CERT VU#577140
Jul 30, 2015 - 12:00 a.m.

BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

2015-07-30 00:00:00
www.kb.cert.org

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

| Metric | Value |
| --- | --- |
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

CVSS3: 6 Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)

| Metric | Value |
| --- | --- |
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

EPSS: 0.0004 Low (percentile 0.4%)

Overview

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.

Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

_There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware’s point of view.

Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wake again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitrary reflash._
A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça's blog disclosure.
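The following is an added example, not part of the CERT note or the researchers' work: it decodes the BIOS_CNTL and HSFS register values a platform reports and lists which protections held at a normal boot but are gone after an S3 resume, which is exactly the regression the note describes. Bit positions are assumed from Intel PCH datasheets, and the register values are constructed for the demo.

```python
"""Compare Intel PCH BIOS write-protection bits at boot vs. after S3 resume.

Added example, not from the CERT note. Bit positions assumed from Intel PCH
datasheets: BIOS_CNTL (LPC bridge, PCI config offset 0xDC) bit 0 = BIOSWE,
bit 1 = BIOSLE (datasheets name it BLE); HSFS (SPIBAR + 0x04) bit 15 = FLOCKDN.
"""
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS Write Enable: flash region writable when set
BIOSLE = 1 << 1    # BIOS Lock Enable: setting BIOSWE traps to SMM when set
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down bit in HSFS


@dataclass(frozen=True)
class FlashState:
    """Raw register values as read from a platform (constructed in this demo)."""
    bios_cntl: int
    hsfs: int

    def protections(self) -> dict[str, bool]:
        """Map each protection to True when it is in the safe state."""
        return {
            "BIOSLE set": bool(self.bios_cntl & BIOSLE),
            "BIOSWE clear": not (self.bios_cntl & BIOSWE),
            "FLOCKDN set": bool(self.hsfs & FLOCKDN),
        }

    def missing(self) -> list[str]:
        """Protections that are not in place in this state."""
        return [name for name, ok in self.protections().items() if not ok]


def resume_regressions(before: FlashState, after: FlashState) -> list[str]:
    """Protections present before sleep but absent after resume (VU#577140)."""
    pre, post = before.protections(), after.protections()
    return [name for name in pre if pre[name] and not post[name]]


# Constructed sample values: a correctly configured boot, then a resume on a
# BIOS that never re-set BIOS_CNTL or FLOCKDN (registers at reset defaults).
NORMAL_BOOT = FlashState(bios_cntl=0x02, hsfs=0x8000)
AFTER_RESUME = FlashState(bios_cntl=0x00, hsfs=0x0000)

if __name__ == "__main__":
    for name in resume_regressions(NORMAL_BOOT, AFTER_RESUME):
        print("lost after resume:", name)
```

On Linux the raw BIOS_CNTL byte can be read as root with `setpci -s 00:1f.0 dc.b`, and chipsec's `common.bios_wp` module reports both registers; feed those values in place of the constructed ones, once at boot and again after a suspend/resume cycle.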


Impact

A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.


Solution

Apply an update

Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.


Vendor Information


American Megatrends Incorporated (AMI): Affected

Notified: July 16, 2015 Updated: August 12, 2015

Statement Date: August 12, 2015

Status

Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production.

End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple: Affected

Notified: June 01, 2015 Updated: July 30, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-3692


Dell Computer Corporation, Inc.: Affected

Notified: June 29, 2015 Updated: July 30, 2015

Statement Date: July 28, 2015

Status

Affected

Vendor Statement

Some older Client Solutions (CS) commercial platforms are affected by the vulnerability described in VU#577140. Updated BIOS code has been developed to mitigate the vulnerability by addressing the configuration error during resume. Applicable BIOS update patches and revisions to address this vulnerability are listed below:

| Dell System | BIOS Update | Availability |
| --- | --- | --- |
| Latitude E5420 | A14 | Available |
| Latitude E5520 | A14 | Available |
| Latitude E6220 | A13 | Available |
| Latitude E6320 | A19 | Available |
| Latitude E6420 / ATG | A21 | Available |
| Latitude E6420 XFR | A21 | Available |
| Latitude E6520 | A19 | Available |
| Latitude XT3 | A13 | Available |
| OptiPlex 390 | A11 | Available |
| OptiPlex 790 | A18 | Available |
| OptiPlex 990 | A18 | Available |
| Precision Mobile Workstation M4600 | A16 | Available |
| Precision Mobile Workstation M6600 | A15 | Available |
| Precision Workstation T1600 | A16 | Available |
| Precision Workstation T7600 | A10 | Available |
| Precision Workstation T5600 | A12 | Available |
| Precision Workstation T5600 XL | A12 | Available |
| Precision Workstation T3600 | A12 | Available |
| Latitude E4310 | A14 | Available |
| Latitude E5410 | A16 | Available |
| Latitude E5510 | A16 | Available |
| Latitude E6410 / ATG | A16 | Available |
| Latitude E6510 | A16 | Available |
| Precision Mobile Workstation M4500 | A15 | Available |

Dell recommends customers update to the latest BIOS by downloading the patched releases from .

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

CVE-2015-2890. Note that the researchers first notified Dell of this vulnerability on 8/15/2013.


Lenovo Not Affected

Notified: July 16, 2015 Updated: August 07, 2015

Statement Date: August 05, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc. Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Insyde Software Corporation Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Phoenix Technologies Ltd. Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Toshiba America Information Systems, Inc. Unknown

Notified: July 16, 2015 Updated: July 16, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
| Temporal | 5.3 | E:POC/RL:OF/RC:C |
| Environmental | 7.2 | CDP:MH/TD:H/CR:ND/IR:H/AR:ND |

References

Acknowledgements

Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2890, CVE-2015-3692
Date Public: 2015-07-30
Date First Published:
