Friday, March 6th 2020

Researchers Find Unfixable Vulnerability Inside Intel CPUs

Researchers have found another vulnerability inside Intel's Converged Security and Management Engine (CSME). The CSME is a tiny CPU within a CPU that has access to the entire data throughput and is dedicated to the security of the whole SoC. It is something of a black box, because Intel keeps its documentation closed to stop other vendors from copying it. Researchers have nevertheless discovered a flaw in the design of the CSME and are now able to exploit millions of systems based on Intel CPUs manufactured in the last five years.

Discovered by Positive Technologies, the flaw lies inside the read-only memory (ROM) of the CSME. Because the mask ROM is hardcoded in the CPU, the flaw cannot be fixed by a simple firmware update. The researchers from Positive Technologies describe it as such: "Unfortunately, no security system is perfect. Like all security architectures, Intel's had a weakness: the boot ROM, in this case. An early-stage vulnerability in ROM enables control over the reading of the Chipset Key and generation of all other encryption keys. One of these keys is for the Integrity Control Value Blob (ICVB). With this key, attackers can forge the code of any Intel CSME firmware module in a way that authenticity checks cannot detect. This is functionally equivalent to a breach of the private key for the Intel CSME firmware digital signature, but limited to a specific platform."
Every CPU manufactured in the last 5 years is subject to exploit, except the latest 10th generation, Ice Point-based chipsets and SoCs. The only solution for owners of prior-generation CPUs is to upgrade to the latest platform, as a simple firmware update cannot resolve this. The good news, however, is that to exploit a system, an attacker must have physical access to the hardware in question, as remote exploitation is not possible.
Sources: Positive Technologies. Thanks to biffzinker for the tip.
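
A toy model of the key hierarchy in the Positive Technologies quote, added here as an illustration and not taken from Positive Technologies or Intel: it shows why a keyed integrity check stops detecting changes once the platform's chipset key is exposed, and why the result stays limited to that one platform. HMAC-SHA256, the derivation label, and all function names and sample values are assumptions.

```python
import hashlib
import hmac

# Toy model: HMAC-SHA256 and the derivation label are assumptions made for
# illustration, not Intel's actual CSME algorithms or key formats.

def derive_icvb_key(chipset_key: bytes) -> bytes:
    """Derive the integrity-blob key from the per-platform chipset key."""
    return hmac.new(chipset_key, b"ICVB (constructed label)", hashlib.sha256).digest()

def integrity_value(icvb_key: bytes, module: bytes) -> bytes:
    """Keyed integrity control value recorded for one firmware module."""
    return hmac.new(icvb_key, module, hashlib.sha256).digest()

def authenticity_check(chipset_key: bytes, module: bytes, stored: bytes) -> bool:
    """Load-time check: recompute the value and compare in constant time."""
    expected = integrity_value(derive_icvb_key(chipset_key), module)
    return hmac.compare_digest(expected, stored)

def demo() -> dict:
    # Constructed sample keys and module contents.
    key_a = hashlib.sha256(b"platform A chipset key (constructed)").digest()
    key_b = hashlib.sha256(b"platform B chipset key (constructed)").digest()
    genuine = b"vendor firmware module"
    modified = b"modified firmware module"

    stored = integrity_value(derive_icvb_key(key_a), genuine)
    # A change made without the key fails against the recorded value.
    changed_without_key = authenticity_check(key_a, modified, stored)
    # Once platform A's chipset key is exposed, a matching value can be
    # recomputed, so the same check now accepts the changed module.
    recomputed = integrity_value(derive_icvb_key(key_a), modified)
    changed_with_key_on_a = authenticity_check(key_a, modified, recomputed)
    # Platform B derives a different key, so that value fails there.
    same_value_on_b = authenticity_check(key_b, modified, recomputed)
    return {
        "changed_without_key": changed_without_key,
        "changed_with_key_on_a": changed_with_key_on_a,
        "same_value_on_b": same_value_on_b,
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepted={accepted}")
```
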

29 Comments on Researchers Find Unfixable Vulnerability Inside Intel CPUs

#2
spnidel
pretty funny when the reaction to yet another vulnerability from people is the equivalent of yawning
indicative of just how much intel fucked up lol
#3
oldtimenoob
physical access to the hardware is required, so here is an idea.... lock the server room door... (Best firmware update)
#4
comtek
Must have physical access to the hardware?
lol
#5
Dredi
oldtimenoob
physical access to the hardware is required, so here is an idea.... lock the server room door... (Best firmware update)
The article is not correct in this regard. Local access should be enough, as in able to execute some code with raised privileges. So you are safe if you never execute 3rd party code. Time to disable that javascript from your browser.
#6
bonehead123
Hummm...wondering just how long intel has known about this.....probably for quite some time, based on the chip timeline noted in the article ..:mad::mad::mad:

time to lawyer up & get ready for yet anutha giga-mega $$$ hooplahfest against them...
#7
Jeager
Is it sponsored by Intel? I mean: Every CPU manufactured in the last 5 years is subject to exploit, except the latest 10th generation
Marketing move? :peace:
#8
Dave65
OOPS. Sad days @ Intel!
#9
Thefumigator
So... what would be the icon for such vulnerability?
we already got these:

This is important. We need an icon. Period.
#10
windwhirl
Thefumigator
So... what would be the icon for such vulnerability?
we already got these:

This is important. We need an icon. Period.
Not every research team has an artist. Or a marketing subteam lol
#11
john_
Researchers Find Unfixable Vulnerability Inside Intel CPUs
#12
rtwjunkie
PC Gaming Enthusiast
So, much ado about nothing, since physical access is required.
Dredi
Time to disable that javascript from your browser
Is anyone still using that?
#13
TheinsanegamerN
Dredi
The article is not correct in this regard. Local access should be enough, as in able to execute some code with raised privileges. So you are safe if you never execute 3rd party code. Time to disable that javascript from your browser.
Source?

Also, if you are going there, there are tons of other things you can do with raised local privileges. An exploit allowing remote execution of elevated privileges is far worse than this "requires local access" attack is. For general users, the risk is still "0".
#14
Dredi
rtwjunkie
So, much ado about nothing, since physical access is required.


Is anyone still using that?
Read the original article. Physical access is not required. The first proof of concept needed it, but they think that it is possible to work around that limitation.
TheinsanegamerN
Source?

Also, if you are going there, there are tons of other things you can do with raised local privileges. An exploit allowing remote execution of elevated privileges is far worse than this "requires local access" attack is. For general users, the risk is still "0".
Lots of things yes, but things that are virtually undetectable by any means less so.
Also one can argue that the risk is ”0” for almost any and all exploits, as you don’t have anything valuable on your computer anyway.
#15
AnitaYK
Jeager
Is it sponsored by Intel? I mean: Every CPU manufactured in the last 5 years is subject to exploit, except the latest 10th generation
Marketing move? :peace:
THIS
#16
milewski1015
Another day, another Intel security flaw :rolleyes:

Just curious, what would an exploit of this nature allow someone to do?
#17
lexluthermiester
I said this in the other thread about this new one and I'll echo it here;
lexluthermiester
Mitigation is the same as any of the rest of the vulnerabilities relating to Intel ME: disable the hardware, uninstall any relating drivers and software and use a network device not wired (built-on) to the motherboard itself. These steps will completely mitigate the vulnerabilities relating to this new discovery.
This of course is a recommendation for general users at home or professional/business users who have no need of the functions IME provides.
milewski1015
Just curious, what would an exploit of this nature allow someone to do?
Complete access and control of the system in question.
#18
rtwjunkie
PC Gaming Enthusiast
lexluthermiester
I said this in the other thread about this new one and I'll echo it here;

This of course is a recommendation for general users at home or professional/business users who have no need of the functions IME provides.

Complete access and control of the system in question.
So, an add-in NIC card would mitigate it, since it is not built on the motherboard? Or did I misunderstand you?
#19
lexluthermiester
rtwjunkie
So, an add-in NIC card would mitigate it, since it is not built on the motherboard? Or did I misunderstand you?
Yes. The software also has to be removed so the network resources are not dynamically reassigned/reallocated.
#20
CrAsHnBuRnXp
milewski1015
Another day, another Intel security flaw :rolleyes:

Just curious, what would an exploit of this nature allow someone to do?
Watch untraceable pr0n.
lexluthermiester
Complete access and control of the system in question.
Which already is a thing if you're in front of the damn thing.
#21
Dredi
CrAsHnBuRnXp
Watch untraceable pr0n.


Which already is a thing if you're in front of the damn thing.
What a sick burn! Too bad that this allows for things to happen even without physical access.
#22
lexluthermiester
Dredi
Too bad that this allows for things to happen even without physical access.
Nope, reread the documentation. Physical access is required.
CrAsHnBuRnXp
Which already is a thing if you're in front of the damn thing.
True, for the first stage of the attack; once successful, all the rest can be done remotely.
#23
R-T-B
This is actually incredibly useful for those desiring to overwrite the Intel ME with their own firmware.

If only I had the time...
#24
voltage
1: "except the latest 10th generation, Ice Point-based chipsets and SoCs."

2: "remote exploitation is not possible."

That is all that matters to me. Doubtful old AMD platforms are much better.
#25
Cheeseball
Not a Potato
Dredi
What a sick burn! Too bad that this allows for things to happen even without physical access.
Currently, CVE-2019-0090 states that exploiting this requires physical access to the target machine.

They are still exploring how to exploit this through a virtual machine (since they use IOMMUs to map out to the memory), but the exploit needing DMA to get into the Intel CSME makes that difficult without directly connecting to the hardware.