Millions of Lenovo Laptops Contain Firmware-Level Vulnerabilities

Three flaws present in consumer laptops can give attackers a way to drop highly persistent malware capable of evading methods to remove it, security vendor says.

More than 100 different Lenovo consumer laptop computers, used by millions of people worldwide, contain firmware-level vulnerabilities that give attackers a way to drop malware that can persist on a system even after a hard-drive replacement or operating system re-install.

Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) involve Unified Extensible Firmware Interface (UEFI) drivers that were meant for use only during the manufacturing process but inadvertently ended up being part of the BIOS image that shipped with the computers. The third (CVE-2021-3970) is a memory corruption bug in a function for detecting and logging system errors.

ESET discovered the vulnerabilities and reported them to Lenovo in October 2021. The hardware maker this week released BIOS updates addressing the flaws in all impacted models. However, users will have to install the updates manually unless they have Lenovo's automated tools to assist with the update.

UEFI firmware ensures system security and integrity when a computer is booting up. The firmware contains information that the computer implicitly trusts and uses while it boots up. So, any malicious code embedded in the firmware would execute before the computer even boots up and before security tools have had a chance to inspect the system for potential threats and vulnerabilities.

In recent years, a handful of malware tools have emerged that were designed to modify UEFI firmware to install malware during the supposedly secure boot-up process. One example is LoJax, a highly persistent firmware-level rootkit that ESET and others observed being deployed as part of a broader malware campaign by Russia's Sednit group. Another example is MoonBounce, a firmware level malware dropper that researchers from Kaspersky recently observed being used as part of a cyber espionage campaign.

Martin Smolár, malware analyst at ESET, says the two Lenovo drivers that were mistakenly included in the production BIOS without being properly deactivated give attackers a way to deploy similar malware on vulnerable Lenovo consumer devices.

"Exploitation of these vulnerabilities would allow attackers to directly disable crucial system security protections," Smolár says. Attackers with privileged access on a vulnerable system can simply activate the old firmware drivers and use them to turn off protections such as BIOS control register bits, protected range registers, and UEFI Secure Boot that prevent privileged users from making changes to system firmware. As a result, exploitation of these vulnerabilities would allow attackers to flash or modify firmware and execute malicious code, he says.

Meanwhile, CVE-2021-3970, the third vulnerability that ESET researchers discovered, allows arbitrary reads and writes from and into System Management RAM (SM RAM) — or memory that stores code with system management privileges. This gives attackers an opportunity to execute code with system management privileges on vulnerable systems, ESET said.

Lenovo did not respond to a Dark Reading request for comment. However, the company's advisory described the flaws as being of medium severity and enabling privilege escalation for attackers that exploited them. The company said CVE-2021-3970 resulted from insufficient validation in some Lenovo models. Lenovo attributed the other two vulnerabilities to its failure to deactivate and remove drivers that were used in older manufacturing processes.

The company's advisory provided instructions on where users with impacted devices can find the appropriate BIOS update and how they should install it.

Google Emergency Update Fixes Chrome Zero-Day

 

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Resolution and Mitigation for Apache Log4J Vulnerabilities

 

Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832). TIBCO is also aware of CVE-2021-4104 and this issue was investigated as part of our response to CVE-2021-44228. It is addressed by Note 1 below.

TIBCO Spotfire products that are affected by CVE-2021-44228 and CVE-2021-45046

TIBCO Spotfire Server

• TIBCO Spotfire Server < 7.9 is not affected (see Note 1 below)
• TIBCO Spotfire Server 7.9-10.9 is affected, mitigation is available
• TIBCO Spotfire Server 10.10 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Server 11.0-11.3 is affected, mitigation available
• TIBCO Spotfire Server 11.4 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Server 11.5 is affected, mitigation available
• TIBCO Spotfire Server 11.6 is affected, resolution (service pack) and mitigation available

TIBCO Spotfire Statistics Services

• TIBCO Spotfire Statistics Services <= 10.3.0 is not affected (see Note 1 below)
• TIBCO Spotfire Statistics Services 10.3.1 is affected, mitigation available
• TIBCO Spotfire Statistics Services 10.10 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Statistics Services 11.1-11.3 is affected, mitigation available
• TIBCO Spotfire Statistics Services 11.4 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Statistics Services 11.5 is affected, mitigation available
• TIBCO Spotfire Statistics Services 11.6 is affected, resolution (service pack) and mitigation available

TIBCO Spotfire Service for Python

• TIBCO Spotfire Service for Python 1.0 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Service for Python 1.1-1.2 is affected, mitigation available
• TIBCO Spotfire Service for Python 1.3 is affected, resolution (service pack) and mitigation available
• TIBCO Spotfire Service for Python 1.4 is affected, mitigation available
• TIBCO Spotfire Service for Python 1.5 is affected, resolution (service pack) and mitigation available

