CVSS2: 7.2 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |

CVSS3: 6 Medium

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |

EPSS: 0.0004 Low (Percentile: 0.4%)

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):
_There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.
Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wake again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitrary reflash._
A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça's blog disclosure.
A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.
Apply an update
Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.
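A resume-time check for the condition described above, as an added example that is not code from this advisory or from any vendor: it compares BIOS_CNTL and HSFS (the register that holds FLOCKDN) values captured after a cold boot with values captured after waking from sleep, and reports any protection that was lost. The bit positions come from Intel PCH datasheets rather than this page, the function and flag names are hypothetical, and the sample register values are constructed; reading the registers themselves (for example with a platform tool such as CHIPSEC) is outside the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions as documented in Intel PCH datasheets (not given on the page). */
#define BIOSWE  (1u << 0)   /* BIOS_CNTL: BIOS write enable */
#define BIOSLE  (1u << 1)   /* BIOS_CNTL: BIOS lock enable ("BLE" in Intel docs) */
#define FLOCKDN (1u << 15)  /* HSFS: SPI flash configuration lock-down */

/* Finding flags returned by audit_resume() (names are hypothetical). */
enum {
    F_BIOSLE_CLEAR  = 1, /* lock enable not set */
    F_BIOSWE_SET    = 2, /* write enable left set */
    F_FLOCKDN_CLEAR = 4, /* flash lock-down not set */
    F_REGRESSED     = 8  /* a protection present at cold boot is gone after resume */
};

/* Raw register values captured at one point in time. */
struct snapshot { uint8_t bios_cntl; uint16_t hsfs; };

/* Decode one snapshot into the set of missing protections. */
static int weaknesses(const struct snapshot *s) {
    int f = 0;
    if (!(s->bios_cntl & BIOSLE)) f |= F_BIOSLE_CLEAR;
    if (s->bios_cntl & BIOSWE)    f |= F_BIOSWE_SET;
    if (!(s->hsfs & FLOCKDN))     f |= F_FLOCKDN_CLEAR;
    return f;
}

/* Compare cold-boot and post-resume state; 0 means nothing to report. */
int audit_resume(const struct snapshot *boot, const struct snapshot *resume) {
    int before = weaknesses(boot), after = weaknesses(resume);
    if (after & ~before) after |= F_REGRESSED; /* lost across sleep/wake */
    return after;
}

int main(void) {
    /* Constructed sample values, not taken from any real machine. */
    struct snapshot boot = { 0x0A, 0xE008 }, resume = { 0x08, 0x6008 };
    int f = audit_resume(&boot, &resume);
    printf("findings=0x%x%s\n", f, (f & F_REGRESSED) ? " (lost on resume)" : "");
    return f ? 1 : 0;
}
```

Run the comparison once before and once after applying a BIOS update: a fixed system reports no findings for a boot/resume pair, while `F_REGRESSED` marks a machine whose firmware configures the bits at boot but not on wake.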
Notified: July 16, 2015 Updated: August 12, 2015
Statement Date: August 12, 2015
Affected
AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production.
End users should contact their board manufacturer for information on when a specific updated BIOS will be available.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 01, 2015 Updated: July 30, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-3692
Notified: June 29, 2015 Updated: July 30, 2015
Statement Date: July 28, 2015
Affected
Some older Client Solutions (CS) commercial platforms are affected by the vulnerability described in VU#577140. Updated BIOS code has been developed to mitigate the vulnerability by addressing the configuration error during resume. Applicable BIOS update patches and revisions to address this vulnerability are listed below:
**Dell System** | **BIOS Update** | **Availability** |
---|---|---|
Latitude E5420 | A14 | Available |
Latitude E5520 | A14 | Available |
Latitude E6220 | A13 | Available |
Latitude E6320 | A19 | Available |
Latitude E6420 / ATG | A21 | Available |
Latitude E6420 XFR | A21 | Available |
Latitude E6520 | A19 | Available |
Latitude XT3 | A13 | Available |
OptiPlex 390 | A11 | Available |
OptiPlex 790 | A18 | Available |
OptiPlex 990 | A18 | Available |
Precision Mobile Workstation M4600 | A16 | Available |
Precision Mobile Workstation M6600 | A15 | Available |
Precision Workstation T1600 | A16 | Available |
Precision Workstation T7600 | A10 | Available |
Precision Workstation T5600 | A12 | Available |
Precision Workstation T5600 XL | A12 | Available |
Precision Workstation T3600 | A12 | Available |
Latitude E4310 | A14 | Available |
Latitude E5410 | A16 | Available |
Latitude E5510 | A16 | Available |
Latitude E6410 / ATG | A16 | Available |
Latitude E6510 | A16 | Available |
Precision Mobile Workstation M4500 | A15 | Available |
Dell recommends customers update to the latest BIOS by downloading the patched releases from .
We are not aware of further vendor information regarding this vulnerability.
CVE-2015-2890. Note that the researchers first notified Dell of this vulnerability on 8/15/2013.
Notified: July 16, 2015 Updated: August 07, 2015
Statement Date: August 05, 2015
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Notified: July 16, 2015 Updated: July 16, 2015
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 5.3 | E:POC/RL:OF/RC:C |
Environmental | 7.2 | CDP:MH/TD:H/CR:ND/IR:H/AR:ND |
Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.
This document was written by Joel Land.
CVE IDs: | CVE-2015-2890, CVE-2015-3692 |
---|---|
Date Public: | 2015-07-30 |
Date First Published: | |