Intel has addressed a vulnerability in the configuration of several CPU series that allows an attacker to alter the behavior of the chip's SPI Flash memory, a mandatory component used during the boot-up process [1, 2, 3].

According to Lenovo, which recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware."

Lenovo engineers say "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution."

Intel deployed fixes for this vulnerability (CVE-2017-5703) on April 3. The chipset maker says the following CPU series utilize unsafe opcodes that allow local attackers to take advantage of this security bug:

8th generation Intel® Core™ Processors

7th generation Intel® Core™ Processors

6th generation Intel® Core™ Processors

5th generation Intel® Core™ Processors

Intel® Pentium® and Celeron® Processor N3520, N2920, and N28XX

Intel® Atom™ Processor x7-Z8XXX, x5-8XXX Processor Family

Intel® Pentium™ Processor J3710 and N37XX

Intel® Celeron™ Processor J3XXX

Intel® Atom™ x5-E8000 Processor

Intel® Pentium® Processor J4205 and N4200

Intel® Celeron® Processor J3455, J3355, N3350, and N3450

Intel® Atom™ Processor x7-E39XX Processor

Intel® Xeon® Scalable Processors

Intel® Xeon® Processor E3 v6 Family

Intel® Xeon® Processor E3 v5 Family

Intel® Xeon® Processor E7 v4 Family

Intel® Xeon® Processor E7 v3 Family

Intel® Xeon® Processor E7 v2 Family

Intel® Xeon® Phi™ Processor x200

Intel® Xeon® Processor D Family

Intel® Atom™ Processor C Series

The bug has received a severity score of 7.9 out of 10 on the CVSSv3 scale. Intel said it discovered the issue internally.

"Issue is root-caused, and the mitigation is known and available," the company said in a security advisory. "To Intel’s knowledge, the issue has not been seen externally."

Intel has released updates that PC and motherboard vendors are expected to deploy as firmware patches or BIOS/UEFI updates.