Vulnerability Note VU#577140
BIOS implementations fail to properly set UEFI write protections after waking from sleep mode
Original Release date: 30 Jul 2015 | Last revised: 12 Aug 2015
Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):
There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware’s point of view.
Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wake again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitrary reflash.
A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça’s blog disclosure.
A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.
Apply an update
Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.
Vendor Information

Vendor                                      Status        Date Notified  Date Updated
American Megatrends Incorporated (AMI)      Affected      16 Jul 2015    12 Aug 2015
Apple                                       Affected      01 Jun 2015    30 Jul 2015
Dell Computer Corporation, Inc.             Affected      29 Jun 2015    30 Jul 2015
Lenovo                                      Not Affected  16 Jul 2015    07 Aug 2015
AsusTek Computer Inc.                       Unknown       16 Jul 2015    16 Jul 2015
Hewlett-Packard Company                     Unknown       16 Jul 2015    16 Jul 2015
IBM Corporation                             Unknown       16 Jul 2015    16 Jul 2015
Insyde Software Corporation                 Unknown       16 Jul 2015    16 Jul 2015
Intel Corporation                           Unknown       16 Jul 2015    16 Jul 2015
Phoenix Technologies Ltd.                   Unknown       16 Jul 2015    16 Jul 2015
Sony Corporation                            Unknown       16 Jul 2015    16 Jul 2015
Toshiba America Information Systems, Inc.   Unknown       16 Jul 2015    16 Jul 2015
Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.
This document was written by Joel Land.