CVE-2020-0591 Overview
CVE-2020-0591 is a firmware vulnerability affecting BIOS firmware for a broad range of Intel processors. The flaw stems from improper buffer restrictions in the BIOS firmware. A locally authenticated user with high privileges can leverage this weakness to escalate privileges on the affected system. The vulnerability impacts Intel Xeon Scalable, Xeon W, Xeon D, and Core X-series processors, as well as Siemens SIMATIC CPU 1518-4 and 1518F-4 industrial controllers that incorporate the affected Intel platforms. Exploitation requires local access and elevated privileges, limiting remote attack scenarios. Intel addressed the issue in security advisory INTEL-SA-00358.
Critical Impact
A privileged local user can exploit improper buffer restrictions in affected Intel BIOS firmware to escalate privileges, compromising the confidentiality, integrity, and availability of the host platform.
Affected Products
- Intel Xeon Scalable processors (Bronze, Silver, Gold, Platinum families) and Intel Xeon W, Xeon D, and Core X-series processors running affected BIOS firmware
- Siemens SIMATIC CPU 1518-4 and CPU 1518F-4 PLC firmware
- NetApp products incorporating affected Intel platforms (per NetApp advisory NTAP-20201113-0001)
Discovery Timeline
- 2020-11-12 - CVE-2020-0591 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0591
Vulnerability Analysis
The vulnerability resides in the BIOS firmware shipped with multiple generations of Intel server, workstation, and high-end desktop processors. Improper buffer restrictions in firmware code paths allow a privileged process to write or read outside intended memory boundaries during BIOS-mediated operations. Because BIOS firmware executes with the highest hardware privilege levels, including System Management Mode (SMM), a successful exploit grants the attacker control beyond what the operating system can constrain. The flaw is local in nature and requires that the attacker already hold administrative or root-level privileges on the host. Successful exploitation can lead to persistent code execution below the operating system, enabling tampering with platform firmware, undermining secure boot, and surviving OS reinstallation.
Root Cause
The root cause is insufficient validation of buffer sizes or indices within BIOS firmware routines provided by Intel reference code. Without strict boundary enforcement, attacker-controlled inputs reaching these routines can cause out-of-bounds memory access. NVD categorizes the weakness as NVD-CWE-noinfo because Intel did not publish a specific CWE classification in the advisory.
Attack Vector
Exploitation requires local access and high privileges on a vulnerable system. An attacker with administrator or root permissions can invoke the affected BIOS interfaces, typically through SMM communication buffers, UEFI runtime services, or vendor-specific firmware interfaces, to trigger the buffer mishandling. No user interaction is required, and the attack remains confined to the local platform. The impact extends across confidentiality, integrity, and availability of the firmware layer.
No verified public proof-of-concept code is available for this issue. Refer to the Intel Security Advisory SA-00358 for vendor technical details.
Detection Methods for CVE-2020-0591
Indicators of Compromise
- Unexpected BIOS or UEFI firmware version changes that do not align with authorized maintenance windows.
- Unsigned or unrecognized SMM modules surfaced by firmware integrity tools such as CHIPSEC.
- Platform measurements in the TPM event log diverging from known-good baselines after a reboot.
Detection Strategies
- Inventory firmware versions across affected Intel processor families and compare them against the patched versions listed in INTEL-SA-00358.
- Run firmware assessment tooling such as Intel-provided detection utilities or CHIPSEC to identify systems still running vulnerable BIOS images.
- Correlate privileged process activity with BIOS update or SMI handler invocations in endpoint telemetry to identify abnormal firmware interactions.
Monitoring Recommendations
- Monitor administrative actions that touch firmware update interfaces, flashrom, vendor flashing utilities, or UEFI variable writes.
- Alert on changes to UEFI Secure Boot configuration, boot order, or platform configuration variables.
- Track TPM PCR values and Measured Boot logs for unexpected drift indicating firmware tampering.
How to Mitigate CVE-2020-0591
Immediate Actions Required
- Apply the BIOS firmware updates referenced in Intel Security Advisory SA-00358 from the system or motherboard vendor.
- For Siemens SIMATIC CPU 1518-4 and 1518F-4 controllers, apply the updates described in Siemens Security Advisory SSA-501073.
- For affected NetApp platforms, follow the remediation steps in NetApp Security Advisory NTAP-20201113-0001.
- Restrict administrative and root access on affected systems to reduce the population of users who could trigger the vulnerability.
Patch Information
Intel released updated BIOS firmware addressing CVE-2020-0591 as part of INTEL-SA-00358. System integrators including Siemens and NetApp issued downstream advisories with platform-specific firmware versions. Patches must be obtained from the original equipment manufacturer for each affected platform, since BIOS updates are not delivered directly by Intel.
Workarounds
- Enforce least privilege on the host so that fewer accounts hold the elevated rights required for local exploitation.
- Enable and verify UEFI Secure Boot, BIOS write protection, and BIOS administrator passwords on managed systems.
- Segment industrial control systems such as Siemens SIMATIC PLCs from general IT networks until firmware updates are applied.
# Example: enumerate BIOS version on Linux to validate patch status
sudo dmidecode -s bios-version
sudo dmidecode -s bios-release-date
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
