Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):
There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.
A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.
Apply an update
Dell Computer Corporation, Inc. Affected
Lenovo Not Affected
AsusTek Computer Inc. Unknown
Hewlett-Packard Company Unknown
IBM Corporation Unknown
Insyde Software Corporation Unknown
Intel Corporation Unknown
Phoenix Technologies Ltd. Unknown
Sony Corporation Unknown
Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vila for disclosing the issue in Apple products.
This document was written by Joel Land.