Vulnerability Note VU#766164
Intel BIOS locking mechanism contains race condition that enables write protection bypass
A race condition exists in Intel chipsets that rely solely on the BIOS_CNTL.BIOSWE and BIOS_CNTL.BLE bits as a BIOS write locking mechanism. Successful exploitation of this vulnerability may result in a bypass of this locking mechanism.
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
According to Corey Kallenberg of The MITRE Corporation:
However, it has been shown that a race condition exists that can allow writes to the BIOS to occur between the moment that an attempt is made to set BIOS_CNTL.BIOSWE to 1 and the moment that it is set back to 0 by the SMI.
A local, authenticated attacker could write malicious code to the platform firmware. Additionally, if the "UEFI Variable" region of the SPI Flash relies on BIOS_CNTL.BLE for write protection, as many implementations do, this vulnerability could be used to bypass UEFI Secure Boot. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable.
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
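To check whether a given machine relies solely on the two bits described above, the following added example (not part of the original note or any vendor's tooling) decodes BIOS_CNTL from an `lspci -xxx` style configuration-space dump. It assumes the register sits at offset 0xDC of the LPC bridge (00:1f.0) and that the chipset also has an SMM_BWP bit at bit 5, which this note does not name; the sample dump is constructed.

```python
import re

# BIOS_CNTL bit masks (8-bit register in Intel chipset config space).
BIOSWE = 0x01   # BIOS Write Enable
BLE = 0x02      # BIOS Lock Enable: setting BIOSWE triggers an SMI
SMM_BWP = 0x20  # SMM BIOS Write Protect (assumption: not named in this note)
BIOS_CNTL_OFFSET = 0xDC  # assumption: offset within LPC bridge 00:1f.0

ROW = re.compile(r"^([0-9a-f]{2,3}):((?: [0-9a-f]{2}){1,16})$", re.I)

def parse_config_dump(text):
    """Convert `lspci -xxx` style hex rows into {offset: byte value}."""
    space = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # device header or blank line
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            space[base + i] = int(byte, 16)
    return space

def assess_bios_cntl(value):
    """Return (status, bioswe_currently_set) for one BIOS_CNTL value."""
    if not value & BLE:
        status = "NO-LOCK"        # BIOSWE can be set with no SMI at all
    elif not value & SMM_BWP:
        status = "RACE-EXPOSED"   # lock rests solely on BIOSWE/BLE + SMI
    else:
        status = "SMM-ONLY"       # chipset also requires SMM for writes
    return status, bool(value & BIOSWE)

def assess_dump(text):
    """Locate BIOS_CNTL in a dump and classify it."""
    space = parse_config_dump(text)
    if BIOS_CNTL_OFFSET not in space:
        # Unprivileged lspci shows only the first 64 bytes of config space.
        raise ValueError("dump does not reach offset 0xDC; rerun as root")
    return assess_bios_cntl(space[BIOS_CNTL_OFFSET])

# Constructed sample (not from a real machine): BLE set, SMM_BWP clear.
SAMPLE = """00:1f.0 ISA bridge: constructed sample
c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
d0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
"""

if __name__ == "__main__":
    print(assess_dump(SAMPLE))
```

A result of RACE-EXPOSED means the flash lock depends on the SMI handler clearing BIOSWE in time, which is the condition this note describes.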
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| American Megatrends Incorporated (AMI) | Affected | 12 Sep 2014 | 29 Dec 2014 |
| Lenovo | Affected | 12 Sep 2014 | 23 Jul 2015 |
| Phoenix Technologies Ltd. | Affected | 12 Sep 2014 | 17 Dec 2014 |
| Apple Inc. | Not Affected | 12 Sep 2014 | 16 Dec 2014 |
| Dell Computer Corporation, Inc. | Not Affected | 12 Sep 2014 | 21 Jan 2015 |
| IBM Corporation | Not Affected | 12 Sep 2014 | 16 Dec 2014 |
| Insyde Software Corporation | Not Affected | 12 Sep 2014 | 03 Feb 2015 |
| Intel Corporation | Not Affected | 12 Sep 2014 | 06 Jan 2015 |
| AsusTek Computer Inc. | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Gateway | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Hewlett-Packard Company | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Sony Corporation | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Toshiba | Unknown | 12 Sep 2014 | 12 Sep 2014 |
Thanks to Corey Kallenberg and Rafal Wojtczuk for reporting this vulnerability. This issue was also independently co-discovered by John Butterworth and Sam Cornwell of the MITRE Corporation.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-8273
- Date Public: 28 Dec 2014
- Date First Published: 05 Jan 2015
- Date Last Updated: 23 Jul 2015
- Document Revision: 36