TIBCO Enterprise Runtime for R - Server Edition

• TIBCO Enterprise Runtime for R - Server Edition 1.0-1.2 is affected, mitigation available
• TIBCO Enterprise Runtime for R - Server Edition 1.3 is affected, resolution (service pack) and mitigation available
• TIBCO Enterprise Runtime for R - Server Edition 1.4-1.6 is affected, mitigation available
• TIBCO Enterprise Runtime for R - Server Edition 1.7 is affected, resolution (service pack) and mitigation available
• TIBCO Enterprise Runtime for R - Server Edition 1.8 is affected, mitigation available
• TIBCO Enterprise Runtime for R - Server Edition 1.9 is affected, resolution (service pack) and mitigation available

TIBCO Spotfire products that are not affected

• TIBCO Spotfire Analyst
• TIBCO Spotfire Automation Services
• TIBCO Spotfire Qualification
• TIBCO Spotfire Business Author
• TIBCO Spotfire Consumer
• TIBCO Spotfire Desktop

Note 1:

If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

 

Note 2:

The denial of service vulnerability CVE-2021-45105 is related to certain logging patterns with context lookups. No TIBCO Spotfire products use patterns with context lookups out of the box. However, if a customer has added such a pattern, this must be reverted. Please refer to Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html) for more information. Update: New releases and service packs containing log4j version 2.17.1, where that issue has been addressed,  were released on February 2, 2022. 

 

Note 3:

Spotfire is unaffected by vulnerability CVE-2021-44832 as it requires that the attacker can modify the log configuration file. Only trusted administrators have file system access to the TIBCO Spotfire Server, TIBCO Spotfire Statistics Services, TIBCO Spotfire Service for Python, and TIBCO Enterprise Runtime for R - Server Edition products.  Update: New releases and service packs containing log4j version 2.17.1, where that issue has been addressed,  were released on February 2, 2022.

Resolution

Resolution

December 21: The following Service packs (updating Log4j2 to version 2.16.0) for Mainstream and LTS versions are now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com). Upgrade to these service packs which contain a fix for CVE-2021-45046 (as well as CVE-2021-44228, which was addressed in the previous service packs):  

• TIBCO Spotfire Server 11.6.3, 11.4.4, 10.10.9 
• TIBCO Spotfire Statistics Services 11.6.2, 11.4.4, 10.10.7
• TIBCO Spotfire Service for Python 1.5.2, 1.3.3, 1.0.5
• TIBCO Enterprise Runtime for R - Server Edition 1.9.2, 1.7.3, 1.3.5 

Services packs have been released for the latest Mainstream version and the current LTS versions which have not had end of support announced. Versions 11.6, 11.4 and 10.10 are the only versions currently receiving service packs. See Overview of TIBCO Spotfire Releases – Mainstream and LTS (Long-Term Support) for more information about this.

If one of the earlier service packs released on December 14 (not related to log4shell) and December 15 (only addressing CVE-2021-44228) have been installed, make sure to upgrade to these latest service packs as well. 

See the product documentation for instructions on the upgrade procedure.  

Mitigation

See the attached document "Spotfire Mitigation for Log4Shell.pdf" for mitigation steps if upgrading to the latest service packs that address the issues (recommended) is not an option. These instructions are based on the mitigation documented by Apache for different vulnerable versions of Log4j2.

Note: Version 1.x of the mitigation document described a mitigation strategy that was based on setting the log4j2.formatMsgNoLookups Java option. While that mitigation did limit exposure it was found to be incomplete and was retracted by The Apache Software Foundation. Note that there is no reason to revert any such mitigations that have been made, but make sure to follow the latest mitigation instructions.

 

Reference

TIBCO's Apache Log4J Vulnerability Daily Update

• https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update

Chinese hackers are using VLC media player to launch malware attacks

 

VLC is a super-popular media player for good reason: It's free, open source, and available on just about every platform imaginable. Plus, it can handle basically any audio or video file you throw at it. VLC is also light on resources, meaning it won't slow down your Windows computer — unless, perhaps, it's hiding malicious software. A new report indicates that's entirely possible, due to the efforts of a notorious Chinese hacking gang.

Symantec's cybersecurity experts say a Chinese hacking group called Cicada (aka Stone Panda or APT10) is leveraging VLC on Windows systems to launch malware used to spy on governments and related organizations. Additionally, Cicada has targeted legal and non-profit sectors, as well as organizations with religious connections. The hackers have cast a wide net, with targets in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

According to Symantec, Cicada grabs a clean version of VLC and drops a malicious file alongside the media player's export functions. It's a technique that hackers frequently rely on to sneak malware into what would otherwise be legitimate software. Cicada then uses a VNC remote-access server to fully own the compromised system. They can then evade detection using hacking tools like Sodamaster, which scans targeted systems, downloads more malicious packages, and obscures communications between compromised systems and the hackers' command-and-control servers.

The VLC attacks — which Symantec believes may be ongoing — began in 2021 after hackers exploited a known Microsoft Exchange server vulnerability. Researchers indicate that while the mysterious malware lacks a fun, dramatic name like Xenomorph or Escobar, they are certain it's being used for espionage — Cicada's focus hints that this guess is correct. While the group has gone after the healthcare industry in the past, it's also been attacking the defense, aviation, shipping, biotechnology, and energy sectors.