Executive Summary

Summary

Title: Some UEFI systems do not properly secure the EFI S3 Resume Boot Path boot script

Information

Name: VU#976132
Vendor: VU-CERT
First vendor publication: 2015-01-05
Last vendor modification: 2015-02-03
Severity (vendor): N/A
Revision: M


Detail

Vulnerability Note VU#976132

Some UEFI systems do not properly secure the EFI S3 Resume Boot Path boot script

Original Release date: 05 Jan 2015 | Last revised: 03 Feb 2015

Overview

Some UEFI systems fail to properly restrict access to the boot script used by the EFI S3 Resume Boot Path, allowing an authenticated, local attacker to bypass various firmware write protections.

Description

According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation:

    "During the UEFI S3 Resume path, a boot script is interpreted to re-initialize the platform. The boot script dictates various memory and port read/write operations to facilitate this re-initialization. The boot script is interpreted early enough where important platform security mechanisms have not yet been configured. For example, BIOS_CNTL, which helps protect the platform firmware against arbitrary writes, is unlocked. TSEGMB, which protects SMRAM against DMA, is also unlocked.

    Given this, the boot script is in a security critical position and maintaining its integrity is important. However, we have discovered that on certain systems the boot script resides in unprotected memory which can be tampered with by an attacker with access to physical memory."
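To make concrete why the script's location matters, the following is an added example in Python, not code from the advisory, from the researchers, or from any firmware vendor. It models the resume path: a constructed, simplified boot-script encoding, a parser, an interpreter that applies the script's memory and port writes to simulated chipset state, and a check that refuses a script whose digest no longer matches one recorded before suspend. The opcode values, entry layout, register addresses and the "sealed digest" protection are all assumptions of the model, not the EFI boot script specification or any vendor's fix; the real format has more opcodes and a different layout.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed opcode subset (assumption: the real specification defines
# more opcodes and a different entry layout).
OP_IO_WRITE = 0x00
OP_MEM_WRITE = 0x02
OP_TABLE_END = 0xFF

# Constructed entry layout: opcode (u8), width in bytes (u8), address (u64), value (u64).
ENTRY_FMT = "<BBQQ"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 18 bytes, no padding


@dataclass
class Entry:
    opcode: int
    width: int
    address: int
    value: int


def encode_script(entries: List[Entry]) -> bytes:
    """Serialise entries and append the table-end marker."""
    body = b"".join(struct.pack(ENTRY_FMT, e.opcode, e.width, e.address, e.value) for e in entries)
    return body + struct.pack(ENTRY_FMT, OP_TABLE_END, 0, 0, 0)


def parse_script(blob: bytes) -> List[Entry]:
    """Decode entries up to the end marker; reject truncated or unknown entries."""
    entries: List[Entry] = []
    offset = 0
    while True:
        if offset + ENTRY_SIZE > len(blob):
            raise ValueError("boot script truncated before table end")
        opcode, width, address, value = struct.unpack_from(ENTRY_FMT, blob, offset)
        offset += ENTRY_SIZE
        if opcode == OP_TABLE_END:
            return entries
        if opcode not in (OP_IO_WRITE, OP_MEM_WRITE) or width not in (1, 2, 4, 8):
            raise ValueError(f"unsupported entry at offset {offset - ENTRY_SIZE}")
        entries.append(Entry(opcode, width, address, value))


class Platform:
    """Simulated chipset state that the resume path re-initialises."""

    def __init__(self) -> None:
        self.mmio: Dict[int, int] = {}
        self.io: Dict[int, int] = {}

    def run(self, entries: List[Entry]) -> None:
        for e in entries:
            target = self.mmio if e.opcode == OP_MEM_WRITE else self.io
            target[e.address] = e.value & ((1 << (8 * e.width)) - 1)


def seal(blob: bytes) -> bytes:
    """Digest taken while the script is still trustworthy (at S3 entry); the
    model assumes it is stored where it cannot be modified before resume."""
    return hashlib.sha256(blob).digest()


def resume(blob: bytes, platform: Platform, sealed: Optional[bytes] = None) -> bool:
    """Interpret the script on resume. With a sealed digest, a modified script
    is refused and the platform is left untouched (returns False). Without
    one, whatever sits in memory is executed, which is the situation the
    advisory describes."""
    if sealed is not None and hashlib.sha256(blob).digest() != sealed:
        return False
    platform.run(parse_script(blob))
    return True


# Constructed sample: a write that sets a lock bit in a model register at
# MMIO 0x1000 (a stand-in for a firmware write-protect lock), then an I/O write.
LOCK_REG = 0x1000
SAMPLE = encode_script([
    Entry(OP_MEM_WRITE, 1, LOCK_REG, 0x01),
    Entry(OP_IO_WRITE, 1, 0x80, 0x5A),
])
# Constructed in-memory copy in which the lock value has been changed to 0.
TAMPERED = SAMPLE.replace(struct.pack(ENTRY_FMT, OP_MEM_WRITE, 1, LOCK_REG, 0x01),
                          struct.pack(ENTRY_FMT, OP_MEM_WRITE, 1, LOCK_REG, 0x00))


def demo() -> dict:
    """Run the intact and modified scripts with and without the digest check."""
    sealed = seal(SAMPLE)
    protected = Platform()
    good_accepted = resume(SAMPLE, protected, sealed)
    rejected = Platform()
    tampered_accepted = resume(TAMPERED, rejected, sealed)
    unprotected = Platform()
    resume(TAMPERED, unprotected)  # no integrity check: the modified script runs
    return {
        "good_accepted": good_accepted,
        "lock_after_good": protected.mmio[LOCK_REG],
        "tampered_accepted": tampered_accepted,
        "lock_after_rejected": rejected.mmio.get(LOCK_REG),
        "lock_without_check": unprotected.mmio[LOCK_REG],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last two dictionary entries: with the digest check the modified script is never interpreted and the lock register is never written, while without it the resume path faithfully executes a script that leaves the lock clear. Whether the check runs before BIOS_CNTL and TSEGMB are configured is exactly what determines whether those protections can be relied on after resume.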

Impact

An authenticated local attacker may be able to bypass Secure Boot and/or perform an arbitrary reflash of the platform firmware despite the presence of signed firmware update enforcement. Additionally, the attacker could arbitrarily read or write to the SMRAM region. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Vendor Information

Vendor                                   Status     Date Notified   Date Updated
American Megatrends Incorporated (AMI)   Affected   15 Sep 2014     10 Dec 2014
Dell Computer Corporation, Inc.          Affected   15 Sep 2014     22 Jan 2015
Insyde Software Corporation              Affected   -               03 Feb 2015
Intel Corporation                        Affected   15 Sep 2014     29 Dec 2014
Lenovo                                   Affected   -               21 Jan 2015
Phoenix Technologies Ltd.                Affected   06 Oct 2014     19 Dec 2014

CVSS Metrics

Group          Score   Vector
Base           6.2     AV:L/AC:H/Au:N/C:C/I:C/A:C
Temporal       5.6     E:POC/RL:ND/RC:C
Environmental  5.6     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-boot-script-specification-v091.html
  • http://support.lenovo.com/us/en/product_security/s3_boot_protect

Credit

Thanks to Rafal Wojtczuk and Corey Kallenberg for reporting this vulnerability, as well as Intel Advanced Threat Research.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2014-8274
  • Date Public: 28 Dec 2014
  • Date First Published: 05 Jan 2015
  • Date Last Updated: 03 Feb 2015
  • Document Revision: 24

Original Source

Url : http://www.kb.cert.org/vuls/id/976132

Alert History

Date                  Information
2015-02-04 00:21:36   Multiple Updates
2015-01-22 17:21:42   Multiple Updates
2015-01-21 17:21:40   Multiple Updates
2015-01-13 13:23:47   Multiple Updates
2015-01-07 17:22:47   Multiple Updates
2015-01-07 00:22:16   Multiple Updates
2015-01-05 17:22:19   First insertion