[25360] in bugtraq
Re: Intel D845HV/WN/PT series motherboard vulnerability
daemon@ATHENA.MIT.EDU (Dave Oliver)
Fri May 3 15:52:20 2002
Date: 3 May 2002 13:22:37 -0000
Message-ID: <20020503132237.5953.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Dave Oliver <bugtraq@daveo.co.uk>
To: bugtraq@securityfocus.com
In-Reply-To: <20020425131055.15795.qmail@mail.securityfocus.com>
Intel have now released a new BIOS for each of the affected
boards.
Please go to the appropriate URL to download the update:
http://developer.intel.com/design/motherbd/hv/hv_bios.htm
http://developer.intel.com/design/motherbd/bg/bg_bios.htm
http://developer.intel.com/design/motherbd/wn/wn_bios.htm
http://developer.intel.com/design/motherbd/pt/pt_bios.htm
On each of the pages, you will find release notes that
explain the fix implemented.
---Original message---
>Subject: Intel D845HV/WN/PT series motherboard vulnerability
>
>Affected systems:
>
>Intel D845HV / WN (tested on BIOS revisions P05-0022,
>P09-0035, P10-0038)
>and D845PT (tested on BIOS P01-0012) Pentium 4 motherboards
>
>Problem:
>
>If the user hits the F8 key during the POST they are
>presented with a "Please select boot device" dialog,
>enabling them to boot off of any bootable device in the PC
>(FDD, HDD, CDROM, Network, etc).
>
>This dialog is obtainable regardless of whether a Supervisor
>password has been set in the BIOS, and the "User Access
>Level" does not affect the user's ability to boot from an
>alternate device.
>
>This is obviously a concern to any administrator who doesn't
>want users to be able to boot from an alternate device, as
>this could enable different software / OS to be installed,
>it enables boot sector viral infection, and can also give
>the user better access to the PC's file system.
>
>Workaround: (Untested by author on D845PT, tested and
>working on HV / WN)
>
>To stop the user from being able to boot off of alternate
>devices, follow this procedure:
>
>Set a Supervisor password in the BIOS, and set the User
>access level to "No Access"
>
>In the BOOT options, Boot Device Priority, disable
>everything except the Hard Disk (as you normally would).
>
>In the Removable Drives and ATAPI CD-ROM Drives option,
>disable all shown devices. Also disable any other hard
>drives which may be in the PC (other than the one you want
>to boot from).
>
>Save and Exit.
>
>The user can still press F8, and get the boot option
>dialogue with all available devices listed, but regardless
>of which device they select the PC will boot from the hard disk.
>
>Intel are working on a new BIOS release which will
>completely remove (or allow you to disable) the F8 option.
>
>
>Thanks to Intel & Viglen.co.uk for the workaround.
>
>