BIOS

Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip's SPI Flash memory —a mandatory component used during the boot-up process [1, 2, 3].

According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware."

Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."

Intel deployed fixes for this vulnerability (CVE-2017-5703) on April 3. The chipset maker says the following CPU series utilize unsafe opcodes that allow local attackers to take advantage of this security bug:

8th generation Intel® Core™ Processors
7th generation Intel® Core™ Processors
6th generation Intel® Core™ Processors
5th generation Intel® Core™ Processors
Intel® Pentium® and Celeron® Processor N3520, N2920, and N28XX
Intel® Atom™ Processor x7-Z8XXX, x5-8XXX Processor Family
Intel® Pentium™ Processor J3710 and N37XX
Intel® Celeron™ Processor J3XXX
Intel® Atom™ x5-E8000 Processor
Intel® Pentium® Processor J4205 and N4200
Intel® Celeron® Processor J3455, J3355, N3350, and N3450
Intel® Atom™ Processor x7-E39XX Processor
Intel® Xeon® Scalable Processors
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Phi™ Processor x200
Intel® Xeon® Processor D Family
Intel® Atom™ Processor C Series

The bug has received a severity score of 7.9 out of 10 on the CVSSv3 scale. Intel said it discovered the issue internally.

"Issue is root-caused, and the mitigation is known and available," the company said in a security advisory. "To Intel’s knowledge, the issue has not been seen externally."

Intel has released updates that PC and motherboard vendors are expected to deploy as firmware patches or BIOS/UEFI updates.

Related Articles:

Microsoft Partners with Intel to Deliver CPU Microcode Fixes via Windows Updates

Intel to Allow Antivirus Engines to Use Integrated GPUs for Malware Scanning

Intel Tells Users to Uninstall Remote Keyboard App Over Unpatched Security Bugs

Here We Go Again: Intel Releases Updated Spectre Patches

Apple May Ditch Intel And Start Using Their Own Chips