Intel has shipped a BIOS update with a fix for a privilege escalation vulnerability that was used by rootkit researcher Joanna Rutkowska to bluepill the Xen hypervisor.
The vulnerability was discussed by Rutkowska at the Black Hat briefings earlier this month but details on the exploit were withheld until Intel could release its patch.
That patch is now available (you can download a new firmware for your motherboard here) with a severity rating of "important."
According to Intel's advisory, software running administrative (ring 0) privilege can under certain circumstances change code running in System Management Mode.
- A new BIOS update is available for select Intel desktop motherboards to ensure proper configuration settings. This change would prevent a malicious user from modifying software that is run in System Management Mode (SMM). SMM is a privileged operating environment running outside of OS control. Malicious software running in this environment could therefore perform any number of operations. Administrative level privileges are required to exploit this issue. BIOS updates to correct this issue are available for all affected Intel branded motherboards.
In a blog entry following Intel's patch release, Rutkowska warns that an attacker could also use this bug to "directly modify the hypervisor memory, without jumping into the SMM first, just as we did it with our exploit."
- Also, in case of e.g. Linux systems, the Ring 0 access is not strictly required to perform the attack, as it's just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.
Affected Intel motherboards: DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).