Lenovo recently deployed the Intel fixes and wrote in its bog that the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware.
Most of the time you would get a visible malfunction, but the bug "could in rare circumstances result in arbitrary code execution".
Intel deployed fixes for this vulnerability (CVE-2017-5703) on April 3. The chipset maker says the following CPU series utilize unsafe opcodes that allow local attackers to take advantage of this security bug:
8th generation Intel Core Processors
7th generation Intel Core Processors
6th generation Intel Core Processors
5th generation Intel Core Processors
Intel Pentium and Celeron Processor N3520, N2920, and N28XX
Intel Atom Processor x7-Z8XXX, x5-8XXX Processor Family
Intel Pentium Processor J3710 and N37XX
Intel Celeron Processor J3XXX
Intel Atom x5-E8000 Processor
Intel Pentium Processor J4205 and N4200
Intel Celeron Processor J3455, J3355, N3350, and N3450
Intel Atom Processor x7-E39XX Processor
Intel Xeon Scalable Processors
Intel Xeon Processor E3 v6 Family
Intel Xeon Processor E3 v5 Family
Intel Xeon Processor E7 v4 Family
Intel Xeon Processor E7 v3 Family
Intel Xeon Processor E7 v2 Family
Intel Xeon Phi Processor x200
Intel Xeon Processor D Family
Intel Atom Processor C Series
The bug has received a severity score of 7.9 out of 10 on the CVSSv3 scale. Intel said it discovered the bug all by itself and it didn't need any hackers to point out the error of its ways. That might explain why it was kept secret for so long..
The problem is root-caused, and the mitigation is known and available, the company said in a security advisory. "To Intel’s knowledge, the bug has not been seen externally. Intel has released updates that PC and motherboard vendors are expected to deploy as firmware patches or BIOS/UEFI updates."