Executive Summary

Summary
Title: Intel BIOS locking mechanism contains race condition that enables write protection bypass

Information
Name: VU#766164                First vendor publication: 2015-01-05
Vendor: VU-CERT                Last vendor modification: 2015-02-05
Severity (vendor): N/A         Revision: M


Detail

Vulnerability Note VU#766164

Intel BIOS locking mechanism contains race condition that enables write protection bypass

Original Release date: 05 Jan 2015 | Last revised: 05 Feb 2015

Overview

A race condition exists in Intel chipsets that rely solely on the BIOS_CNTL.BIOSWE and BIOS_CNTL.BLE bits as a BIOS write locking mechanism. Successful exploitation of this vulnerability may result in a bypass of this locking mechanism.

Description

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A race condition exists in Intel chipsets that rely solely on the BIOS_CNTL.BIOSWE and BIOS_CNTL.BLE bits as a BIOS write locking mechanism. According to Corey Kallenberg of The MITRE Corporation:

    "When the BIOS_CNTL.BIOSWE bit is set to 1, the BIOS is made writable. Also contained with the BIOS_CNTL register is the BIOS_CNTL.BLE bit ("BIOS Lock Enable"). When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System Management Interrupt (SMI). It is the job of this SMI to determine whether or not it is permissible to write enable to the BIOS, and if not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being that the BIOS is not writable."

However, it has been shown that a race condition exists that can allow writes to the BIOS to occur between the moment that an attempt is made to set BIOS_CNTL.BIOSWE to 1 and the moment that it is set back to 0 by the SMI.

Impact

A local, authenticated attacker could write malicious code to the platform firmware. Additionally, if the "UEFI Variable" region of the SPI Flash relies on BIOS_CNTL.BLE for write protection, as many implementations do, this vulnerability could be used to bypass UEFI Secure Boot. Lastly, the attacker could corrupt the platform firmware and cause the system to become inoperable.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Intel has provided the following mitigation guidance for vendors:

    "This vulnerability is caused by a misconfiguration of the platform by a platform-specific BIOS implementation. Intel has provided guidance to BIOS developers regarding write protection of the BIOS using System Management Mode (SMM) for many years. In preparation for the public disclosure of this issue, Intel has reiterated that guidance. This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue."
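As an added example that is not part of the advisory, the following script decodes a BIOS_CNTL value into the three bits discussed above (BIOSWE, BLE, SMM_BWP) and reports whether the configuration matches Intel's guidance, only has the BLE-triggered SMI (the race window described above), or is unlocked. The bit positions follow the 6-/8-series PCH datasheets the advisory cites; the sysfs path and the 0xDC LPC config offset are assumptions valid for those PCHs only.

```python
"""Classify a BIOS_CNTL value against Intel's mitigation guidance for VU#766164.

Added example, not code from the advisory. Bit positions follow the Intel
6-/8-series PCH datasheets the advisory cites: BIOSWE = bit 0, BLE = bit 1,
SMM_BWP = bit 5. The sysfs path and the 0xDC offset in the LPC bridge's PCI
config space are assumptions that hold for those PCHs only.
"""
from pathlib import Path
from typing import Optional

BIOSWE = 1 << 0   # BIOS Write Enable: SPI BIOS region writable when set
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honored only from SMM

# Assumed location for 6-/8-series PCH; newer platforms differ.
LPC_CONFIG = Path("/sys/bus/pci/devices/0000:00:1f.0/config")
BIOS_CNTL_OFFSET = 0xDC


def classify_bios_cntl(value: int) -> str:
    """Map one BIOS_CNTL byte to a verdict.

    protected       SMM_BWP and BLE set, BIOSWE clear: Intel's full guidance.
    smm_bwp-only    SMM_BWP set: non-SMM writes are rejected, but BLE/BIOSWE
                    are not configured as recommended.
    race-condition  BLE set without SMM_BWP: only the SMI handler re-clears
                    BIOSWE, which is exactly the window VU#766164 describes.
    unlocked        BIOSWE set or no lock at all: the region is writable now.
    """
    biswe, ble, smm_bwp = value & BIOSWE, value & BLE, value & SMM_BWP
    if smm_bwp and ble and not biswe:
        return "protected"
    if smm_bwp:
        return "smm_bwp-only"
    if ble and not biswe:
        return "race-condition"
    return "unlocked"


def read_bios_cntl(config: Path = LPC_CONFIG) -> Optional[int]:
    """Read BIOS_CNTL from PCI config space (needs root); None if unavailable."""
    try:
        with config.open("rb") as f:
            f.seek(BIOS_CNTL_OFFSET)
            return f.read(1)[0]
    except (OSError, IndexError):
        return None


if __name__ == "__main__":
    # Constructed sample values, not captured from real hardware.
    for value in (0x22, 0x02, 0x03, 0x20, 0x00):
        print(f"BIOS_CNTL=0x{value:02x}: {classify_bios_cntl(value)}")
    live = read_bios_cntl()
    if live is not None:
        print(f"this host: 0x{live:02x} -> {classify_bios_cntl(live)}")
```

Run as root on a 6-/8-series platform to see the live verdict; without root the sysfs read returns None and only the constructed samples are shown.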

Vendor Information

Vendor                                  Status        Date Notified  Date Updated
American Megatrends Incorporated (AMI)  Affected      12 Sep 2014    29 Dec 2014
Phoenix Technologies Ltd.               Affected      12 Sep 2014    17 Dec 2014
Apple Inc.                              Not Affected  12 Sep 2014    16 Dec 2014
Dell Computer Corporation, Inc.         Not Affected  12 Sep 2014    21 Jan 2015
IBM Corporation                         Not Affected  12 Sep 2014    16 Dec 2014
Insyde Software Corporation             Not Affected  12 Sep 2014    03 Feb 2015
Intel Corporation                       Not Affected  12 Sep 2014    06 Jan 2015
AsusTek Computer Inc.                   Unknown       12 Sep 2014    12 Sep 2014
Gateway                                 Unknown       12 Sep 2014    12 Sep 2014
Hewlett-Packard Company                 Unknown       12 Sep 2014    12 Sep 2014
Lenovo                                  Unknown       12 Sep 2014    12 Sep 2014
Sony Corporation                        Unknown       12 Sep 2014    12 Sep 2014
Toshiba                                 Unknown       12 Sep 2014    12 Sep 2014

CVSS Metrics

Group          Score  Vector
Base           6.0    AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal       5.1    E:POC/RL:ND/RC:UR
Environmental  5.3    CDP:MH/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/362.html
  • http://www.intel.com/content/www/us/en/chipsets/6-chipset-c200-chipset-datasheet.html
  • http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/8-series-chipset-pch-datasheet.pdf

Credit

Thanks to Corey Kallenberg and Rafal Wojtczuk for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2014-8273
  • Date Public: 28 Dec 2014
  • Date First Published: 05 Jan 2015
  • Date Last Updated: 05 Feb 2015
  • Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/766164

Alert History

Date                 Information
2015-02-05 17:22:19
  • Multiple Updates
2015-02-03 17:21:42
  • Multiple Updates
2015-01-21 17:21:41
  • Multiple Updates
2015-01-07 17:22:47
  • Multiple Updates
2015-01-06 21:47:19
  • Multiple Updates
2015-01-05 17:22:20
  • First insertion