High Severity BIOS Flaws Affect Numerous Intel Processors

Intel has disclosed two high-severity vulnerabilities that affect a wide range of Intel processor families, allowing threat actors and malware to gain higher privilege levels on the device. BleepingComputer reports: The flaws were discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high). The former concerns the insufficient control flow management in the BIOS firmware for some Intel processors, while the latter relies on the improper input validation on the same component. These vulnerabilities could lead to escalation of privilege on the machine, but only if the attacker had physical access to vulnerable devices.

Intel hasn't shared many technical details around these two flaws, but they advise users to patch the vulnerabilities by applying the available BIOS updates. This is particularly problematic because motherboard vendors do not release BIOS updates often and don't support their products with security updates for long. Considering that 7th gen Intel Core processors came out five years ago, it's doubtful that MB vendors are still releasing security BIOS updates for them. As such, some users will be left with no practical way to fix the above flaws. In these cases, we would suggest that you set up a strong password for accessing the BIOS settings. Intel also released a separate advisory for a high-severity elevation of privilege flaw (CVE-2021-0146) that affects several car models that use the Intel Atom E3900. "Intel has released a firmware update to mitigate this flaw, and users will get it through patches supplied by the system manufacturer," the report says.

Blob fixed by a blob

[zoobab]

In a blob universe, a binary blob is fixed by another binary blob.

That would be fun to exploit this one, and reflash the BIOS from a compromised OS, which can reflash the BIOS chip with the flashrom tool.

Intel has not learned from the debacle they had years ago.

Normal they think their binary blobs are not the problem.

Re: Blob fixed by a blob

[Z00L00K]

At least the issue requires physical access by the attacker and that would make it harder to implement for an outside attacker.

If you want to execute it on your own machine it's just your problem, not the problem for anyone else.

Re:

[Aighearach]

Intel: "Just press update and hope you got the right one!"

We're living the future of Trusted Computing.

My desktop has AMD, of course. My laptop I guard physical access with physical security.

"No, check your email at the library. I don't care what time or day they're open!"

Re:

[dfghjk]

"My laptop I guard physical access with physical security."

Who doesn't? You deserve some real tech cred for this?

Re: Blob fixed by a blob

[oldnuskeet]

He seems to mean being a dick and not letting people who live with him check email for example.

Re:

[Aighearach]

People who live with me have their own laptop, and if they didn't they'd use their phone.

Re:

[dfghjk]

As this were some sort of insight. Considering that the a "blob" in this context is software for which you do not have source code, in the "you don't have source code" universe, software for which you do not have source code is fixed by other software for which you don't have source code. Duh.

Also, BIOS is not a "blob" nor is a BIOS update. A "blob" is a binary payload which software loads and executes.

"Intel has not learned from the debacle they had years ago."

Because they are unrelated problems that wou

physical access to the machine

[at10u8]

Last week I did Linux installs onto some new Intel boxes. The BIOS required that I repeatedly use the password to assert that "Yes, I really do want you to boot from the USB media." I already had physical access to the machine, and I could have used the jumpers to reset the BIOS password. I am not seeing why it is quite so important to protect the machine from someone who can disassemble its parts.

Re:

[gweihir]

It is security theater, i.e. trying to give a false impression that everything is well secured to not-so-smart users.

Re:physical access to the machine

[drkshadow]

TPM.

Boot to untrusted media in a trusted manner, read from TPM, decrypt disk.

If you don't allow boot-from-USB without a password but reset the password with jumpers, you break the TPM. No decrypt the disk for you.

Re:

[Aighearach]

I am not seeing why it is quite so important to protect the machine from someone who can disassemble its parts.

It's simple. Somebody told them that you have to compromise between ease of use and security. And they wanted it really secure. So they made it as inconvenient as possible. Done!

Re:

[tlhIngan]

Last week I did Linux installs onto some new Intel boxes. The BIOS required that I repeatedly use the password to assert that "Yes, I really do want you to boot from the USB media." I already had physical access to the machine, and I could have used the jumpers to reset the BIOS password. I am not seeing why it is quite so important to protect the machine from someone who can disassemble its parts.

It may not be simple. The BIOS may need the password to unlock the TPM so the disk encryption key is accessible

Re:

[jabuzz]

Er no I just last month had a machine that is 4 years old fail to boot on a power cut because the CMOS battery was dead and the boot settings where scrambled.

Re:

[Calinous]

The idea is that this kind of attack - _for now_ - is only workable with physical access.
However, this has penetrated one of the security circles that protect the computer.
As such, the security is weaker, and a different hole in another component (like, for example, a remote management module accessible via Ethernet or even WiFi) could allow an attacker to move all the way through.

The problem with this is:
Sometime in the past (2000? 2005?) more than 60% of successful attacks against IT were done by employee

Re:

[SteelCamel]

You could put a lock on the case to stop someone reaching the jumpers - or even lock the whole base unit in a secure enclosure. Plus if there's staff about they would most likely say something about someone dismantling a PC, while plugging in a USB stick and pressing keys are normal things to do while using a computer.

