The chipmaker rates the error at 7.9 on a scale of up to 10 (CVSSv3). It allows local attackers to delete or damage parts of the firmware – and in extreme cases, execution of arbitrary program code.
Intel has reported a vulnerability in the SPI flash memory of many processor arrays, which offers a variety of attack options to the execution of any program code. The chip manufacturer rates this error with 7.9 on a scale of up to 10 (CVSSv3) and thus relatively high. The vulnerability identified as CVE-2017-5703 was noted internally – and a discovery by outsiders was not known.
SPI Flash is a component that is required for computer startup and serves as memory for the firmware. For the affected chips, the SPI Flash configuration allows “a local attacker to change the behavior of SPI Flash, potentially resulting in a denial of service.” According to Intel, the problem has no root cause and can be resolved with an already available fix.
For this reason, Intel recommends users check the support pages of their system vendors for current security updates. Apparently as the first manufacturer has since Lenovo reacted and started working on many of his computer models BIOS / UEFI updates with the fix provided by Intel earlier this month.
Lenovo also mentions further details about possible attacks that did not emerge from the chip manufacturer’s security warning. Thus, an attacker could exploit the vulnerability to prevent booting a system, changing its operation, or executing arbitrary code during the boot sequence of the system.
“The configuration of the system firmware component (SPI-Flash) could allow an attacker to block BIOS / UEFI updates or selectively erase or corrupt portions of the firmware,” it says. “That would probably lead to a detectable malfunction, but under rare circumstances could allow arbitrary code execution.”
Intel’s security warning carries a considerable number endangered processor types on. The bank affects its core processors from the fifth to the eighth generation. The list also refers to numerous chips from Intel’s product range, which came as Pentium, Celeron, Atom and Xeon in the sale.
It remains unclear, however, as with the Microcode updates for the CPU vulnerabilities Meltdown and Specter, as users come to the Intel-developed updates that it only makes available to its partners such as PC and motherboard manufacturers. However, some of them have signaled early on that they will only provide the updates for a few current products.