Certain BIOS versions may include an AMI Test Key that could compromise Secure Boot protections


Lenovo Security Advisory: LEN-7806

Potential Impact: Secure Boot may be compromised by an attacker with local access

Severity: High

Scope of Impact: Lenovo-specific


Summary Description:

Secure Boot is a security standard to help make sure that your PC boots using only trusted software. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC will boot into the trusted operating system.

A test certificate, or “test key”, was mistakenly included in the BIOS of some Lenovo systems running AMI BIOS firmware. Because a test key is not a production trust anchor, Secure Boot may not function as expected on affected systems, and an attacker with local or physical access could boot the system with software that is not on the trusted boot list.


Mitigation Strategy for Customers (what you should do to protect yourself):

If your system is running an affected BIOS version, update the BIOS to the fixed version. Note that a system may still be affected even if it is currently running the latest unaffected BIOS version: if it shipped with an affected BIOS, the test key enrolled at the factory is not replaced by the BIOS update alone, so the key-replacement steps below are still required.

To determine if your specific system is affected, you can run the Microsoft PowerShell script available here. If the system contains the test key, this script will output a message saying "System is using the AMI Test certificate" and you should follow the steps below.
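As an added example (not the Microsoft script the advisory links to), the following PowerShell decodes the Secure Boot PK, KEK and db variables directly and lists the enrolled X.509 certificates, flagging any whose subject carries test-certificate markers. The marker strings "DO NOT TRUST" and "AMI Test" are an assumption of this example, not taken from the advisory, so inspect the printed subject before acting on a hit.

```powershell
# Added example, not the Microsoft script the advisory links to. Enumerates the
# X.509 certificates enrolled in a Secure Boot variable (PK, KEK, db) and flags
# subjects that look like a vendor test certificate. Needs an elevated
# PowerShell session on a UEFI system; Get-SecureBootUEFI ships with Windows.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
# Assumption: the AMI test certificates advertise themselves with "DO NOT TRUST"
# and "AMI Test" in the subject. Review the printed subject before acting on a hit.
$TestMarkers = @('DO NOT TRUST', 'AMI Test')

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4) | header | entries
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list; stop
        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Each EFI_SIGNATURE_DATA entry: SignatureOwner GUID (16) then the DER certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    IsTestLike = [bool]($TestMarkers | Where-Object { $cert.Subject -like "*$_*" })
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Walk PK, KEK and db (dbx holds revocations, not trust anchors) and summarise.
$certs = 'PK', 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Format-Table Variable, IsTestLike, Subject -AutoSize
if ($certs.IsTestLike -contains $true) {
    Write-Warning 'A test-like certificate is enrolled: update the BIOS, then reset to Setup mode and restore factory keys.'
} else {
    'No test-like certificate found in PK, KEK or db.'
}
```

Run it from an elevated prompt; on a legacy-BIOS system Get-SecureBootUEFI fails because the variables do not exist.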

Once the system is running with an unaffected BIOS version, the following steps must be performed to replace the test key with a valid key:

1. Temporarily suspend or disable BitLocker, if enabled.

   - For Windows 8, click Start, type “manage bitlocker”, select it from the resulting list, and select “Turn off BitLocker” if it is on.

   - For Windows 10, click Start, type “manage bitlocker”, select it from the resulting list, click System and Security, and then click BitLocker Drive Encryption. Select "Turn off BitLocker" if it is on.

2. Enter the BIOS SETUP interface while the system is booting. Refer to your system’s documentation for instructions on entering the BIOS SETUP interface.

3. Go to Security -> Secure Boot.

4. Press "Enter" at the "Reset To Setup mode" item to reset the platform to Setup mode.

5. Press "Enter" at the "Restore Factory Keys" item to change the Secure Boot status back to User mode.

6. Save the settings and exit the SETUP interface.

7. Re-enable BitLocker if desired.

Product Impact:

This issue only affects some Lenovo products with BIOS firmware provided by AMI. Affected products are listed below. Brands not listed, such as ThinkPad and IdeaPad, do not use AMI firmware and are not affected by this vulnerability.

To see if your specific system is affected, run the Microsoft PowerShell script available here.


ThinkCentre

ThinkServer

ThinkStation

Acknowledgements: 

Lenovo thanks Jan Schermer for reporting this issue.

Other information and references:

CVE-2016-5247

https://technet.microsoft.com/en-us/library/hh824987.aspx


Revision History:

Revision  Date        Description
3         9/23/2016   Added final ThinkServer fix.
2         8/29/2016   Updated ThinkServer TS240 download site.
1         8/25/2016   Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on as “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


ThinkCentre

Product                              Minimum BIOS Version Required to Fix   Web Link
ThinkCentre E93 (SFF)                FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre E93 (TWR)                FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M6500t/s - China only    FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M6600                    FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M6600q                   FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M6600t/s                 FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M73p                     FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M800                     FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M83 (SFF)                FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M83 (Tiny)               FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M83 (TWR)                FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M8500t/s - China only    FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M8600t/s                 FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M900                     FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487
ThinkCentre M93                      FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M93P (SFF)               FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M93P (TWR)               FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkCentre M93P Tiny                FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753


ThinkServer

Click the provided link and then click 'Drivers & Software' to find the correct BIOS for your product.

Product              Minimum BIOS Version Required to Fix   Link to Update
ThinkServer RQ940    S4L_3A18                               http://support.lenovo.com.cn/lenovo/wsi/Modules/DriverDownLoadServer.aspx
ThinkServer RS140    FWKT93C                                http://support.lenovo.com/us/en/products/Servers/ThinkServer-rack-servers/ThinkServer-RS140?linkTrack=GPS%253ABody_Search%2BProducts&tabName=&beta=false
ThinkServer TS140    FBKTC8A                                http://support.lenovo.com/us/en/products/Servers/ThinkServer-tower-servers/ThinkServer-TS140?linkTrack=GPS%253ABody_Search%2BProducts&tabName=&beta=false
ThinkServer TS240    FBKTC8A                                http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=105006
ThinkServer TS440    FBKTC8A                                http://support.lenovo.com/us/en/products/Servers/ThinkServer-tower-servers/ThinkServer-TS440?linkTrack=GPS%253ABody_Search%2BProducts&tabName=&beta=false
ThinkServer TS540    FBKTC8A                                http://support.lenovo.com/us/en/products/Servers/ThinkServer-tower-servers/ThinkServer-TS440?linkTrack=GPS%253ABody_Search%2BProducts&tabName=&beta=false


ThinkStation

Product              Minimum BIOS Version Required to Fix   Web Link
ThinkStation E32     FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkStation P300    FBKTC5A                                https://support.lenovo.com/us/en/olddownloads/ds035753
ThinkStation P310    FWKT31A                                http://support.lenovo.com/us/en/downloads/DS105487

Alias Id: LEN_7806
Document ID: PS500067
Original Publish Date: 08/25/2016
Last Modified Date: 01/23/2017