Millions of Lenovo devices affected by BIOS vulnerability

Something to check out if you own one of the devices mentioned in the article:

https://www.ghacks.net/2022/04/20/millions-of-lenovo-devices-affected-by-bios-vulnerability/

4 Likes

now, reading that, 3 potential vulnerabilities, the first requires local access with elevated privileges, the other 2 elevated privileges (one to mod secure boot) - the first isn’t an issue really, the third seems a bit windowy too (secure boot and all that), the second, well sudo is elevated (and without an OS, there isn’t a connection to the outside world generally), so does that mean it’s not really worth losing sleep over? Having a quick read of this lot, it comes across as something that needs to be done on a working machine, that then gets enacted after a reboot to load a driver that monkeys with secure boot etc. As this would require sticking a password in for Linux to begin with, looks like another load of winblows bs.

2 Likes

Ok, I own one of the Lenovo devices mentioned in the article. Should I really be worried about it, or is this again one of those news items that concern only Windows users?

Mine’s okay… I always keep my UEFI firmware updated.

So I guess I am skipping Lenovo laptops…

May I ask how you update UEFI firmware in Linux? When I googled this it sounded quite complicated… :confused:

ESET, the security company that discovered the vulnerabilities and reported them to Lenovo, discovered that two of the vulnerabilities affect UEFI firmware drivers that were meant only for use in the manufacturing process. It appears that Lenovo did not deactivate these properly in production devices.

hmm now i want one of them to play… :clown_face:

1 Like
  • Linux: Visit pcsupport.lenovo.com, select the product > click Drivers & software → Manual Update. Check to see if there are any Linux drivers for your system (search for Linux in the search box).

which will show “There are no results for your search. Please try again.” in 99% of cases …

You will need Windows or something like Hiren’s rescue CD …

2 Likes

The updates to my Lenovo laptop firmware come in form of .exe files. I use:

https://www.hirensbootcd.org/

which boots into a Windows preinstallation environment. I run the .exe file that I have saved on a USB stick from there.

:warning: As usual, please do your own research.

2 Likes

Interesting. Maybe I will study this a bit more…

1 Like

Gobble Gobble!

I still have Windows on my Lenovo laptop, which has an application called Lenovo Advantage. It can check for Windows updates and verify if there are UEFI firmware (BIOS) updates available, and can also update it. Otherwise you need some kind of Windows boot rescue disc like Hiren’s rescue on USB.

Edit: On my desktops I am able to update UEFI firmware (BIOS) from the UEFI setup screen. I have never updated BIOS or UEFI firmware from Linux directly so I can’t really comment on that. I know it can be done but I stick to methods I’m familiar with that work. I have never had an issue in 30+ years of doing it. One day maybe I’ll try a Linux utility to do it. :wink:

When I checked again that list of Lenovo devices which are affected, I actually saw that maybe I don’t have to be worried after all. My laptop is an IdeaPad 5 Pro 14ACN6 and the closest model I saw was IdeaPad 5-15ARE05. So I’m safe, right?
When I read more about updating UEFI firmware in Linux I came to the conclusion that it could be dangerous if you don’t know what you’re doing… :scream:

My Lenovo X1 Carbon is supported by fwupd. https://wiki.archlinux.org/title/Fwupd
I assume many other Lenovo devices are supported too.

Updating is done by issuing the following commands:

fwupdmgr get-devices
fwupdmgr refresh
fwupdmgr get-updates
fwupdmgr update

Available updates will be installed during next reboot. Power supply needs to be plugged in.

1 Like
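A wrapper around the fwupdmgr sequence in the post above that refuses to start unless the power supply is plugged in, which the post notes is required. This is an added example, not code from the thread or from the fwupd project; it assumes the standard Linux sysfs layout (a `type` file reading `Mains` and an `online` file under each entry of /sys/class/power_supply) and that fwupdmgr is on PATH.

```shell
#!/bin/sh
# Added example: gate the fwupd update sequence on AC power being connected.

# Return 0 if any mains adapter under the given sysfs directory
# (default /sys/class/power_supply) reports online=1, else 1.
on_ac_power() {
    base="${1:-/sys/class/power_supply}"
    for ps in "$base"/*; do
        # Skip entries without a readable type file (also handles an empty glob).
        [ -r "$ps/type" ] || continue
        if [ "$(cat "$ps/type")" = "Mains" ] && \
           [ "$(cat "$ps/online" 2>/dev/null)" = "1" ]; then
            return 0
        fi
    done
    return 1
}

# Run the four fwupdmgr steps from the post, but only when the preconditions hold.
# Exit codes: 2 = fwupdmgr missing, 3 = not on AC power, otherwise fwupdmgr's status.
update_firmware() {
    if ! command -v fwupdmgr >/dev/null 2>&1; then
        echo "fwupdmgr is not installed" >&2
        return 2
    fi
    if ! on_ac_power; then
        echo "connect the power supply before updating firmware" >&2
        return 3
    fi
    fwupdmgr get-devices || return $?
    fwupdmgr refresh || return $?
    fwupdmgr get-updates || return $?
    fwupdmgr update
}
```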

All systems have some sort of vulnerability; skipping them won’t save you. Dell, for instance, had something worse fairly recently. Just assume your system isn’t secure and keep up on information about it.

Edit: one of the 2 rather severe Dell vulnerabilities recently: https://threatpost.com/dell-bios-attacks-rce/167195/

I know on Dell and HP systems you can just toss the exe on a DOS USB and execute it from there and let it do its thing. I’d imagine Lenovo might be similar. It’s not usually too complicated but I can’t say for sure here.

I have never used fwupd. Does this work on any laptop on Arch-based Linux?

Edit: Sorry, I see the Arch wiki lists supported devices.

1 Like

I thought the downloaded files are Windows executables? How can you do that on Linux?

Thanks. That was useful information. Unfortunately my Ideapad was not amongst those supported devices.

DOS can execute exe files as long as they’re DOS compatible. Dell/HP BIOS update exes all work in DOS AFAIK, not 100% on Lenovo. You make a FreeDOS USB and can use that for updates.