Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):
There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.
A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.
Apply an update
American Megatrends Incorporated (AMI)
Dell Computer Corporation, Inc.
AsusTek Computer Inc.
Insyde Software Corporation
Phoenix Technologies Ltd.
Toshiba America Information Systems, Inc.
Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.
This document was written by Joel Land.