Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware

Catalin Cimpanu, writing for BleepingComputer: Intel has addressed a vulnerability in the configuration of several CPU series that allow an attacker to alter the behavior of the chip's SPI Flash memory -- a mandatory component used during the boot-up process [1, 2, 3]. According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware." Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."

Not another..

[fluffernutter]

Not another industry-wide patching, I hope. I can't take another industry-wide patching.

Re:Not another..

[gweihir]

Industry-wide patching it is. And now that security researchers are finally looking at hardware again, expect more of these. For one thing is sure: Intel has been doing an exceptionally bad job the last decade or so, possibly because they believed to have won the game.

Re: Not another..

[bill_mcgonigle]

Don't worry, most of the industry won't bother with patching...

Hey, why am I getting 3 popups blocked on this page?

Where?

Wait, where's the slick marketing name for the vulnerability? Where's the logo? The website?

Re:Where?

SPI vs Spy, obviously. Logo also becomes obvious.

Re:Where?

[Highdude702]

Had I not commented already +1 Insightful O.o

Re:Headline is misleading

It doesn't affect BIOS, just UEFI.

It affects the SPI flash which could be used against either BIOS or UEFI

Applied the Fix

[DaMattster]

It is always hairy when you apply a firmware fix but I am pleased to say that Lenovo's update for the ThinkCentre M70 works just fine. Although, it took a while to apply and power cycled 3 times. At one point I almost said, "Fuck! It bricked."

Re:Applied the Fix

It is always hairy when you apply a firmware fix but I am pleased to say that Lenovo's update for the ThinkCentre M70 works just fine. Although, it took a while to apply and power cycled 3 times. At one point I almost said, "Fuck! It bricked."

Replying as AC but the issue here is actually that the default configuration provided as a reference was insecure. There was no actual flaw, just insecure defaults.

Please bring back BIOS update jumpers

I am tired of having to rely on software security measures that will inevitably not work. Give me a fucking switch to turn off write access in hardware. The IT industry sucks.

Re: Please bring back BIOS update jumpers

[bill_mcgonigle]

Did you know that the audio chips don't really care which is a microphone and which is the speaker, and that either can be reprogrammed to the either? You don't need to bother unplugging your microphone if you're leaving your speakers plugged in. It's all software these days.

Re: Please bring back BIOS update jumpers

Speakers attached to an external amplifier can't be abused as microphones.

dammit...

foiled again.

-some agency

They can't.

They literally (intentionally?) broke the SPI write-lock switch back in the 8 MBit days and instead made it 'write-lock *ONLY IF* hardware sense pin+post-power on software enable are both set.' What does that mean in layman's terms? Glitching power can cause the SPI flash to believe it has been power cycled. Since the write protect requires software intervention to enable and since said write protect function is only normally run at boot time, said glitching can unlock the bios write protect post-boot, allowing arbitrary reflashing after boot. Intel's kludge to fix this was adding write protection into the southbridge/firmware controller hub that blocks read/write access to memory ranges after boot without a properly signed image, only not all their hardware does it properly and there are other ways to get around it (external reflashing on some boards before they started requiring all the signed blobs for everything.) Now, rather than a simple 1 pin to write disable the whole chip, you have 2-3 different possible ways your bios memory range is write protected, none of which may keep hackers or governments from injecting unwanted changes into your SPI flash/bios images for purposes most of us would rather not thing about.

The only solutions to this problem are new hardware or 'shim hardware' that sits between the spi flash chip and the motherboard and relays commands between them, filtering write and erase calls for the specific SPI chip in the system (since for some stupid reason this stuff isn't fully standardized and while most chips can be read with generic commands, write and erase is sometimes non-standard even among the same product designation, but different generations/iterations of part!) Truly a step back from the parallel/lpc flash days.

In other words

[eclectro]

We can now jailbreak the laptop, and install our own open-souce, secure boot rom!

Let's get busy!

Re:In other words

[MrL0G1C]

Yeah it's another one of those terrible flaws that allows you to own your own computer.

So,

we can use this flaw to patch out Intel ME?

Re:So,

[fatblunt]

That's what I was wondering. Is this the same as using Intel's Flash Programming Tool to flash a me_cleaner version of a BIOS without Intel ME?

Found out the hard way by Ubuntu last year

[zdzichu]

The problem was uncovered by Ubuntu last year: https://linux.slashdot.org/sto...
It was so grave they had to pull down released version and patch the workaround.

What about linux users ?

[Kopp]

Is that another flaw that's only patched through their windows updater ?