Intel has recently disclosed a short advisory covering three high-severity CVEs: CVE-2021-0157, CVE-2021-0158, and CVE-2021-0146. The first two are vulnerabilities in the BIOS firmware. An attacker who already has access to the BIOS firmware settings can exploit them to gain higher privileges; the underlying flaws are insufficient control flow management and improper input validation in the firmware settings code. SentinelOne discovered these two CVEs and reported them to Intel.
CVE-2021-0146 was discovered by Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy. Several Intel processor lines allow test or debug logic to be activated at runtime without sufficient protection. These modes are highly privileged and should not be reachable on a production system. An unauthenticated attacker with physical access can use them to obtain elevated privileges on the machine. For example, the attacker could extract the root encryption key used by Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy ID), technologies that underpin the protection of digital content against illegal copying.
That is all that is known for now: Intel has released very few technical details and no proof of concept for these CVEs.
CVEs
CVE ID: CVE-2021-0157
Description: Insufficient control flow management in the BIOS firmware for some Intel(R) Processors may allow privileged users to escalate privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2021-0158
Description: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to enable escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2021-0146
Description: Hardware allows activation of test or debug logic at runtime for some Intel(R) Processors, which may allow an unauthenticated user to enable escalation of privilege via physical access.
CVSS Base Score: 7.1 High
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact
A malicious user could exploit these flaws to escalate privilege, extract encryption keys, and sensitive information from a vulnerable machine.
Affected Products
- CVE-2021-0157 & CVE-2021-0158
- Intel® Xeon® Processor E Family
- Intel® Xeon® Processor E3 v6 Family
- Intel® Xeon® Processor W Family
- 3rd Generation Intel® Xeon® Scalable Processors
- 11th Generation Intel® Core™ Processors
- 10th Generation Intel® Core™ Processors
- 7th Generation Intel® Core™ Processors
- Intel® Core™ X-series Processors
- Intel® Celeron® Processor N Series
- Intel® Pentium® Silver Processor Series
- CVE-2021-0146
- Desktop & Mobile
- Intel Pentium Processor J Series, N Series
- Intel Celeron Processor J Series, N Series
- Intel Atom Processor A Series
- Intel Atom Processor E3900 Series
- Intel Pentium Processor Silver Series / J&N Series
- Intel Pentium Processor Silver Series / J&N Series – Refresh
- Embedded Systems
- Intel Pentium Processor N Series
- Intel Celeron Processor N Series
- Intel Atom Processor E3900 Series
- Intel Atom Processor C3000
These chips are widely used in mobile devices, IoT, embedded systems, home appliances, and other equipment.
Solution
Intel has released firmware fixes for all three CVEs. It is up to motherboard and system vendors to integrate the fix into a BIOS update and push it to their customers. The problem is that many vendors stop providing BIOS updates and security patches long before the hardware goes out of use, so for customers with older boards the bug may never be fixed.
A workaround for CVE-2021-0157 and CVE-2021-0158 is to protect access to the BIOS settings with a strong password: both CVEs require privileged local access (PR:H in the CVSS vector), and the BIOS setup is where that access is exercised. Keep in mind that a setup password only raises the bar; it does not stop an attacker with physical access who can clear the CMOS or write to the SPI flash directly.
For CVE-2021-0146, successful exploitation can be spotted after the fact by SIEM-class systems that correlate logs and flag suspicious behavior. They do not prevent the exploit itself, but they give defenders a chance to detect and contain the attacker before they advance further within the network.