Vulnerability Note VU#976132
UEFI implementations do not properly secure the EFI S3 Resume Boot Path boot script
Some UEFI systems fail to properly restrict access to the boot script used by the EFI S3 Resume Boot Path, allowing an authenticated, local attacker to bypass various firmware write protections.
According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation:
"During the UEFI S3 Resume path, a boot script is interpreted to re-initialize the platform. The boot script dictates various memory and port read/write operations to facilitate this re-initialization. The boot script is interpreted early enough where important platform security mechanisms have not yet been configured. For example, BIOS_CNTL, which helps protect the platform firmware against arbitrary writes, is unlocked. TSEGMB, which protects SMRAM against DMA, is also unlocked."
An authenticated local attacker may be able to bypass Secure Boot and/or perform an arbitrary reflash of the platform firmware despite the presence of signed firmware update enforcement. Additionally, the attacker could arbitrarily read or write to the SMRAM region. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable.
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
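The quoted description names BIOS_CNTL and TSEGMB as protections that are still unlocked while the boot script runs, so a useful post-resume check is whether both ended up locked again. The C code below is an added example, not part of the original note or any vendor's code; the bit positions follow Intel PCH-era datasheets (an assumption, not stated in the note), and the function name, finding flags and sample register values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions per Intel PCH-era datasheets (assumption: not given in the
   note; confirm against the datasheet for the platform being audited). */
#define BIOS_CNTL_BIOSWE  (1u << 0)  /* flash writes currently enabled */
#define BIOS_CNTL_BLE     (1u << 1)  /* setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* flash writable only from SMM */
#define TSEGMB_LOCK       (1u << 0)  /* register read-only until reset */
#define TSEGMB_BASE_MASK  0xFFF00000u /* TSEG base, bits 31:20 */

/* Findings bitmask (hypothetical names for this example). */
enum {
    F_FLASH_WRITE_ENABLED = 1 << 0,
    F_BLE_CLEAR           = 1 << 1,
    F_SMM_BWP_CLEAR       = 1 << 2,
    F_TSEGMB_UNLOCKED     = 1 << 3,
    F_TSEGMB_MOVED        = 1 << 4
};

/* Compare register values captured after an S3 resume with the locked
   state expected once firmware has finished re-initializing the platform.
   tsegmb_at_boot is the value recorded after a normal cold boot. */
unsigned audit_after_resume(uint8_t bios_cntl, uint32_t tsegmb,
                            uint32_t tsegmb_at_boot)
{
    unsigned f = 0;
    if (bios_cntl & BIOS_CNTL_BIOSWE)     f |= F_FLASH_WRITE_ENABLED;
    if (!(bios_cntl & BIOS_CNTL_BLE))     f |= F_BLE_CLEAR;
    if (!(bios_cntl & BIOS_CNTL_SMM_BWP)) f |= F_SMM_BWP_CLEAR;
    if (!(tsegmb & TSEGMB_LOCK))          f |= F_TSEGMB_UNLOCKED;
    if ((tsegmb ^ tsegmb_at_boot) & TSEGMB_BASE_MASK)
        f |= F_TSEGMB_MOVED;  /* SMRAM DMA boundary differs from cold boot */
    return f;
}

int main(void)
{
    /* Constructed sample values, not taken from any real system. */
    uint32_t boot_tsegmb = 0xCB000001u;
    printf("locked resume:   0x%02x\n",
           audit_after_resume(0x2A, 0xCB000001u, boot_tsegmb));
    printf("unlocked resume: 0x%02x\n",
           audit_after_resume(0x09, 0xCB000000u, boot_tsegmb));
    return 0;
}
```

A result of zero means every lock the function checks was restored; any set bit identifies a protection that the resume path left open and that the vendor's firmware update should be verified against.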
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| American Megatrends Incorporated (AMI) | Affected | 15 Sep 2014 | 10 Dec 2014 |
| Apple | Affected | 23 Jul 2015 | 30 Jul 2015 |
| Dell Computer Corporation, Inc. | Affected | 15 Sep 2014 | 03 Aug 2015 |
| Insyde Software Corporation | Affected | - | 03 Feb 2015 |
| Intel Corporation | Affected | 15 Sep 2014 | 20 Jul 2015 |
| Lenovo | Affected | - | 21 Jan 2015 |
| Phoenix Technologies Ltd. | Affected | 06 Oct 2014 | 19 Dec 2014 |

Thanks to Rafal Wojtczuk and Corey Kallenberg for reporting this vulnerability, as well as Intel Advanced Threat Research.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-8274
- Date Public: 28 Dec 2014
- Date First Published: 05 Jan 2015
- Date Last Updated: 03 Aug 2015
- Document Revision: 31