ESET researchers identified and analyzed three vulnerabilities in different Lenovo laptop models. The first two – CVE-2021-3971, CVE-2021-3972 – affects UEFI firmware drivers that were originally intended only for use in the manufacturing process of Lenovo consumer laptops. Unfortunately, they were accidentally included in the BIOS production images without being properly disabled.

An attacker can enable these firmware drivers to directly disable SPI flash protection or UEFI secure boot from privileged user operation.

The third vulnerability, issue CVE-2021-3970, allows arbitrary read/write from SMRAM, which could lead to malicious code execution with SMM privileges and potentially SPI flash implant insertion.

The problem is that the vulnerabilities affect more than a hundred different Lenovo laptop models. Considering the company’s sales, users have millions of laptops in their hands. However, some models will not receive any patches as their support period has expired. For example, Ideapad 330-15IGM and Ideapad 110-15IGR. Source