CVE-2021-3972 Overview
CVE-2021-3972 is a firmware vulnerability affecting consumer Lenovo Notebook devices. A driver intended for use only during the manufacturing process was mistakenly left active in production BIOS images. The driver exposes functionality that allows an attacker with elevated local privileges to modify Secure Boot settings by writing to a specific Non-Volatile RAM (NVRAM) variable. Disabling Secure Boot enables loading of unsigned UEFI modules and bootkits, undermining the platform's chain of trust. The vulnerability is tracked under CWE-489 (Active Debug Code) and affects over 100 Lenovo IdeaPad, Legion, Yoga, V-series, and S-series notebook models.
Critical Impact
An attacker with administrative privileges can disable Secure Boot at the firmware level, allowing persistent bootkit installation that survives operating system reinstallation.
Affected Products
- Lenovo IdeaPad 3, IdeaPad 5, IdeaPad Creator, and IdeaPad Gaming series notebooks
- Lenovo Legion 5, Legion 7, Legion S7, Legion Y540, Legion Y545, and Legion Y7000 series
- Lenovo Yoga, Yoga Slim, V-series, S-series, and L-series consumer notebooks
Discovery Timeline
- 2022-04-22 - CVE-2021-3972 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3972
Vulnerability Analysis
The vulnerability resides in a UEFI driver that Lenovo used during the manufacturing process to configure firmware settings on production lines. The driver was intended to be deactivated before devices shipped to customers but remained loaded and functional in released BIOS images. Once an attacker gains local administrative privileges on the host operating system, they can interact with the driver's exposed interface to write attacker-controlled values to Secure Boot configuration NVRAM variables.
By modifying these variables, the attacker disables Secure Boot enforcement. With Secure Boot disabled, the UEFI firmware will load unsigned or malicious bootloaders and kernel drivers, providing a foothold below the operating system. This class of issue maps to CWE-489 (Active Debug Code), where development or manufacturing functionality is shipped in production binaries.
Root Cause
The root cause is a manufacturing-only UEFI driver that was not removed or disabled before BIOS images were signed and distributed. The driver registers handlers accessible from the operating system and performs privileged NVRAM writes without validating whether the system is still in a manufacturing state.
Attack Vector
Exploitation requires local access and high privileges on the target host. An attacker with administrator or SYSTEM-level access invokes the manufacturing driver from the operating system. The driver writes to NVRAM variables that control Secure Boot policy. After a reboot, Secure Boot is no longer enforced, enabling persistent firmware-level implants such as bootkits and rootkits that survive disk wiping and OS reinstallation.
Detection Methods for CVE-2021-3972
Indicators of Compromise
- Unexpected changes to Secure Boot state reported by the operating system or firmware management tools
- Presence of unsigned bootloaders or UEFI drivers in the EFI System Partition after a previously secured boot configuration
- BIOS or firmware version strings matching unpatched releases for the affected Lenovo notebook models
Detection Strategies
- Inventory affected Lenovo notebooks and compare installed BIOS versions against the fixed releases in Lenovo Security Advisory LEN-73440
- Use UEFI integrity tooling such as CHIPSEC to audit NVRAM variables related to Secure Boot policy and detect tampering
- Monitor for administrative processes that load or interact with unexpected kernel drivers capable of issuing UEFI variable writes
Monitoring Recommendations
- Collect firmware version and Secure Boot status telemetry from managed endpoints at regular intervals
- Alert on transitions of SecureBoot UEFI variables from enabled to disabled outside of approved maintenance windows
- Correlate privilege escalation events on Lenovo notebook fleets with subsequent reboot activity for forensic review
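The NVRAM audit and the transition alert described above can be combined in one piece of telemetry logic. This is an added example, not code from the advisory or from Lenovo: the efivarfs layout (a 4-byte attribute word followed by the variable data) is the real Linux format, while the telemetry records, host names and the 02:00 to 04:00 maintenance window are constructed assumptions.

```python
"""Decode the SecureBoot UEFI variable and flag enabled->disabled transitions."""
from dataclasses import dataclass
from datetime import datetime, time
import struct

# Linux exposes the variable at
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
# as a 4-byte little-endian attribute mask followed by the variable data.
def parse_efivar_secureboot(raw: bytes) -> bool:
    """Return True when the SecureBoot variable reports enforcement (data byte == 1)."""
    if len(raw) < 5:
        raise ValueError("SecureBoot efivar too short: need 4 attribute bytes + 1 data byte")
    _attrs, state = struct.unpack("<IB", raw[:5])
    return state == 1

@dataclass(frozen=True)
class Snapshot:
    """One Secure Boot status report from a managed endpoint (assumed agent schema)."""
    host: str
    ts: datetime
    secure_boot: bool

# Assumed approved maintenance window: 02:00 <= t < 04:00 local time.
MAINT_WINDOW = (time(2, 0), time(4, 0))

def in_maintenance(ts: datetime) -> bool:
    return MAINT_WINDOW[0] <= ts.time() < MAINT_WINDOW[1]

def find_disable_transitions(snapshots):
    """Return (host, ISO timestamp) for every per-host enabled->disabled change
    that happened outside the maintenance window. Snapshots may arrive unordered."""
    alerts = []
    last = {}
    for snap in sorted(snapshots, key=lambda s: (s.host, s.ts)):
        prev = last.get(snap.host)
        if prev is not None and prev.secure_boot and not snap.secure_boot and not in_maintenance(snap.ts):
            alerts.append((snap.host, snap.ts.isoformat()))
        last[snap.host] = snap
    return alerts

# Constructed sample telemetry: nb-01 flips to disabled mid-afternoon (alert),
# nb-02 flips inside the maintenance window (no alert).
SAMPLE = [
    Snapshot("nb-01", datetime(2022, 5, 1, 14, 5), False),
    Snapshot("nb-01", datetime(2022, 5, 1, 9, 0), True),
    Snapshot("nb-02", datetime(2022, 5, 1, 1, 0), True),
    Snapshot("nb-02", datetime(2022, 5, 1, 3, 0), False),
]

if __name__ == "__main__":
    print(parse_efivar_secureboot(b"\x06\x00\x00\x00\x01"))  # attrs BS|RT, state 1
    print(find_disable_transitions(SAMPLE))
```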
How to Mitigate CVE-2021-3972
Immediate Actions Required
- Apply the fixed BIOS update for each affected model as listed in Lenovo Security Advisory LEN-73440
- Verify Secure Boot is enabled after patching and set a BIOS administrator password to limit firmware configuration changes
- Restrict local administrative privileges on affected notebooks to reduce the population of users able to invoke the driver
Patch Information
Lenovo released BIOS updates addressing CVE-2021-3972 across all affected IdeaPad, Legion, Yoga, V-series, S-series, and L-series consumer notebook models. Refer to the model-specific firmware downloads referenced in Lenovo Security Advisory LEN-73440 for the exact fixed BIOS versions.
Workarounds
- Enforce least privilege so that standard users cannot obtain local administrator or SYSTEM access required to invoke the manufacturing driver
- Enable and monitor measured boot or remote attestation where supported to detect Secure Boot state changes
- Where patching is delayed, isolate affected notebooks from sensitive networks and require manual re-validation of Secure Boot status after reboots
# Verify Secure Boot status on Windows (run as administrator)
Confirm-SecureBootUEFI
# Verify Secure Boot status on Linux
mokutil --sb-state
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.