Intel SPI flash flaw could enable hackers to delete computer bios

News by Rene Millman

Vulnerability could leave users with bricked systems. Intel has fixed a flaw that could prevent a system from booting, to cause it to operate in an unusual way, or execute arbitrary code during the system boot sequence.

Intel has fixed a flaw that could prevent a system from booting, to cause it to operate in an unusual way, or execute arbitrary code during the system boot sequence. 

The problem, according to an advisory published by Intel,  allows a local attacker to alter the behaviour of the SPI Flash, potentially leading to a denial of service.

According to Lenovo, ”the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware."

It added that "this would most likely result in a visible malfunction but could in rare circumstances result in arbitrary code execution." Lenovo has recently rolled out a fix in the last few days for a large number of products in its range of computers.

Intel published fixes for the flaw (CVE-2017-5703), earlier this month. The bug affects the platforms of several Intel processors, including fifth to eighth generation Intel Core processors, Pentium, Celeron, Atom, and Xeon chips. The flaw as a severity score of 7.9 out of 10 on the CVSSv3 scale.

"Issue is root-caused, and the mitigation is known and available," Intel said in an advisory "To Intel's knowledge, the issue has not been seen externally."

Paul Ducklin, senior technologist at Sophos, told SC Media UK that the bad news with this bug is that the solution is a bit like fixing holes in Android - the owner of the technology has identified the problem and knows how to patch it, but the actual repair for each device depends on a combination of follow-up activity by the device manufacturer, the supplier, and perhaps others. 

“In other words, you can't just head to Intel and download a one-size-fits-all fix, any more than you can patch the latest Android bug by downloading the open source parts of Google's Android,” he said. “The good news is that Intel itself found and researched the problem, and there is no evidence that any crooks have yet figured it out. So watch for updates from your device vendor or supplier and apply any patches as soon as you can.”

At present, no attacks have been seen, but users have been advised to check the websites of their hardware manufacturers for new security updates and to install any patches quickly.

Luke Somerville, head of Special Investigations at Forcepoint, told SC Media UK that  it's important to note that this particular vulnerability – CVE-2017-5703 – is a denial of service vulnerability. “These are naturally of great concern to businesses and governments which operate any number of critical systems, but the utility of this sort of exploit within a broader scope is likely limited. While malware which is destructive for the sake of it does exist, most non-targeted malware is going to be looking to steal or ransom data on the system as opposed to simply render the system inoperable,” he said.

The new flaw comes weeks after the Spectre and Meltdown bugs affecting Intel chips, although these appear to be a separate issue. Earlier this year, SC Media UK reported that an issue with Intel AMT enabled hackers to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews