Vulnerability Note VU#577140
BIOS implementations fail to properly set UEFI write protections after waking from sleep mode
Overview
Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
Description
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890): There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.
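The register state the note describes can be audited from the defender's side by comparing BIOS_CNTL snapshots taken before sleep and after resume. The example below is added here and is not code from the note, from CERT, or from the reporting researchers; the bit positions (bit 0 = BIOSWE, bit 1 = BIOSLE, also known as BLE) are taken from public Intel PCH datasheets and are stated as an assumption, and the register values are constructed snapshots rather than reads from real hardware.

```python
# Added example (not part of VU#577140): decode the BIOS_CNTL bits the note
# describes and flag a lock that was armed before S3 sleep but not re-armed
# by the firmware after resume.
#
# Assumptions (labelled): bit layout follows public Intel PCH datasheets,
# bit 0 = BIOSWE (BIOS Write Enable), bit 1 = BIOSLE/BLE (BIOS Lock Enable).
# All register values below are constructed, not read from hardware.

BIOSWE = 1 << 0   # 1 = SPI BIOS region is writable
BIOSLE = 1 << 1   # 1 = attempts to set BIOSWE are trapped by the chipset (SMI)


def decode_bios_cntl(value: int) -> dict:
    """Return the protection state encoded in one 8-bit BIOS_CNTL value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    write_enabled = bool(value & BIOSWE)
    lock_enabled = bool(value & BIOSLE)
    return {
        "raw": value,
        "BIOSWE": write_enabled,
        "BIOSLE": lock_enabled,
        # Only the lock bit protects the flash: with BIOSLE clear, ring-0
        # code can simply set BIOSWE itself before writing.
        "protected": lock_enabled,
    }


def classify_resume(before_sleep: int, after_resume: int) -> str:
    """Compare BIOS_CNTL before S3 sleep and after resume.

    Returns:
      "locked"       lock bit set in both snapshots (firmware re-armed it)
      "lock-lost"    locked before sleep, clear after resume (the VU#577140 pattern)
      "never-locked" lock bit was not set even before sleep
    """
    pre = decode_bios_cntl(before_sleep)
    post = decode_bios_cntl(after_resume)
    if not pre["protected"]:
        return "never-locked"
    if post["protected"]:
        return "locked"
    return "lock-lost"


def audit_snapshots(log_lines):
    """Parse constructed '<state> <hex>' lines and classify each sleep cycle.

    state is 'pre-sleep' or 'post-resume'; each pre/post pair is one cycle.
    """
    results = []
    pending = None
    for line in log_lines:
        state, hexval = line.split()
        value = int(hexval, 16)
        if state == "pre-sleep":
            pending = value
        elif state == "post-resume" and pending is not None:
            results.append(classify_resume(pending, value))
            pending = None
    return results


# Constructed sample: the first cycle keeps the lock, the second loses it.
SAMPLE_LOG = [
    "pre-sleep 0x02",
    "post-resume 0x02",
    "pre-sleep 0x02",
    "post-resume 0x00",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG[1::2], audit_snapshots(SAMPLE_LOG)):
        print(f"{line}: {verdict}")
```

In practice the two snapshot values would come from a firmware-inspection tool that reads the register, and a "lock-lost" verdict after a suspend/resume cycle is the signal that the platform needs the vendor update referenced in this note.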
Impact
A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.
Solution
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| American Megatrends Incorporated (AMI) | Affected | 16 Jul 2015 | 12 Aug 2015 |
| Apple | Affected | 01 Jun 2015 | 30 Jul 2015 |
| Dell Computer Corporation, Inc. | Affected | 29 Jun 2015 | 30 Jul 2015 |
| Lenovo | Not Affected | 16 Jul 2015 | 07 Aug 2015 |
| AsusTek Computer Inc. | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Hewlett-Packard Company | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| IBM Corporation | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Insyde Software Corporation | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Intel Corporation | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Phoenix Technologies Ltd. | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Sony Corporation | Unknown | 16 Jul 2015 | 16 Jul 2015 |
| Toshiba America Information Systems, Inc. | Unknown | 16 Jul 2015 | 16 Jul 2015 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
| Temporal | 5.3 | E:POC/RL:OF/RC:C |
| Environmental | 7.2 | CDP:MH/TD:H/CR:ND/IR:H/AR:ND |
References
- https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
- https://support.apple.com/en-us/HT204934
- http://support.dell.com/
Credit
Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.
This document was written by Joel Land.
Other Information
- CVE IDs: CVE-2015-2890 CVE-2015-3692
- Date Public: 30 Jul 2015
- Date First Published: 30 Jul 2015
- Date Last Updated: 12 Aug 2015
- Document Revision: 32
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.