A new vulnerability was discovered in Intel processors and cannot be fixed


Researchers from Positive Technologies have identified a new vulnerability (CVE-2019-0090) that allows an attacker with physical access to the computer to extract the platform root key (the chipset key), which is used as the root of trust in authenticating various platform components, including TPM (Trusted Platform Module) firmware and UEFI.

The vulnerability is caused by an error in the Intel CSME hardware and firmware. The error is located in the boot ROM, which makes it quite serious, since it cannot be fixed in any way.

The CVE-2019-0090 vulnerability affects the Converged Security and Management Engine (CSME) on most Intel CPUs released in the last five years, with 10th-generation parts being the exception.

It is a big problem because the CSME provides the low-level cryptographic checks when the motherboard boots, among other things. It is the first thing that runs when you hit the power switch and the root of trust for everything that follows.

The problem is due to a window that exists while Intel CSME restarts, for example when coming out of sleep mode.

During that window, DMA manipulation can be used to write data to Intel CSME static memory and to modify already-initialized Intel CSME memory page tables in order to intercept execution, extract the platform key and gain control over the generation of encryption keys for Intel CSME modules. Details of the exploit are planned to be released later.

In addition to extracting the key, the error also allows code execution at privilege level zero of the Intel CSME.

Intel noticed the problem about a year ago, and in May 2019 it released firmware updates that, although they cannot change the vulnerable code in the ROM, are reported to be "trying to block possible operational paths at the level of individual Intel CSME modules."

According to Positive Technologies, the fix closes only one exploitation vector. They believe that there are more methods of attack and that some do not require physical access.

"There could be many ways to exploit this vulnerability in ROM, not all require physical access, some only access related to local malware."

According to Mark Ermolov, Senior Hardware and OS Security Specialist at Positive Technologies, due to its location, the flaw is similar to the Checkm8 boot ROM exploit for iOS devices which was revealed in September and is considered a permanent jailbreak.

Among the possible consequences of obtaining the platform root key, the researchers mention forged firmware for Intel CSME components, the compromise of media encryption systems based on Intel CSME, and the possibility of spoofing EPID (Enhanced Privacy ID) to pass one computer off as another in order to bypass DRM protection.

In the event that individual CSME modules are compromised, Intel has provided the ability to regenerate the keys associated with them using the SVN (Security Version Number) mechanism.

If the platform root key is obtained, this mechanism is not effective, because the platform root key is used to generate the key that encrypts the Integrity Control Value Blob (ICVB); obtaining that key, in turn, allows forging the code of any of the Intel CSME firmware modules.
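The difference between losing a module key and losing the root key, as an added example that is not from the article or from Intel: a simplified model in which per-module keys are derived from the root key and the SVN. The HMAC-SHA256 derivation, the key value and the module name are assumptions made for illustration, not Intel's actual scheme.

```python
import hashlib
import hmac

# Constructed sample value standing in for the platform root key.
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MODULE = "example_module"  # hypothetical module name


def derive_module_key(root_key: bytes, module: str, svn: int) -> bytes:
    """Assumed KDF for this model: HMAC-SHA256(root_key, module || SVN)."""
    info = module.encode() + b"|svn=" + svn.to_bytes(4, "big")
    return hmac.new(root_key, info, hashlib.sha256).digest()


def tag(key: bytes, blob: bytes) -> bytes:
    """Integrity tag over a firmware blob under a module key."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def platform_accepts(blob: bytes, blob_tag: bytes, current_svn: int) -> bool:
    """The platform re-derives the key for the current SVN and checks the tag."""
    key = derive_module_key(ROOT_KEY, MODULE, current_svn)
    return hmac.compare_digest(tag(key, blob), blob_tag)


def forgery_accepted_after_rotation(attacker_has_root: bool) -> bool:
    """Vendor bumps SVN 1 -> 2 after a compromise; does a forged blob still pass?"""
    forged = b"tampered firmware module"
    if attacker_has_root:
        # Root key known: the key for any SVN, including the new one, is derivable.
        attacker_key = derive_module_key(ROOT_KEY, MODULE, 2)
    else:
        # Only the old module key leaked: it says nothing about the SVN 2 key.
        attacker_key = derive_module_key(ROOT_KEY, MODULE, 1)
    return platform_accepts(forged, tag(attacker_key, forged), current_svn=2)


if __name__ == "__main__":
    print("module key leaked, SVN bumped ->", forgery_accepted_after_rotation(False))
    print("root key leaked, SVN bumped   ->", forgery_accepted_after_rotation(True))
```

In this model, bumping the SVN invalidates a leaked module key, while a leaked root key makes every future SVN key derivable, which is why the article describes the regeneration mechanism as ineffective in that case.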

This could be the biggest problem Intel has faced: previous problems such as Spectre and Meltdown have been mitigated, but here the fault is in the ROM and, as the researchers mention, it cannot be fixed in any way.

And although Intel is working to "try to block" the possible routes, whatever it does, the flaw itself cannot be fixed.
