
CERT Coordination Center


Intel BIOS locking mechanism contains race condition that enables write protection bypass

Vulnerability Note VU#766164

Original Release Date: 2015-01-05 | Last Revised: 2015-07-23

Overview

A race condition exists in Intel chipsets that rely solely on the BIOS_CNTL.BIOSWE and BIOS_CNTL.BLE bits as a BIOS write locking mechanism. Successful exploitation of this vulnerability may result in a bypass of this locking mechanism.

Description

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A race condition exists in Intel chipsets that rely solely on the BIOS_CNTL.BIOSWE and BIOS_CNTL.BLE bits as a BIOS write locking mechanism. According to Corey Kallenberg of The MITRE Corporation:

"When the BIOS_CNTL.BIOSWE bit is set to 1, the BIOS is made writable. Also contained within the BIOS_CNTL register is the BIOS_CNTL.BLE bit ("BIOS Lock Enable"). When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System Management Interrupt (SMI). It is the job of this SMI to determine whether or not it is permissible to write enable the BIOS, and if not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being that the BIOS is not writable."

However, it has been shown that a race condition exists: writes to the BIOS can land in the window between the moment BIOS_CNTL.BIOSWE is set to 1 and the moment the SMI handler sets it back to 0. Because the SMI is the only thing clearing the bit, a platform that relies on BLE alone has no protection during that window.

Impact

A local, authenticated attacker could write malicious code to the platform firmware. Additionally, if the "UEFI Variable" region of the SPI flash relies on BIOS_CNTL.BLE for write protection, as many implementations do, this vulnerability could be used to bypass UEFI Secure Boot. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Intel has provided the following mitigation guidance for vendors:

"This vulnerability is caused by a misconfiguration of the platform by a platform-specific BIOS implementation. Intel has provided guidance to BIOS developers regarding write protection of the BIOS using System Management Mode (SMM) for many years. In preparation for the public disclosure of this issue, Intel has reiterated that guidance. This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue."
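The following C program is an added example, not code from the CERT note, from MITRE or from Intel; it turns the Description above and Intel's mitigation guidance into a check that can be run on a deployed system. It reads the BIOS_CNTL byte of the PCH LPC bridge (PCI 00:1f.0, config offset 0xDC on 6/7/8/9-series PCHs; this location, the bit layout, and the Linux sysfs path are assumptions made here) and classifies the lock state: BIOSWE=1 means the flash is writable now, BLE=1 without SMM_BWP is exactly the SMI-only lock this note describes as raceable, and SMM_BWP=1 with BLE=1 and BIOSWE=0 is the configuration Intel recommends. The function and state names are the example's own.

```c
/* Added example (not from the CERT note or from Intel): decode the Intel PCH
 * BIOS_CNTL register and judge whether the platform relies solely on the
 * BLE-triggered SMI for BIOS write protection (the raceable configuration)
 * or on SMM_BWP as Intel recommends.
 *
 * Assumed register location and layout (6/7/8/9-series PCH, LPC bridge
 * 00:1f.0, config offset 0xDC):
 *   bit 0  BIOSWE   BIOS Write Enable
 *   bit 1  BLE      BIOS Lock Enable (setting BIOSWE while BLE=1 raises an SMI)
 *   bit 5  SMM_BWP  SMM BIOS Write Protect (BIOS region writable only from SMM)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIOS_CNTL_OFFSET 0xDC
#define BIOS_CNTL_BIOSWE  (1u << 0)
#define BIOS_CNTL_BLE     (1u << 1)
#define BIOS_CNTL_SMM_BWP (1u << 5)

/* Default sysfs path of the LPC bridge's config space on Linux (assumption). */
#define DEFAULT_LPC_CONFIG "/sys/bus/pci/devices/0000:00:1f.0/config"

enum bios_wp_state {
    BIOS_WP_OPEN,               /* BIOSWE=1, no SMM_BWP: flash writable right now */
    BIOS_WP_UNLOCKED,           /* BIOSWE=0 but BLE=0: ring-0 code can set BIOSWE, no SMI */
    BIOS_WP_RACEABLE,           /* BLE=1, SMM_BWP=0: lock depends only on the SMI (VU#766164) */
    BIOS_WP_SMM_BWP_INCOMPLETE, /* SMM_BWP=1 but BLE=0 or BIOSWE=1: not the full recommendation */
    BIOS_WP_PROTECTED           /* SMM_BWP=1, BLE=1, BIOSWE=0: Intel-recommended configuration */
};

/* Pure decoder so it can be run over captured register values as well as live ones. */
enum bios_wp_state classify_bios_cntl(uint8_t bc)
{
    int bioswe  = (bc & BIOS_CNTL_BIOSWE) != 0;
    int ble     = (bc & BIOS_CNTL_BLE) != 0;
    int smm_bwp = (bc & BIOS_CNTL_SMM_BWP) != 0;

    /* SMM_BWP gates BIOS-region writes on the CPU being in SMM, independent of
     * BIOSWE, so it closes the race window by itself; still flag anything short
     * of the full BLE=1 / BIOSWE=0 configuration Intel asks for. */
    if (smm_bwp)
        return (ble && !bioswe) ? BIOS_WP_PROTECTED : BIOS_WP_SMM_BWP_INCOMPLETE;
    if (bioswe)
        return BIOS_WP_OPEN;
    if (!ble)
        return BIOS_WP_UNLOCKED;
    /* BLE=1, BIOSWE=0, SMM_BWP=0: the SMI handler is the only thing clearing
     * BIOSWE, and writes issued before it runs go through. */
    return BIOS_WP_RACEABLE;
}

const char *bios_wp_state_name(enum bios_wp_state s)
{
    switch (s) {
    case BIOS_WP_OPEN:               return "OPEN: BIOSWE=1, BIOS region writable";
    case BIOS_WP_UNLOCKED:           return "UNLOCKED: BLE=0, BIOSWE can be set without an SMI";
    case BIOS_WP_RACEABLE:           return "RACEABLE: BLE-only lock, SMM_BWP clear (VU#766164)";
    case BIOS_WP_SMM_BWP_INCOMPLETE: return "PARTIAL: SMM_BWP set but BLE/BIOSWE not as recommended";
    case BIOS_WP_PROTECTED:          return "PROTECTED: SMM_BWP=1, BLE=1, BIOSWE=0";
    }
    return "UNKNOWN";
}

/* Read the BIOS_CNTL byte from a PCI config-space image (sysfs file or a dump).
 * Returns 0 on success, -1 if the file cannot be opened or is too short. */
int read_bios_cntl(const char *config_path, uint8_t *out)
{
    FILE *f = fopen(config_path, "rb");
    if (f == NULL)
        return -1;
    int rc = -1;
    if (fseek(f, BIOS_CNTL_OFFSET, SEEK_SET) == 0 && fread(out, 1, 1, f) == 1)
        rc = 0;
    fclose(f);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = (argc > 1) ? argv[1] : DEFAULT_LPC_CONFIG;
    uint8_t bc;

    if (read_bios_cntl(path, &bc) != 0) {
        perror(path);
        return 1;
    }
    enum bios_wp_state s = classify_bios_cntl(bc);
    printf("BIOS_CNTL=0x%02x BIOSWE=%u BLE=%u SMM_BWP=%u -> %s\n",
           bc,
           (unsigned)((bc & BIOS_CNTL_BIOSWE) != 0),
           (unsigned)((bc & BIOS_CNTL_BLE) != 0),
           (unsigned)((bc & BIOS_CNTL_SMM_BWP) != 0),
           bios_wp_state_name(s));
    return (s == BIOS_WP_PROTECTED) ? 0 : 2;
}
```

Run it as root with no argument to read the live register, or pass the path of a saved config-space dump; the same byte can be obtained with `setpci -s 00:1f.0 0xdc.b` for comparison. On 100-series and later PCHs the equivalent bits live in the SPI controller's own config space (00:1f.5) under different names, so the offsets and masks must be adjusted there. The check deliberately looks only at BIOS_CNTL, which is all this note is about; it says nothing about SPI Protected Range registers or about whether the SMI handler itself is correct, so a PROTECTED verdict is necessary but not sufficient evidence that the flash is locked.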

Vendor Information


American Megatrends Incorporated (AMI)

Notified:  September 12, 2014 Updated:  December 29, 2014

Status

  Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production. End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lenovo

Notified:  September 12, 2014 Updated:  July 23, 2015

Status

  Affected

Vendor Statement

Fixes are available for all affected products.  Lenovo’s security advisory may be found here:  https://support.lenovo.com/us/en/product_security/speed_racer.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.lenovo.com/us/en/product_security/speed_racer

Addendum

There are no additional comments at this time.


Phoenix Technologies Ltd.

Notified:  September 12, 2014 Updated:  December 17, 2014

Status

  Affected

Vendor Statement

We investigated this item and found some of our shipping products to be vulnerable. The vulnerability has been fixed, and we are working with OEMs to provide the updated source code. End users should contact the manufacturer directly for more information and instructions regarding the fix.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Apple Inc.

Notified:  September 12, 2014 Updated:  December 16, 2014

Status

  Not Affected

Vendor Statement

For the issue reported, it does not affect Apple products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Dell Computer Corporation, Inc.

Notified:  September 12, 2014 Updated:  January 21, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


IBM Corporation

Notified:  September 12, 2014 Updated:  December 16, 2014

Status

  Not Affected

Vendor Statement

Internally, we have assigned PSIRT Advisory 2172 to VU#766164.  Our development team analyzed the potential vulnerability, and the results of their analysis were that IBM is not exposed to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Insyde Software Corporation

Notified:  September 12, 2014 Updated:  February 03, 2015

Status

  Not Affected

Vendor Statement

"Insyde has reviewed the Insyde BIOS code and believes InsydeH2O-based systems are not vulnerable to this issue.

OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance.

End users are advised to contact the manufacturer of their equipment."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Intel Corporation

Notified:  September 12, 2014 Updated:  January 06, 2015

Status

  Not Affected

Vendor Statement

This vulnerability is caused by a misconfiguration of the platform by a platform-specific BIOS implementation. Intel has provided guidance to BIOS developers regarding write protection of the BIOS using System Management Mode (SMM) for many years. In preparation for the public disclosure of this issue, Intel has reiterated that guidance. This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


AsusTek Computer Inc.

Notified:  September 12, 2014 Updated:  September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Gateway

Notified:  September 12, 2014 Updated:  September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Hewlett-Packard Company

Notified:  September 12, 2014 Updated:  September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Sony Corporation

Notified:  September 12, 2014 Updated:  September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Toshiba

Notified:  September 12, 2014 Updated:  September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.



CVSS Metrics

Group Score Vector
Base 6.0 AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal 5.1 E:POC/RL:ND/RC:UR
Environmental 5.3 CDP:MH/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Corey Kallenberg and Rafal Wojtczuk for reporting this vulnerability. This issue was also independently co-discovered by John Butterworth and Sam Cornwell of the MITRE Corporation.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-8273
Date Public: 2014-12-28
Date First Published: 2015-01-05
Date Last Updated: 2015-07-23 16:39 UTC
Document Revision: 36

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.