Since it is non-volatile, it is a high-level target for threat actors. An administrator could erase a device's hard drive, install another operating system, and the memory would not be changed by the procure. The memory is independent of the operating system, which means that it remains even if the operating system is reinstalled or another system is installed. It is connected to the processor via the Serial Peripheral Interface (SPI). UEFI firmware is usually stored on the in an embedded flash memory chip on the computer's motherboard. The vulnerability CVE-2021-3971 can be exploited to disable SPI protections on Lenovo devices. Lenovo published the security advisory on April 18 and ESET its findings and details a day later. Lenovo confirmed the vulnerabilities in November 2021 and requested a postponing of the public disclosure date to April 2022.
Security company ESET reported the vulnerabilities to Lenovo in October 2021.
0 kommentar(er)
