CVE-2022-0004 The debug modes and INIT setting for Intel processors can be abused to escalate privilege.

While this may only be possible under specific circumstances, such as system rebuilds, it may be possible to enable Intel(R) Boot Guard or Intel(R) TXT if physical access to the system can be obtained. Additionally, an attacker may be able to compromise a system via a remote connection to turn on Intel(R) Boot Guard or Intel(R) TXT. Due to the potential impact, Intel is releasing details on how to turn on and disable Intel(R) Boot Guard and Intel(R) TXT.

How to Turn On Intel(R) Boot Guard or Intel(R) TXT

**Intel(R) Boot Guard or Intel(R) TXT can be enabled on a system with physical access to the system.**
1. Power off the system and remove power from the device.
2. Enter BIOS and change the boot order to boot from an external device, such as a USB or CD-ROM drive, before booting your operating system.
3. Re-enable BIOS settings and restart the system.

What is Intel(R) Boot Guard?

Intel(R) Boot Guard is a feature that protects the boot process on x86 and Intel Itanium-based processors. In Intel(R) Boot Guard, an encrypted code that can only be decrypted by a key known only to the system's firmware is loaded into memory at boot. If any unauthorized access to the system's firmware occurs, it will trigger an immediate abort of the system's boot process, leading to a denial-of-service condition.

How to Turn on Intel(R) Boot Guard or Intel(R) TXT

To turn on Intel(R) Boot Guard or Intel(R) TXT, you must have physical access to the system. To enable Intel(R) Boot Guard or Intel(R) TXT, perform the following steps:
1. If you are in a BIOS configuration utility and not in a boot menu, enter the following command:
2. If you are in a boot menu (for example, after power-on), enter one of the following commands:
3. Reboot your system and enter one of the following commands at the prompt:
4. For systems without an UEFI 2.5+ compliant firmware such as those with older versions of EFISTUB/EFI bootloader/BIOS, see "How to Enable UEFI 2.5+ Compatible Firmware for Systems Without UEFI 2.5+ Compatible Firmware" for instructions on enabling this feature on older systems without UEFI 2.5+ compatibility support for firmware updates.

Timeline

Published on: 05/12/2022 17:15:00 UTC
Last modified on: 06/10/2022 20:52:00 UTC

References

• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00613.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0004