Tuesday, July 5, 2016

System Management Mode (SMM) BIOS Vulnerability

System Management Mode (SMM) BIOS Vulnerability

Lenovo Security Advisory: LEN-8324

Potential Impact: Execution of code in SMM by an attacker with local administrative access

Severity: High

Scope of Impact: Industry-wide

Lenovo’s Product Security Incident Response Team (PSIRT) is fully aware of the uncoordinated disclosure by an independent researcher of a BIOS vulnerability located in the System Management Mode (SMM) code that impacts certain Lenovo PC devices. Shortly after the researcher stated over social media that he would disclose a BIOS-level vulnerability in Lenovo products, Lenovo PSIRT made several unsuccessful attempts to collaborate with the researcher in advance of his publication of this information.

Since that time, Lenovo has actively undertaken its own investigation, which remains ongoing. At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our Independent BIOS Vendors (IBVs). Independent BIOS vendors (IBVs) are software development firms that specialize in developing the customized BIOS firmware that is loaded into the PCs of original equipment manufacturers, including Lenovo. Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs.

The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.

Lenovo is committed to the security of its products and is working with its IBVs and Intel to develop a fix that eliminates this vulnerability as rapidly as possible. Additional information regarding the fix will be posted as soon as it is available on the Product Security Advisory web site: https://support.lenovo.com/us/en/product_security/home



- wong chee tat :)









No comments: