VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2015 · Updated May 6, 2026

CVE-2015-5914


Description

The EFI component in Apple OS X before 10.11 allows physically proximate attackers to modify firmware during the EFI update process by inserting an Apple Ethernet Thunderbolt adapter with crafted code in an Option ROM, aka a "Thunderstrike" issue. NOTE: this issue exists because of an incomplete fix for CVE-2014-4498.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Physically proximate attackers can modify the EFI firmware of Apple OS X systems before 10.11 by inserting a Thunderbolt adapter carrying a malicious Option ROM during a firmware update, the so-called Thunderstrike attack.

Vulnerability

The EFI component in Apple OS X before 10.11 allows physically proximate attackers to modify firmware during the EFI update process by inserting an Apple Ethernet Thunderbolt adapter with crafted code in an Option ROM, known as a "Thunderstrike" issue. This vulnerability exists due to an incomplete fix for CVE-2014-4498 [1][2].

Exploitation

An attacker requires physical proximity to the target Mac and must insert a malicious Thunderbolt adapter with crafted Option ROM code during a firmware update. The attacker must also persuade the user to perform a legitimate firmware update while the adapter is connected. On older MacBooks, a downgrade attack to a vulnerable EFI version is possible, bypassing signature checks [2].

Impact

Successful exploitation gives the attacker the ability to rewrite the EFI firmware, enabling persistent code execution at the firmware level. This completely bypasses operating system security controls, allowing the attacker to install a bootkit that can compromise all data and operations on the system [2].

Mitigation

Apple addressed this vulnerability in OS X El Capitan v10.11 [1]. According to the Thunderstrike FAQ, a fix that prevents loading Option ROMs during firmware updates is shipping for newer Macs and should be available for older systems. No workarounds are available besides applying the security update [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
