Researchers at the cybersecurity firm ESET have identified a vulnerability affecting Acer laptops. The flaw is not a new class of bug: earlier in November 2022, ESET disclosed similar vulnerabilities in Lenovo models, which Lenovo fixed and documented in a technical advisory. This time, several Acer laptop models are affected.
The bug lets an attacker who already has elevated privileges on the machine disable UEFI Secure Boot, and with it the protections that depend on Secure Boot, and then install malware that is loaded before the operating system.
Vulnerability Details
The vulnerability is tracked as CVE-2022-4020 and carries a CVSS score of 8.1. It was found in the HQSwSmiDxe DXE driver, which looks for an NVRAM variable named ‘BootOrderSecureBootDisable’ and, if that variable exists, deactivates UEFI (Unified Extensible Firmware Interface) Secure Boot.
In addition to #Lenovo vulnerabilities we disclosed earlier this month, we discovered another similar vulnerability in #Acer laptops. Same as in Lenovo case, it allows deactivating UEFI Secure Boot by creating NVRAM variable directly from OS. @smolar_m https://t.co/zsDjKGIAjQ 1/3
— ESET research (@ESETresearch) November 28, 2022
With Secure Boot disabled, an attacker can load their “own unsigned malicious bootloader” and take complete control of the OS loading process. From there they can bypass or disable further protections and install malicious payloads discreetly, ESET’s advisory read.
“Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable,” Acer’s advisory states. NVRAM (non-volatile random-access memory) is the firmware’s persistent storage; UEFI variables kept there, including boot configuration, survive reboots and can be written from a running operating system through the UEFI runtime services.
Acer’s Explanation
For context, UEFI is the firmware that initializes a computer’s hardware and then hands control to the operating system’s bootloader. Secure Boot is the UEFI feature that verifies the digital signature of each bootloader and driver before it is executed, so that unsigned or tampered code cannot run during startup.
On November 23rd, 2022, Acer explained that the bug lets an attacker tamper with this mechanism simply by creating an NVRAM variable. The root cause is that the firmware driver only checks whether the variable is present, not what value it holds or who created it; any variable of that name, written from the OS with arbitrary content, is enough to switch Secure Boot off on the next boot.
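The presence-only check Acer describes, shown as an added illustration that is not Acer’s, ESET’s or the HQSwSmiDxe driver’s code. The mock variable store, the attribute constants and all function names are constructed for this example. The vulnerable check disables Secure Boot as soon as the variable exists; the hardened variant beside it refuses to honour a variable the OS could have created (one carrying EFI_VARIABLE_RUNTIME_ACCESS) and additionally requires an explicit value. This is one possible hardening of the pattern, not a description of Acer’s actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute bits from the UEFI specification (values are real; the store is a mock). */
#define EFI_VARIABLE_NON_VOLATILE        0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x04u

/* Constructed stand-in for the firmware's NVRAM variable store. */
typedef struct {
    const char *name;
    uint32_t    attributes;
    uint8_t     data[8];
    size_t      size;
} mock_var_t;

#define MAX_VARS 8
static mock_var_t store[MAX_VARS];
static size_t     store_count;

static void store_reset(void) { store_count = 0; }

/* Mimics SetVariable(): creates a variable with the given attributes and data. */
static bool store_set(const char *name, uint32_t attrs, const uint8_t *data, size_t size) {
    if (store_count >= MAX_VARS || size > sizeof(store[0].data)) return false;
    mock_var_t *v = &store[store_count++];
    v->name = name;
    v->attributes = attrs;
    memcpy(v->data, data, size);
    v->size = size;
    return true;
}

/* Mimics GetVariable(): true if found; attrs/data/size are filled when non-NULL. */
static bool store_get(const char *name, uint32_t *attrs, uint8_t *data, size_t *size) {
    for (size_t i = 0; i < store_count; i++) {
        if (strcmp(store[i].name, name) != 0) continue;
        if (attrs) *attrs = store[i].attributes;
        if (size)  *size  = store[i].size;
        if (data)  memcpy(data, store[i].data, store[i].size);
        return true;
    }
    return false;
}

/* VULNERABLE pattern (as the article describes it): Secure Boot is turned off
 * whenever the variable merely exists. Its value and attributes are ignored. */
static bool secure_boot_enabled_vulnerable(void) {
    return !store_get("BootOrderSecureBootDisable", NULL, NULL, NULL);
}

/* HARDENED pattern (illustrative): ignore the variable if it is reachable from
 * the OS (RUNTIME_ACCESS set), and require an explicit one-byte value of 1. */
static bool secure_boot_enabled_hardened(void) {
    uint32_t attrs;
    uint8_t  data[8];
    size_t   size;
    if (!store_get("BootOrderSecureBootDisable", &attrs, data, &size)) return true;
    if (attrs & EFI_VARIABLE_RUNTIME_ACCESS) return true;  /* OS-writable: untrusted */
    if (size != 1 || data[0] != 1) return true;            /* no explicit opt-out */
    return false;
}

/* Scenario: an attacker with elevated OS privileges writes the variable with
 * arbitrary content (0x00 here) through the runtime services. */
static void scenario_os_attacker(void) {
    uint8_t junk = 0x00;
    store_reset();
    store_set("BootOrderSecureBootDisable",
              EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
              &junk, 1);
}

/* Returns true if Secure Boot is still enabled under the vulnerable check after the attack. */
static bool vulnerable_survives_os_attack(void) { scenario_os_attacker(); return secure_boot_enabled_vulnerable(); }

/* Returns true if Secure Boot is still enabled under the hardened check after the attack. */
static bool hardened_survives_os_attack(void)   { scenario_os_attacker(); return secure_boot_enabled_hardened(); }

/* Returns true if a boot-services-only variable with value 1 (something only
 * firmware could have written) still disables Secure Boot under the hardened check. */
static bool hardened_honours_firmware_optout(void) {
    uint8_t one = 0x01;
    store_reset();
    store_set("BootOrderSecureBootDisable",
              EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, &one, 1);
    return !secure_boot_enabled_hardened();
}

int main(void) {
    printf("vulnerable check, after OS attack: Secure Boot %s\n",
           vulnerable_survives_os_attack() ? "enabled" : "DISABLED");
    printf("hardened check,   after OS attack: Secure Boot %s\n",
           hardened_survives_os_attack() ? "enabled" : "DISABLED");
    return 0;
}
```

The attribute check is the crux: a variable the OS can write is, by definition, a variable an attacker with admin rights can write, so firmware must never treat its mere existence as a trusted instruction. Real firmware would typically go further and either drop the variable-based switch entirely or require an authenticated (time-based or count-based) write.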
Acer lists five affected models: Aspire A315-22, A115-21 and A315-22G, and Extensa EX215-21 and EX215-21G. The company is addressing the issue with a BIOS update, which it says will be posted on its Support site and also distributed as a critical Windows Update, and recommends that users of these models install the latest BIOS version as soon as it is available.