Intel Confirms Alder Lake UEFI Code Leak


BIOS hardware code for Intel Alder Lake processors was posted on 4chan

A few days ago, news broke that UEFI code for Intel Alder Lake had been leaked on 4chan, and a copy was later published on GitHub.

Intel did not respond immediately, but it has now confirmed the authenticity of the UEFI and BIOS firmware source code posted by an unknown person on GitHub. In total, 5.8 GB of code, utilities, documentation, blobs, and configurations related to building firmware have been published for systems with processors based on the Alder Lake microarchitecture, released in November 2021.

Intel notes that the files have been in circulation for a few days. The company says the leak does not imply new risks for the security of the chips or of the systems in which they are used, and it calls for people not to be alarmed.

According to Intel, the leak occurred because of a third party and not as a result of a compromise in the company's infrastructure.

“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this will expose any new security vulnerabilities, as we do not rely on information obfuscation as a security measure. This code is covered by our bug bounty program within Project Circuit Breaker, and we encourage any researcher who can identify potential vulnerabilities to bring it to our attention through this program. We are reaching out to both customers and the security research community to keep them informed about this situation.” — Intel spokesperson.

It is not specified who exactly was the source of the leak (for example, OEM equipment manufacturers and companies developing custom firmware had access to the tools used to compile the firmware).

Analysis of the contents of the published archive revealed some tests and services specific to Lenovo products ("Lenovo Feature Tag Test Information", "Lenovo String Service", "Lenovo Secure Suite", "Lenovo Cloud Service"), but Lenovo's involvement in the leak also revealed utilities and libraries from Insyde Software, which develops firmware for OEMs, and the git log contains an email address belonging to an employee of L.C. Future Center, which produces laptops for various OEMs.

According to Intel, the code that became publicly available does not contain sensitive data or components that may contribute to the disclosure of new vulnerabilities. At the same time, Mark Ermolov, who specializes in researching the security of Intel platforms, found in the published archive information about undocumented MSRs (model-specific registers, used for microcode management, tracing, and debugging), information that falls under a non-disclosure agreement.

In addition, a private key used to digitally sign firmware was found in the archive. It could potentially be used to bypass Intel Boot Guard protection (the key has not been confirmed to work; it may be a test key).

It is also mentioned that the code that became publicly available is covered by the Project Circuit Breaker program, which pays rewards ranging from $500 to $100,000 for identifying security problems in Intel firmware and products (it is understood that researchers can receive rewards for reporting vulnerabilities discovered by using the contents of the leak).

"This code is covered by our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researcher who can identify potential vulnerabilities to report them to us through this program," Intel added.

Finally, it is worth mentioning that the most recent change in the published code is dated September 30, 2022, so the released information is up to date.

