search menu icon-carat-right cmu-wordmark

CERT Coordination Center


BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

Vulnerability Note VU#577140

Original Release Date: 2015-07-30 | Last Revised: 2015-08-12

Overview

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.

Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.

Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.

A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vila๺'s blog disclosure.

Impact

A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.

Solution

Apply an update

Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.

Vendor Information

577140
Expand all

American Megatrends Incorporated (AMI)

Notified:  July 16, 2015 Updated:  August 12, 2015

Statement Date:   August 12, 2015

Status

  Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production.

End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  June 01, 2015 Updated:  July 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.apple.com/en-us/HT204934

Addendum

CVE-2015-3692

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Dell Computer Corporation, Inc.

Notified:  June 29, 2015 Updated:  July 30, 2015

Statement Date:   July 28, 2015

Status

  Affected

Vendor Statement

Some older Client Solutions (CS) commercial platforms are affected by the vulnerability described in VU#577140. Updated BIOS code has been developed to mitigate the vulnerability by addressing the configuration error during resume. Applicable BIOS update patches and revisions to address this vulnerability are listed below:

Dell SystemBIOS UpdateAvailability
Latitude E5420A14Available
Latitude E5520A14Available
Latitude E6220A13Available
Latitude E6320A19Available
Latitude E6420 / ATGA21Available
Latitude E6420 XFRA21Available
Latitude E6520A19Available
Latitude XT3A13Available
OptiPlex 390A11Available
OptiPlex 790A18Available
OptiPlex 990A18Available
Precision Mobile Workstation M4600A16Available
Precision Mobile Workstation M6600A15Available
Precision Workstation T1600A16Available
Precision Workstation T7600A10Available
Precision Workstation T5600A12Available
Precision Workstation T5600 XLA12Available
Precision Workstation T3600A12Available
Latitude E4310A14Available
Latitude E5410A16Available
Latitude E5510A16Available
Latitude E6410 / ATGA16Available
Latitude E6510A16Available
Precision Mobile Workstation M4500A15Available

Dell recommends customers update to the latest BIOS by downloading the patched releases from

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.dell.com

Addendum

CVE-2015-2890. Note that the researchers first notified Dell of this vulnerability on 8/15/2013.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lenovo

Notified:  July 16, 2015 Updated:  August 07, 2015

Statement Date:   August 05, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AsusTek Computer Inc.

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Insyde Software Corporation

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel Corporation

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Phoenix Technologies Ltd.

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Toshiba America Information Systems, Inc.

Notified:  July 16, 2015 Updated:  July 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 7.2 CDP:MH/TD:H/CR:ND/IR:H/AR:ND

References

Credit

Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2890, CVE-2015-3692
Date Public: 2015-07-30
Date First Published: 2015-07-30
Date Last Updated: 2015-08-12 17:55 UTC
Document Revision: 32

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.