search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

Vulnerability Note VU#577140

Original Release Date: 2015-07-30 | Last Revised: 2015-08-12

Overview

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.

Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.

Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.

A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vila๺'s blog disclosure.

Impact

A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.

Solution

Apply an update

Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.

Vendor Information

577140
 
Affected   Unknown   Unaffected

American Megatrends Incorporated (AMI)

Notified:  July 16, 2015 Updated:  August 12, 2015

Statement Date:   August 12, 2015

Status

  Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production.

End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Notified:  June 01, 2015 Updated:  July 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-3692

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Dell Computer Corporation, Inc.

Notified:  June 29, 2015 Updated:  July 30, 2015

Statement Date:   July 28, 2015

Status

  Affected

Vendor Statement

Some older Client Solutions (CS) commercial platforms are affected by the vulnerability described in VU#577140. Updated BIOS code has been developed to mitigate the vulnerability by addressing the configuration error during resume. Applicable BIOS update patches and revisions to address this vulnerability are listed below:

Dell SystemBIOS UpdateAvailability
Latitude E5420A14Available
Latitude E5520A14Available
Latitude E6220A13Available
Latitude E6320A19Available
Latitude E6420 / ATGA21Available
Latitude E6420 XFRA21Available
Latitude E6520A19Available
Latitude XT3A13Available
OptiPlex 390A11Available
OptiPlex 790A18Available
OptiPlex 990A18Available
Precision Mobile Workstation M4600A16Available
Precision Mobile Workstation M6600A15Available
Precision Workstation T1600A16Available
Precision Workstation T7600A10Available
Precision Workstation T5600A12Available
Precision Workstation T5600 XLA12Available
Precision Workstation T3600A12Available
Latitude E4310A14Available
Latitude E5410A16Available
Latitude E5510A16Available
Latitude E6410 / ATGA16Available
Latitude E6510A16Available
Precision Mobile Workstation M4500A15Available

Dell recommends customers update to the latest BIOS by downloading the patched releases from .

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-2890. Note that the researchers first notified Dell of this vulnerability on 8/15/2013.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lenovo

Notified:  July 16, 2015 Updated:  August 07, 2015

Statement Date:   August 05, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc.

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    Hewlett-Packard Company

    Notified:  July 16, 2015 Updated:  July 16, 2015

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      IBM Corporation

      Notified:  July 16, 2015 Updated:  July 16, 2015

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Insyde Software Corporation

        Notified:  July 16, 2015 Updated:  July 16, 2015

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Intel Corporation

          Notified:  July 16, 2015 Updated:  July 16, 2015

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Phoenix Technologies Ltd.

            Notified:  July 16, 2015 Updated:  July 16, 2015

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Sony Corporation

              Notified:  July 16, 2015 Updated:  July 16, 2015

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Toshiba America Information Systems, Inc.

                Notified:  July 16, 2015 Updated:  July 16, 2015

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  View all 12 vendors View less vendors


                  CVSS Metrics

                  Group Score Vector
                  Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
                  Temporal 5.3 E:POC/RL:OF/RC:C
                  Environmental 7.2 CDP:MH/TD:H/CR:ND/IR:H/AR:ND

                  References

                  Acknowledgements

                  Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.

                  This document was written by Joel Land.

                  Other Information

                  CVE IDs: CVE-2015-2890, CVE-2015-3692
                  Date Public: 2015-07-30
                  Date First Published: 2015-07-30
                  Date Last Updated: 2015-08-12 17:55 UTC
                  Document Revision: 32

                  Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.