS write protection bypass vulnerability) to install a persistent backdoor/implant.
Multiple Lenovo product lines are affected by this issue:
* Lenovo ideacentre AIO is a line of all-in-one PCs designed for heavy workloads
* Lenovo ThinkPad is a line of business-oriented laptops and tablets
* Lenovo V110-15ISK, V310-14ISK, V310-15ISK are business-oriented laptops
An attacker with write access to the SPI flash storage (such as with physical access or leveraging a BIOS write protection bypass vulnerability) is able to overwrite the unprotected (unsigned) modules and add an arbitrary functionality, which can be a firmware backdoor/implant.
Boot Guard defines several ways of protecting the UEFI modules and verifying their integrity/authenticity during the boot process, such as Initial Boot Block (IBB) segments and Vendor Hash File protected ranges. The Lenovo products mentioned above do not properly include several FFS volumes with SMM/DXE executables in those ranges.
As an example, Lenovo V310-14ISK defines only 3 IBB segments (Address: FFE10000h Size: 00020000h, Address: FFEE0000h Size: 00100000h, Address: FFFE0000h Size: 00020000h), which cover 3 FFS volumes, leaving the other FFS volumes with executable files unprotected from malicious tampering. UEFITool output:
BootGuard ACM found at base 6D8318h
...
------------------------------------------------------------------------
Intel BootGuard Key manifest found at base 6D5318h
...
------------------------------------------------------------------------
...
IBB Segments:
Flags: 0000h Address: FFE10000h Size: 00020000h
Flags: 0000h Address: FFEE0000h Size: 00100000h
Flags: 0000h Address: FFFE0000h Size: 00020000h
Details of protected and unprotected FFS volumes and executable files from UEFITool:
Type | Subtype | Base | Size | Name
...
Image | UEFI | 00000050 | 0088DD00 | - UEFI image
... Unprotected FFS volume ↓
Volume | FFSv2 | N/A | 00058000 | -------- B92CF322-8AFA-4AA4-B946-005DF1D69778
... Unprotected modules below↓
File | SMM module | N/A | 00002D02 | --------- CDC11AE9-01E7-42CB-88EB-FDFFD8819893 | TcgLegacy
Section | MM dependency | N/A | 0000005E | ---------- MM dependency section
Section | PE32 image | N/A | 00002C64 | ---------- PE32 image section
Section | UI | N/A | 00000018 | ---------- UI section
Section | Version | N/A | 0000000E | ---------- Version section
...
Free space | | N/A | 00000620 | --------- Volume free space
Free space | | 000F86D0 | 000C7C48 | ----- Volume free space
Volume | FFSv2 | 001C0318 | 00450000 | ---- EfiFirmwareFileSystem2Guid
File | Volume image | 001C0360 | 001FDEC4 | ----- 9E21FD93-9C72-4C15-8C4B-E77F1DB2D792
Section | GUID defined | 001C0378 | 001FDEAC | ------ LzmaCustomDecompressGuid
Section | Raw | N/A | 0000000C | ------- Raw section
Section | Volume image | N/A | 00834004 | ------- Volume image section
... Unprotected FFS volume ↓
Volume | FFSv2 | N/A | 00834000 | -------- A881D567-6CB0-4EEE-8435-2E72D33E45B5
... Unprotected modules below↓
File | Freeform | N/A | 0000005C | --------- AprioriDxe | DXE apriori file
Section | Raw | N/A | 00000044 | ---------- Raw section
...
File | Freeform | 003BE228 | 00002DFF | ----- DAB78572-E8D1-4C3F-9A1E-F27E9CAF686D
Section | Raw | 003BE240 | 00002DE7 | ------ Raw section
Free space | | 003C1028 | 0024F2F0 | ----- Volume free space
... Protected FFS volume ↓
Volume | FFSv2 | 00610318 | 00020000 | ---- 8579D1CA-45E8-4F1C-A789-FFA770672099
File | PEI module | 00610390 | 000044A4 | ----- PlatformInit | PlatformInit
Section | PEI dependency| 006103A8 | 00000028 | ------ PEI dependency section
Section | GUID defined | 006103D0 | 00004464 | ------ LzmaCustomDecompressGuid
Section | PE32 image | N/A | 00015CA4 | ------- PE32 image section
Section | UI | N/A | 0000001E | ------- UI section
Section | Version | N/A | 0000000E | ------- Version section
...
Free space | | 0062D6C0 | 00002C58 | ----- Volume free space
... Protected FFS volume ↓
Volume | FFSv2 | 006E0318 | 00100000 | ---- B73FE497-B92E-416E-8326-45AD0D270091
...
Free space | | 007B16F8 | 0002EC20 | ----- Volume free space
... Protected FFS volume ↓
Volume | FFSv2 | 007E0318 | 00020000 | ---- BA34AA5B-110E-4B10-B729-E559EFD075D3
File | Pad | 007E0390 | 00000070 | ----- Pad-file
File | PEI core | 007E0400 | 000054DA | ----- PeiCore | PeiCore
Section | Raw | 007E0418 | 0000001C | ------ Raw section
Section | PE32 image | 007E0434 | 00005484 | ------ PE32 image section
Section | UI | 007E58B8 | 00000014 | ------ UI section
Section | Version | 007E58CC | 0000000E | ------ Version section
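The following script is an added example (not Binarly's tooling) that takes the three IBB segments and the top-level volume offsets from the UEFITool listing above and reports which volumes lie inside the Boot Guard protected ranges. It assumes the BIOS region is memory-mapped so that the volume at file offset 0x610318 corresponds to the IBB segment at FFE10000h (which fixes the offset-to-address delta), that IBB segments do not overlap, and that nested volumes (base N/A) inherit the status of the volume that contains them.

```python
# Added example, not part of the Binarly advisory: classify the V310-14ISK FFS
# volumes against the Boot Guard IBB segments quoted in the UEFITool output.

# IBB segments (memory address, size) from the manifest output on this page.
IBB_SEGMENTS = [(0xFFE10000, 0x00020000), (0xFFEE0000, 0x00100000), (0xFFFE0000, 0x00020000)]

# Assumption: the BIOS region is mapped just below 4 GiB. Volume 8579D1CA... is at
# file offset 0x610318 and is the IBB segment at 0xFFE10000, which gives the delta.
MAP_DELTA = 0xFFE10000 - 0x00610318

# Top-level volumes from the UEFITool listing: name -> (file base, size).
TOP_LEVEL_VOLUMES = {
    "EfiFirmwareFileSystem2Guid": (0x001C0318, 0x00450000),
    "8579D1CA-45E8-4F1C-A789-FFA770672099": (0x00610318, 0x00020000),
    "B73FE497-B92E-416E-8326-45AD0D270091": (0x006E0318, 0x00100000),
    "BA34AA5B-110E-4B10-B729-E559EFD075D3": (0x007E0318, 0x00020000),
}

# Volumes listed with base N/A live inside the LZMA-compressed section of the
# first volume, so their protection status is that of their container.
NESTED_IN = {
    "B92CF322-8AFA-4AA4-B946-005DF1D69778": "EfiFirmwareFileSystem2Guid",
    "A881D567-6CB0-4EEE-8435-2E72D33E45B5": "EfiFirmwareFileSystem2Guid",
}


def covered_bytes(start, size, segments):
    """Bytes of [start, start+size) inside any IBB segment (segments assumed disjoint)."""
    end = start + size
    total = 0
    for seg_addr, seg_size in segments:
        lo, hi = max(start, seg_addr), min(end, seg_addr + seg_size)
        if hi > lo:
            total += hi - lo
    return total


def volume_status(file_base, size, segments=IBB_SEGMENTS):
    """'protected' only when the whole volume is hashed into the IBB."""
    covered = covered_bytes(file_base + MAP_DELTA, size, segments)
    if covered == size:
        return "protected"
    return "unprotected" if covered == 0 else "partially protected"


def classify_volumes():
    """Map every listed volume GUID to its status, resolving nested volumes."""
    result = {name: volume_status(b, s) for name, (b, s) in TOP_LEVEL_VOLUMES.items()}
    for nested, container in NESTED_IN.items():
        result[nested] = result[container]
    return result


if __name__ == "__main__":
    for guid, status in classify_volumes().items():
        print(f"{status:20} {guid}")
```

Note that the large EfiFirmwareFileSystem2Guid volume ends at FFE10000h, exactly where the first IBB segment begins, so every DXE/SMM module inside it (including the B92CF322 and A881D567 volumes) is outside the hashed ranges.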
The following firmware images have unprotected FFS volumes with DXE/SMM executables:
o4vjy28usa O4VKT28A / ideacentre AIO 5-27IMB05 Desktop:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Volume GUID: 1B5C27FE-F01C-4FBC-AEAE-341B2E992A17
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
Volume GUID: 1B5C27FE-F01C-4FBC-AEAE-341B2E992A17
Volume GUID: B73FE497-B92E-416E-8326-45AD0D270091
Volume GUID: 52F1AFB6-78A6-448F-8274-F370549AC5D0
Volume GUID: BA34AA5B-110E-4B10-B729-E559EFD075D3
o4ujy27usa O4UKT27A / ideacentre AIO 5-24IMB05 Desktop:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Volume GUID: 1B5C27FE-F01C-4FBC-AEAE-341B2E992A17
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
Volume GUID: 1B5C27FE-F01C-4FBC-AEAE-341B2E992A17
Volume GUID: B73FE497-B92E-416E-8326-45AD0D270091
Volume GUID: 52F1AFB6-78A6-448F-8274-F370549AC5D0
Volume GUID: BA34AA5B-110E-4B10-B729-E559EFD075D3
r0puj32w 1.44 (R0PET67W) / ThinkPad E480, E580:
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
r0buj23ww 1.28 (R0BET43W) / ThinkPad 11e (Type: 20G9, 20GB), Yoga 11e (Type: 20G8, 20GA):
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
r0luj20ww 1.21 (R0LET36W) / ThinkPad 11e 4th Gen, Yoga 11e 4th Gen (for i-based processors such as i3, i5, i7 & etc):
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
r0cuj25w 1.35 (R0CET47W) / ThinkPad 13
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
r0juj22w 1.29 (R0JET44W) / ThinkPad 13 2nd Gen
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
r0yuj22w 1.29 (R0YET46W) / ThinkPad E490, E490s, E590:
Volume GUID: 1B5C27FE-F01C-4FBC-AEAE-341B2E992A17
n17uj59w 2.12 (N17ETB2W) / ThinkPad Helix (Type 20CG, 20CH):
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
r16uj12w 1.15 (R16ET29W) / ThinkPad E14, E15:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
r0quj26w 1.40 (R0QET63W) / ThinkPad L480, L580:
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099 (starting from CpuMpPei)
n11uj20w 1.28 (N11ET52W) / ThinkPad T550, W550s:
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
r0muj24w 1.28 (R0MET51W) / ThinkPad S5 2nd Gen:
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
n14uj30w 1.32 (N14ET54W) / ThinkPad X1 Carbon (Type 20BS, 20BT):
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
n10uj27w 1.40 (N10ET61W) / ThinkPad X250:
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
n19uj32w 1.37 (N19ET64W) / ThinkPad Yoga 15:
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
r18uj06w 1.08 / ThinkPad 11e Yoga Gen 6 (Type 20SE 20SF) Laptop:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Volume GUID: 8579D1CA-45E8-4F1C-A789-FFA770672099
1kcn51ww 1KCN51WW / Lenovo V110-15ISK:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
0zcn52ww 0ZCN52WW / Lenovo V310-14ISK, V310-15ISK:
Volume GUID: B92CF322-8AFA-4AA4-B946-005DF1D69778
Volume GUID: A881D567-6CB0-4EEE-8435-2E72D33E45B5
Properly define protected ranges via IBB or vendor hash files to include all executable files (PEI/DXE/SMM)
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Binarly REsearch Team