Intel Direct Connect Interface Can Be Enabled - us

2017-04-12T00:00:00
ID LENOVO:PS500095-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-04-12T00:00:00

Description

Lenovo Security Advisory: LEN-13640

Potential Impact: Denial of service or accessing of data on a system by an attacker with physical access

Severity: Medium

Scope of Impact: Industry-Wide

CVE Identifier: CVE-2017-5684

Summary Description:

In 2015, starting with the Skylake processor family, Intel introduced a Direct Connect Interface (DCI) which provides access via USB 3.0 ports to a debugging interface used for system development. Concerns have been raised that this interface could allow someone with malicious intent and physical access to a system the ability to create a denial-of-service attack or access data on the system.

A vulnerability has been identified where an attacker with administrative access as well as physical access to a system’s USB port could enable DCI. Intel has released an update that disables this access and this fix has been incorporated in the latest version of Lenovo UEFI BIOS for affected systems.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update your system BIOS by following the readme file at the links below. Think and Lenovo brand notebooks and desktops may also automatically update BIOS with Lenovo System Update.

Product Impact: