Lenovo - if it's on your network, you ARE breached.

travisdh1

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Let's break the topic of SMM out on its own and I'll participate as I'm able.

This is why I felt we needed a thread dedicated to just how bad Lenovo actually is. While many threads preceded it, more will follow!

scottalanmiller

@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Let's break the topic of SMM out on its own and I'll participate as I'm able.

This is why I felt we needed a thread dedicated to just how bad Lenovo actually is. While many threads preceded it, more will follow!

Right, and it needs to be collected because, as we've seen already, later breaches often cover up earlier ones.

Dashrender

Sure, but the SMM issue is really outside of Lenovo because all PC makers can use it.

scottalanmiller

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Sure, but the SMM issue is really outside of Lenovo because all PC makers can use it.

Can use it and do use it are different issues, but both are important as well.

Dashrender

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Sure, but the SMM issue is really outside of Lenovo because all PC makers can use it.

Can use it and do use it are different issues, but both are important as well.

Many do use it to deploy Compu Trace as previously mentioned.

Dashrender

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.

That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!

Is it a windows rootkit? Or is it using built in tech by MS and BIOS/UEFI makers as a deployment method?

It's MS encouraged UEFI rootkit. The rootkit was in firmware. It was only activated against Windows before getting caught. Linux would have been rooted the same though.

Should it have? MS specifically has hooks for working with these BIOS/UEFI hooks, do any Linux distorts do this?

Unless you're saying it was taking advantage of a security flaw in Windows and Linux that isn't/can't be patched?

AFAIK this particular exploit, being on the firmware, could make changes to any OS sitting on top of it, similar to getting a rootkit on your hypervisor would do. Windows hooks would help make that easier, but I don't believe that it is required to make it possible.

That's just it though - this is NOT an exploit. This is a system design, a design specifically in the BIOS/UEFI.

scottalanmiller

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.

That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!

Is it a windows rootkit? Or is it using built in tech by MS and BIOS/UEFI makers as a deployment method?

It's MS encouraged UEFI rootkit. The rootkit was in firmware. It was only activated against Windows before getting caught. Linux would have been rooted the same though.

Should it have? MS specifically has hooks for working with these BIOS/UEFI hooks, do any Linux distorts do this?

Unless you're saying it was taking advantage of a security flaw in Windows and Linux that isn't/can't be patched?

AFAIK this particular exploit, being on the firmware, could make changes to any OS sitting on top of it, similar to getting a rootkit on your hypervisor would do. Windows hooks would help make that easier, but I don't believe that it is required to make it possible.

That's just it though - this is NOT an exploit. This is a system design, a design specifically in the BIOS/UEFI.

Obviously that the system is designed that way has no bearing on it being an exploit.

scottalanmiller

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Sure, but the SMM issue is really outside of Lenovo because all PC makers can use it.

Can use it and do use it are different issues, but both are important as well.

Many do use it to deploy Compu Trace as previously mentioned.

Right, as an exploit as is very clear. All kinds of well intentioned software can be exploited by bad actors. In fact, at the base of it, all code is based on chips and languages that were intended for good but exploited for other purposes.

https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700/

Dashrender

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

@dashrender said in Lenovo - if it's on your network, you ARE breached.:

Sure, but the SMM issue is really outside of Lenovo because all PC makers can use it.

Can use it and do use it are different issues, but both are important as well.

Many do use it to deploy Compu Trace as previously mentioned.

Right, as an exploit as is very clear. All kinds of well intentioned software can be exploited by bad actors. In fact, at the base of it, all code is based on chips and languages that were intended for good but exploited for other purposes.

https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700/

Wow, I hadn't heard that before, thanks.

travisdh1

Finally got a blog post up on this.

https://travisdh1.net/lenovo

dbeato

@travisdh1 Great article and read.

Texkonc

THis will be shared with the teams tomorrow.

scottalanmiller

https://www.theregister.co.uk/2019/08/23/lenovo_solution_centre_cve_2019_6177/

travisdh1

Posting so @Obsolesce will see this thread.

Obsolesce

@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

Posting so @Obsolesce will see this thread.

Thanks sport, I didn't see it over and over again here the last few years and missed all the thousands of media articles thrown all over the place.

travisdh1

@Obsolesce said in Lenovo - if it's on your network, you ARE breached.:

@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

Posting so @Obsolesce will see this thread.

Thanks sport, I didn't see it over and over again here the last few years and missed all the thousands of media articles thrown all over the place.

Yeah, and I get that you didn't pick the vendor. Exactly like I would never choose to sell Lenovo, yet that's most of what is sold through work.

DustinB3403

Just reading this article here and this is in it. . .

Still, while Torvalds likes the XPS 13, he's also fond of the latest Lenovo X1 Carbon, HP Spectre 13 x360, and last year's Lenovo Yoga 900. Me? I like the XPS 13 Developer Editor. The price tag, which for the model I reviewed was $1949.99, may keep you from reaching for your credit card.

Emad R

FYI Lenovo options are very cheap in the MENA region, so it's flooded there cause we are very price-sensitive people
(I'm starting to be white a bit... did I just say price-sensitive)

scottalanmiller

@Emad-R said in Lenovo - if it's on your network, you ARE breached.:

FYI Lenovo options are very cheap in the MENA region, so it's flooded there cause we are very price-sensitive people
(I'm starting to be white a bit... did I just say price-sensitive)

Same in LATAM, often the only available provider!

travisdh1

My apologies for resurrecting a long dead thread, but I just collected the links today because I've had multiple places I wanted to reference them this week.

https://www.cnet.com/how-to/lenovo-superfish-adware-uninstall-fix/
https://www.pcmag.com/article2/0,2817,2477277,00.asp
http://www.zdnet.com/article/lenovo-reportedly-blocking-linux-on-windows-10-signature-edition-pcs/
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment
https://mangolassi.it/topic/7748/lenovo-screws-the-pooch-yet-again-on-the-security-front
https://mangolassi.it/topic/5751/lenovo-accused-of-using-rootkit-like-methods-to-sneak-software-onto-clean-windows-installs
https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700/
https://www.theregister.co.uk/2019/08/23/lenovo_solution_centre_cve_2019_6177/

https://mangolassi.it/topic/14538/lenovo-if-it-s-on-your-network-you-are-breached/50