Bug in UEFI leaving systems vulnerable to unwanted flashes

Security experts discovered that while most modern motherboards support firmware write protection to prevent unwanted BIOS flashes, a vulnerability in a lot of UEFI firmware implementations can accidentally disable this protection. The issue occurs when the system wakes from sleep and fails to turn write-protect back on.

Vulnerable systems may include those from Dell, Lenovo and Apple, as well as systems with motherboards with UEFI implementations from American Megatrends and Phoenix.

The security hole opens when an affected system goes to sleep and then wakes up. Many Intel-based x86 systems use a specific flag stored in a BIOS register that controls write protection. When the bit is turned on, the BIOS is write-protected—but that bit is turned off by default. Every time a PC resets, this register is also reset to the default state, and it's up to the BIOS to set it correctly. When a PC sleeps, the wake process is treated as a hardware reset, so the register resets in turn. Many BIOS implementations don't flip the write-protect bit again, so after a sleep-wake cycle, write protection is disabled.

CERT lists several vendors who may be affected, including Dell, Lenovo, and Apple, and also lists BIOS vendors like American Megatrends and Phoenix, whose BIOS implementations are found in many other systems. Apple and Dell have confirmed that at least some of their systems are affected. In response, Apple has released an EFI security update, and Dell has provided CERT with a list of affected systems. Dell customers should visit the company's support site to get their system's latest BIOS.

Full details The Tech Report