Executive Summary

Summary
Title Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM
Informations
Name VU#631788 First vendor Publication 2015-03-20
Vendor VU-CERT Last vendor Modification 2015-03-20
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 4.6 Attack Range Local
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#631788

Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM

Original Release date: 20 Mar 2015 | Last revised: 20 Mar 2015

Overview

Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM.

Description

Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM. According to Corey Kallenberg of LegbaCore:

    System Management Mode (SMM) is the most privileged execution mode on the x86 processor. Non-SMM code can neither read nor write SMRAM (SMM RAM). Hence, even a ring 0 level attacker should be unable to gain access to SMM.

    However, on modern systems, some SMM code calls or interprets function pointers located outside of SMRAM in an unsafe way. This provides opportunity for a ring 0 level attacker to break into SMM.

In order to exploit the vulnerability, an attacker must have access to physical memory. The attacker can gain code execution in the context of SMM by first manipulating a function pointer or function called by SMM and then writing bytes to System Management Interrupt (SMI) command port 0xb2 to trigger SMM.

Impact

A local, authenticated attacker may be able to execute arbitrary code in the context of SMM and bypass Secure Boot. In systems that do not use protected range registers, an attacker may be able to reflash firmware.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Intel has provided the following mitigation guidance for vendors:

    Starting in Haswell-based client and server platforms, the "SMM Code Access Check" feature is available in the CPU. If SMM code enables this in the appropriate MSR, then logical processors are prevented from executing SMM code outside the ranges defined by the SMRR. If SMI code jumps outside these ranges, the CPU will assert a machine check exception. During BIOS development, this can be an effective mechanism for BIOS developers to identify insecure call-outs from SMM, and during runtime, this feature can also be effective at blocking certain attacks that redirect SMM execution outside SMRAM.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Dell Computer Corporation, Inc.Affected10 Dec 201419 Mar 2015
Hewlett-Packard CompanyAffected10 Dec 201419 Mar 2015
IBM CorporationNot Affected10 Dec 201408 Jan 2015
Insyde Software CorporationNot Affected10 Dec 201402 Feb 2015
Intel CorporationNot Affected10 Dec 201402 Mar 2015
American Megatrends Incorporated (AMI)Unknown10 Dec 201410 Dec 2014
AppleUnknown10 Dec 201410 Dec 2014
AsusTek Computer Inc.Unknown10 Dec 201410 Dec 2014
GatewayUnknown10 Dec 201410 Dec 2014
LenovoUnknown10 Dec 201410 Dec 2014
Phoenix Technologies Ltd.Unknown10 Dec 201410 Dec 2014
Sony CorporationUnknown10 Dec 201410 Dec 2014
ToshibaUnknown10 Dec 201410 Dec 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.0AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal5.1E:POC/RL:U/RC:UR
Environmental5.3CDP:MH/TD:M/CR:ND/IR:H/AR:ND

References

  • http://en.wikipedia.org/wiki/System_Management_Mode

Credit

Thanks to Corey Kallenberg of LegbaCore for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2015-0949
  • Date Public:20 Mar 2015
  • Date First Published:20 Mar 2015
  • Date Last Updated:20 Mar 2015
  • Document Revision:21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/631788

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-269 Improper Privilege Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2020-05-23 13:03:47
  • Multiple Updates
2015-03-20 21:25:55
  • First insertion