Vulnerability Note VU#631788
BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM
Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM. According to Corey Kallenberg of LegbaCore:
System Management Mode (SMM) is the most privileged execution mode on the x86 processor. Non-SMM code can neither read nor write SMRAM (SMM RAM). Hence, even a ring 0 level attacker should be unable to gain access to SMM.
A local, authenticated attacker may be able to execute arbitrary code in the context of SMM and bypass Secure Boot. In systems that do not use protected range registers, an attacker may be able to reflash firmware.
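The condition in the title can be stated as a range check on every address SMM code is about to call. The following is an added example, not code from this note or from any vendor's firmware; the SMRAM base and size, the type and function names, and the table entries are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical SMRAM window; real firmware reads it from chipset configuration. */
typedef struct { uint64_t base, size; } smram_region;

/* Hypothetical entry in a table of routines an SMI handler may branch to. */
typedef struct { uint64_t target, code_len; } smi_service;

typedef enum { SMI_OK, SMI_REJECT_NULL, SMI_REJECT_OUTSIDE_SMRAM } smi_status;

/* True only if [addr, addr + len) lies entirely inside SMRAM.
 * Avoids computing addr + len, so a large len cannot wrap past 2^64. */
bool in_smram(const smram_region *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || len > r->size || addr < r->base)
        return false;
    return addr - r->base <= r->size - len;
}

/* Gate for an indirect call made while in SMM: memory outside SMRAM can be
 * modified by non-SMM code, so a target there must never be called. */
smi_status check_smi_call(const smram_region *r, const smi_service *svc)
{
    if (svc == NULL || svc->target == 0)
        return SMI_REJECT_NULL;
    if (!in_smram(r, svc->target, svc->code_len))
        return SMI_REJECT_OUTSIDE_SMRAM;
    return SMI_OK;
}

/* Audit a whole table; returns how many entries would leave SMRAM. */
size_t count_unsafe(const smram_region *r, const smi_service *t, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (check_smi_call(r, &t[i]) != SMI_OK)
            bad++;
    return bad;
}

/* Constructed sample values, not taken from any real platform. */
const smram_region SAMPLE_SMRAM = { 0x7F000000u, 0x00800000u };
const smi_service SAMPLE_TABLE[] = {
    { 0x7F001000u, 0x200 },            /* inside SMRAM */
    { 0x00100000u, 0x200 },            /* ordinary RAM below SMRAM */
    { 0x7F7FFF00u, 0x101 },            /* starts inside, runs one byte past the end */
    { 0xFFFFFFFFFFFFFFF0u, 0x20 },     /* addr + len would wrap around */
};
```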
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Dell Computer Corporation, Inc. | Affected | 10 Dec 2014 | 19 Mar 2015 |
| Hewlett-Packard Company | Affected | 10 Dec 2014 | 19 Mar 2015 |
| Lenovo | Affected | 10 Dec 2014 | 15 Oct 2015 |
| American Megatrends Incorporated (AMI) | Not Affected | 10 Dec 2014 | 10 Apr 2015 |
| IBM Corporation | Not Affected | 10 Dec 2014 | 08 Jan 2015 |
| Insyde Software Corporation | Not Affected | 10 Dec 2014 | 02 Feb 2015 |
| Intel Corporation | Not Affected | 10 Dec 2014 | 02 Mar 2015 |
| Apple | Unknown | 10 Dec 2014 | 10 Dec 2014 |
| AsusTek Computer Inc. | Unknown | 10 Dec 2014 | 10 Dec 2014 |
| Gateway | Unknown | 10 Dec 2014 | 10 Dec 2014 |
| Phoenix Technologies Ltd. | Unknown | 10 Dec 2014 | 10 Dec 2014 |
| Sony Corporation | Unknown | 10 Dec 2014 | 10 Dec 2014 |
| Toshiba | Unknown | 10 Dec 2014 | 10 Dec 2014 |
Thanks to Corey Kallenberg of LegbaCore for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-0949
- Date Public: 20 Mar 2015
- Date First Published: 20 Mar 2015
- Date Last Updated: 08 Jul 2015
- Document Revision: 24