BIOS

Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip's SPI Flash memory —a mandatory component used during the boot-up process [1, 2, 3].

According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware."

Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."

Intel deployed fixes for this vulnerability (CVE-2017-5703) on April 3. The chipset maker says the following CPU series utilize unsafe opcodes that allow local attackers to take advantage of this security bug:

8th generation Intel® Core™ Processors
7th generation Intel® Core™ Processors
6th generation Intel® Core™ Processors
5th generation Intel® Core™ Processors
Intel® Pentium® and Celeron® Processor N3520, N2920, and N28XX
Intel® Atom™ Processor x7-Z8XXX, x5-8XXX Processor Family
Intel® Pentium™ Processor J3710 and N37XX
Intel® Celeron™ Processor J3XXX
Intel® Atom™ x5-E8000 Processor
Intel® Pentium® Processor J4205 and N4200
Intel® Celeron® Processor J3455, J3355, N3350, and N3450
Intel® Atom™ Processor x7-E39XX Processor
Intel® Xeon® Scalable Processors
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Phi™ Processor x200
Intel® Xeon® Processor D Family
Intel® Atom™ Processor C Series

The bug has received a severity score of 7.9 out of 10 on the CVSSv3 scale. Intel said it discovered the issue internally.

"Issue is root-caused, and the mitigation is known and available," the company said in a security advisory. "To Intel’s knowledge, the issue has not been seen externally."

Intel has released updates that PC and motherboard vendors are expected to deploy as firmware patches or BIOS/UEFI updates.

Related Articles:

The Intel Microcode Boot Loader Protects Older CPUs From Spectre

New PortSmash Hyper-Threading CPU Vuln Can Steal Decryption Keys

Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs

WordPress Security Patch Addresses Privacy Leak Bug

Microsoft December 2018 Patch Tuesday Fixes Actively Used Zero-Day Vulnerability