Re:

[thegarbz]

I already had physical access to the machine, and I could have used the jumpers to reset the BIOS password. I am not seeing why it is quite so important to protect the machine from someone who can disassemble its parts.

But can you disassemble its parts? Security is not on or off, it's not black or white. Walking past a keyboard is one thing. Being presented with a password prompt dramatically increases the time it takes for you to do something, and your ability to trigger people around you into questioning your motives.

You can walk passed an unsecured office PC and slip a USB stick in and do something without raising too much suspicion. Now try opening said PC right there at the desk. Not only does it take longer but your

Re:

[dfghjk]

Because the people they sell the computers to cannot disassemble the parts and they can't either.

Having worked in the PC manufacturing industry, I can assure you that very few people in management care about anything other than the checkboxes.

Me running around with a usb stick in a datacenter

[thesjaakspoiler]

trying to stop Skynet from ever launching....

Re:

[3seas]

maybe it'll help if you carry the USB in a Rubiks Cube (re: Snowden)

Re: Me running around with a usb stick in a datace

[Z00L00K]

I'd consider a stick with bleachbit in a facebook data center.

Re:Me running around with a usb stick in a datacen

[Bert64]

You can access the BIOS through a lights out (IPMI) controller too, which most modern servers have by default. It doesn't require physical access.

A lot of people deploy servers without realising the IPMI controller is present. They don't configure it, don't patch it, don't change the default passwords etc. Under certain circumstances it might be accessible but the operator of the server is unaware of it.

It's just not that hard to patch.

[jddj]

Just download the image and write it to a floppy, then boot from that.

Oh.

Re:

[sinij]

I just finished building X570 based PC. The technology moved on a lot since bad old day having to do what you describe, you can now access file system from within BIOS and/or mount new devices. Patching BIOS is not at all hard in 2021.

Re: It's just not that hard to patch.

[Z00L00K]

On some machines it's true, on other it's harder than the floppy when the bios update requires windows to be installed. And you run a vmware host os or linux.

Your mileage may vary.

Re: It's just not that hard to patch.

[jddj]

Since we have a few ancient mobos around that we limp along forever, I've had to do the floppy dance at least once since since COVID-19 started.

But I'm well aware a lot has changed. I'll have to start marking jokes with a hashtag...

Re: It's just not that hard to patch.

[Malays2 bowman]

TRACK 0 BAD - DISK UNUSEABLE

I hope you had a few freshly formated cloned floppies, just incase.

Re:

[sinij]

Well, I did also purge my stash of old cables and threw away all ribbon IDE cables, including floppy ones. I hope to never see that **** again, by modern standards usability was awful.

Re:

[Aighearach]

Newegg has USB floppy drives for under $20.

Re:

[Chaset]

The trick is getting good quality floppy disks. It seems all of the "good" manufacturers of the disks dropped out of the market ages ago. Some of the names on the labels may be the same, but they're all cheap junk cranked out at the lowest cost possible that maybe works once or twice before crapping out.

Re:

[Aighearach]

I guess you should spend more time hunting yard sales for vintage disks then!

Where is the BIOS?

[3seas]

reading the above summary I get the impression it's now in the intel processors.
if this is the case maybe they need to move it to the GPU and let the AI running on the GPU fix it. Isn't AI supposed to fix everything?

On a serious note, I have noticed an increase in tech fails over the years. and even the following (next) article on slashdot is about some DDR4 memory issue (haven't read it yet.)

Re:

[gweihir]

Some core components of the BIOS, like firmware and some drivers drivers comes from the CPU maker.

Re:

[account_deleted]

Comment removed based on user account deletion

Intel crap again

[gweihir]

The only Intel systems I have is two laptops from employers. I did throw out their substandard expensive crap in favor of AMD about a decade ago.

Some older motherboards may well fix this bug

[eric31415927]

I have a 7th gen chip plugging away in a FreeNAS box. The MB manufacturer (ASUS) has a beta BIOS upgrade to allow the MB to work nicely with Windows 11. I expect the final BIOS upgrade will incorporate a fix for this escalation. [In case you're interested - the MB is a B250 mining expert, which spent one year trying to mine before being repurposed.]

In these cases

[Aighearach]

Bleepers recommend to set a strong password.

I recommend to recycle the thing and buy AMD.

so glad I left

[smash]

AMD on the desktop, Apple Silicon on the laptop...

Re:

[Carewolf]

Apple silicon are the only CPUs proven to be just as buggy and insecure as Intel. If you want to avoid Intel for security concerns Apple is the last place you want to go.

Has anyone figured out...

[slashdot_commentator]

Why 7th, 10th, & 11th generation Intel CPUs are vulnerable, but not 8th & 9th gen Intel CPUs? (Those don't appear to be listed.)

These make great research systems.

[Goatbot]

I love finding systems such as this that allow you to perform side channel attacks. Systems similar to this have been extremely valuable in cracking many protection systems.