CVE-2021-3972 Overview
CVE-2021-3972 is a firmware vulnerability affecting numerous Lenovo consumer notebook devices. A driver used during the manufacturing process was mistakenly not deactivated in production BIOS, allowing an attacker with elevated privileges to modify secure boot settings by manipulating NVRAM variables. This vulnerability represents a significant risk to system integrity as it can undermine the hardware root of trust that Secure Boot is designed to provide.
Critical Impact
Attackers with administrative access can disable Secure Boot protections, potentially allowing unsigned or malicious bootloaders and operating system components to execute during system startup, bypassing firmware-level security controls.
Affected Products
- Lenovo IdeaPad 3 Series (14", 15", 17" models including ADA05, ADA6, ALC6, ARE05, IGL05, IIL05, IML05, ITL05, ITL6 variants)
- Lenovo Legion 5, Legion 5 Pro, Legion 7, Legion S7, Legion Y540, Legion Y545, Legion Y7000 Series
- Lenovo Yoga C740, Yoga C940, Yoga 7, Yoga Slim 7 Pro, Yoga Slim 9 Series
- Lenovo V14, V15, V17, V140, V340 Series
- Lenovo S145, S540, S14 G2 Series
- Lenovo L3, L340 Series
- Lenovo Slim 7 Pro, Slim 9 Series
- Lenovo IdeaPad 5, IdeaPad Creator 5, IdeaPad Gaming 3 Series
Discovery Timeline
- April 22, 2022 - CVE-2021-3972 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-3972
Vulnerability Analysis
This vulnerability stems from improper deactivation of a BIOS driver that was intended solely for manufacturing purposes. During device production, Lenovo includes specific UEFI drivers that allow factory technicians to configure and test hardware settings. One such driver provides privileged access to NVRAM variables that control Secure Boot configuration. In affected devices, this manufacturing driver remained active in the production firmware, creating an unintended attack surface.
The vulnerability requires local access and elevated privileges to exploit. An attacker who has gained administrative access to a vulnerable system can leverage this residual manufacturing driver to directly manipulate NVRAM variables that govern Secure Boot behavior. This manipulation can disable Secure Boot entirely or modify the trusted signature database, allowing execution of unsigned code at boot time.
Root Cause
The root cause is classified as CWE-489 (Active Debug Code) - the manufacturing driver containing sensitive functionality was not properly disabled before production release. This represents a failure in the secure development lifecycle where test/debug functionality intended for internal use was inadvertently shipped to end users. The driver retains its capability to write to protected NVRAM variables, bypassing the normal UEFI security restrictions that should prevent unauthorized modification of Secure Boot settings.
Attack Vector
An attacker exploiting CVE-2021-3972 would need to first obtain elevated privileges on the target system through other means such as credential theft, privilege escalation exploits, or social engineering. Once administrative access is achieved, the attacker can invoke the manufacturing driver's functionality to modify the Secure Boot NVRAM variable (SecureBoot), effectively disabling the security feature.
With Secure Boot disabled, subsequent attacks become possible including:
- Loading unsigned or malicious bootloaders
- Installing bootkits that persist below the operating system
- Bypassing BitLocker protections that rely on Secure Boot attestation
- Undermining the entire chain of trust from firmware to operating system
The attack requires local access and high privileges, limiting its exploitation to post-compromise scenarios. However, once exploited, it provides powerful persistence capabilities that survive operating system reinstallation.
Detection Methods for CVE-2021-3972
Indicators of Compromise
- Unexpected changes to UEFI Secure Boot configuration (Secure Boot disabled when it should be enabled)
- Presence of unauthorized or unsigned boot components in the EFI System Partition
- NVRAM variable modifications related to SecureBoot, SetupMode, or PK (Platform Key) variables
- Unusual BIOS/UEFI driver activity or calls to manufacturing service interfaces
Detection Strategies
- Monitor UEFI Secure Boot state changes using Windows Event Log (Event ID 1032 in Microsoft-Windows-SecureBootConfig)
- Implement firmware integrity monitoring solutions that detect unauthorized BIOS/UEFI modifications
- Use attestation mechanisms like TPM-based measured boot to detect boot component tampering
- Deploy endpoint detection solutions capable of monitoring pre-boot and firmware-level activity
Monitoring Recommendations
- Establish baseline Secure Boot configurations for all affected Lenovo devices and alert on deviations
- Enable TPM event logging and regularly audit PCR values for unexpected changes
- Configure SentinelOne agents to monitor for firmware-level threats and boot integrity violations
- Implement regular BIOS/UEFI firmware version auditing to ensure patched versions are deployed
How to Mitigate CVE-2021-3972
Immediate Actions Required
- Inventory all Lenovo notebook devices in your environment and identify those running vulnerable firmware versions
- Prioritize BIOS firmware updates for affected systems, especially those handling sensitive data
- Verify Secure Boot is currently enabled on all affected devices and document current state
- Restrict administrative access to affected systems until firmware updates can be applied
- Enable TPM-based protections where available to add defense-in-depth
Patch Information
Lenovo has released updated BIOS firmware to address this vulnerability. Administrators should consult the Lenovo Security Advisory LEN-73440 for specific firmware versions and download links for each affected model. The update removes or properly disables the manufacturing driver, preventing unauthorized NVRAM variable manipulation.
Firmware updates should be tested in a controlled environment before broad deployment. Organizations should follow their standard change management procedures when deploying BIOS updates at scale.
Workarounds
- Set a strong BIOS/UEFI administrator password to prevent unauthorized access to firmware settings
- Enable Secure Boot and verify it remains enabled during regular security audits
- Where possible, configure the system to boot only from trusted devices and disable boot from external media
- Consider implementing additional endpoint protection that monitors for firmware-level threats
- Deploy application whitelisting and code signing requirements at the operating system level as compensating controls
# Check Secure Boot status on Windows (PowerShell)
Confirm-SecureBootUEFI
# Verify current BIOS version on Lenovo devices
wmic bios get smbiosbiosversion
# Query UEFI Secure Boot variables (requires admin privileges)
Get-SecureBootPolicy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
