American Megatrends Incorporated (AMI)

Notified:  September 12, 2014 Updated: December 29, 2014

Status

  Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production. End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.

Notified:  September 12, 2014 Updated: December 16, 2014

Status

  Not Affected

Vendor Statement

For the issue reported, it does not affect Apple products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc.

Notified:  September 12, 2014 Updated: September 12, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    Dell Computer Corporation, Inc.

    Notified:  September 12, 2014 Updated: January 21, 2015

    Status

      Not Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Gateway

    Notified:  September 12, 2014 Updated: September 12, 2014

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Hewlett-Packard Company

      Notified:  September 12, 2014 Updated: September 12, 2014

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        IBM Corporation

        Notified:  September 12, 2014 Updated: December 16, 2014

        Status

          Not Affected

        Vendor Statement

        Internally, we have assigned PSIRT Advisory 2172 to VU#766164.  Our development team analyzed the potential vulnerability, and the results of their analysis were that IBM is not exposed to this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Insyde Software Corporation

        Notified:  September 12, 2014 Updated: February 03, 2015

        Status

          Not Affected

        Vendor Statement

        "Insyde has reviewed the Insyde BIOS code and believes InsydeH2O-based systems are not vulnerable to this issue. OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance. End users are advised to contact the manufacturer of their equipment."

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Intel Corporation

        Notified:  September 12, 2014 Updated: January 06, 2015

        Status

          Not Affected

        Vendor Statement

        This vulnerability is caused by a misconfiguration of the platform by a platform-specific BIOS implementation. Intel has provided guidance to BIOS developers regarding write protection of the BIOS using System Management Mode (SMM) for many years. In preparation for the public disclosure of this issue, Intel has reiterated that guidance. This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Lenovo

        Notified:  September 12, 2014 Updated: July 23, 2015

        Status

          Affected

        Vendor Statement

        Fixes are available for all affected products.  Lenovo’s security advisory may be found here:  https://support.lenovo.com/us/en/product_security/speed_racer.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Vendor References

        Phoenix Technologies Ltd.

        Notified:  September 12, 2014 Updated: December 17, 2014

        Status

          Affected

        Vendor Statement

        We investigated this item and found some of our shipping products to be vulnerable. The vulnerability has been fixed, and we are working with OEMs to provide the updated source code. End users should contact the manufacturer directly for more information and instructions regarding the fix.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        Sony Corporation

        Notified:  September 12, 2014 Updated: September 12, 2014

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Toshiba

          Notified:  September 12, 2014 Updated: September 12, 2014

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            View all 13 vendors View less vendors