Lenovo: AMI BIOS SMM vulnerability

Lenovo Security Advisory: LEN-4710
Potential Impact:  Execution of code in SMM by an attacker with administrative access
Severity: Medium
Scope of impact: Industry-wide

Summary Description: System Management Mode (SMM) is the most privileged execution mode of the x86 processor. Software System Management Interrupt (SWSMI) handlers are used by software to call on BIOS functions that reside within the SMM. A vulnerability has been identified in one of the SWSMI handlers in the BIOS code from American Megatrends Inc. (AMI) used on some Lenovo systems. This could allow a malicious attacker with administrative access to execute code in the SMM and bypass some BIOS security mechanisms and install software with bootkit functionality. Mitigation Strategy for Customers (what you should do to protect yourself): Update your BIOS level to the latest version by following the instructions in the readme file. This issue only affects Lenovo products with BIOS firmware from AMI. Brands not listed, such as ThinkPad, do not use AMI firmware and are not affected by this vulnerability. Lenovo thanks Bruno Pujos of Sogeti ESEC R&D for reporting this issue.[…]

More info:




AMI announces UEFI 2.6 and ACPI 6.1 support

AMI announced that their UEFI implementation, Aptio V, supports UEFI 2.6 and ACPI 6.1

American Megatrends Announces Aptio V Compliance with UEFI 2.6 and ACPI v6.1

AMI is proud to announce Aptio® V support and compliance for UEFI 2.6 and ACPI v6.1 specifications. As a leader in the BIOS/UEFI firmware industry and board member in the UEFI community, AMI keeps up with the latest upgrades and specifications to better serve its customers in the technology industry. Aptio® V, AMI’s flagship UEFI firmware, is developed according to UEFI specifications and the added support for UEFI 2.6 and ACPI v6.1 gives manufacturers the ability to enhance select platforms based on the latest UEFI specifications. The newest specifications, announced this past March, keeps up with the increasing expectations of the market, providing OEMs and ODMs greater manageability across various user systems and creating more expansive support for newer platforms and designs. By integrating and expanding support for UEFI 2.6 and ACPI v6.1 on its core UEFI firmware, Aptio V, AMI standardizes operating systems booting and optimizes pre-boot applications for its customers.

Full PR:




AMI providing Redfish-enabled firmware for Intel and Aspeed models

AMI is now offering firmware for both BIOS and BMC on Intel customer reference boards (CRB) for the Intel Xeon® processor D-1500 product family and the 4th generation baseboard management controller (BMC) from Aspeed, the Aspeed AST2300 BMC. AMI has developed generic Redfish BIOS and BMC firmware support and has tested on the next generation AMD silicon. AMI’s BIOS and BMC firmware are highly integrated, allowing data center administrators to simultaneously, remotely and securely manage a number of server platforms out-of-box. Other features include BIOS-level firmware configuration and firmware updating. BMC functionality is based on the open industry standard specification and schema from DMTF’s Redfish™ API with the goal of creating seamless integration into existing tool chains.



Dmytro takes on the Intel NUC

Dmytro Oleksiuk has a new blog post with UEFI security issues with an Intel NUC using AMI Aptio UEFI BIOS.

(Sad to see that Intel appears to not appear to run CHIPSEC as part of release management QA their own NUCs.)

Exploiting AMI Aptio firmware on example of Intel NUC
[…] Today I’m sharing with you the story of my next x86 machine hacking — we’re going to talk about UEFI vulnerabilities, exploit mitigation features of System Management Mode and new exploit called Aptiocalypsis. Also, this time I did responsible disclosure to Intel and AMI, so, at the moment of this publication you already can patch some of vulnerable products.

Lots of interesting things happened since release of ThinkPwn exploit. Firstly I supposed that vulnerable code was written by Lenovo or its Independent BIOS Vendor (IBV), but later it turned out that they’ve taken this totally mad driver from Intel reference code. This exact code is not available in public, but open source firmware of some Intel boards has it too. For example, SmmRuntimeManagementCallback() function from Intel Quark BSP it’s exactly the same vulnerable code that I’ve found in firmware of my T450s. It’s also interesting that vulnerable code is quite old (it comes from EFI 1.x era) but nevertheless, it was never present in EDK2 source from public repository — its version of QuarkSocPkg was heavily modified in comparison with vulnerable one. The horrible and vulnerable by design piece of code was removed by Intel somewhere in the middle of 2014, but it seems that there were no security advisories regarding this issue. Due to this IBVs had no chance to fix this vulnerability in their relatively old code base and the bug appeared in modern computers from Lenovo, Intel, GIGABYTE, Dell, HP, Fujitsu and other OEM’s (oops!).

Well, I guess at this point it’s much or less clear that currently there’s nothing to do with ThinkPad anymore, it was pwned with 0day, it has too awkward code base that follows ancient version of EFI specification and 8 series chipset that is not the freshest stuff you can get. As my next target for firmware security adventures I’ve decided to take some Skylake based machine of well-known vendor who might have a decent firmware that would be interesting to break. Because I like all kinds of small x86 compatible computers, I’ve put my eye on the latest generation of Intel NUC. It also looks interesting because platform vendor knows his hardware better than anyone else, so, from firmware security perspective, Intel NUC is definitely not the worst choice.[…]





New tool: ami_smi_dump.py:
Extract SW SMI handlers information from SMRAM dump of Skylake based AMI Aptio V firmware.

Hmm, WordPress renders Github gist pages to be unviewable. Remove the SPACE character after the TLD in the below URL to make it work. Or click on the links in the Twitter links.

https://gist.github.com  /Cr4sh/db43cc6687e737d982d3d1c56472c6b9