cancel
Showing results for 
Search instead for 
Did you mean: 

General Discussions

Intel CSME bug is worse than previously thought Researchers say a full patch requires replacing hardware. Only the latest Intel 10th generation CPUs are not affected.

From ZDNET: https://www.zdnet.com/article/intel-csme-bug-is-worse-than-previously-thought/?ftag=TRE-03-10aaa6b&b... 

Catalin Cimpanu

By Catalin Cimpanu for Zero Day | March 5, 2020 -- 14:00 GMT (06:00 PST) | Topic: Security

Intel CPU

Security researchers say that a bug in one of Intel's CPU technologies that was patched last year is actually much worse than previously thought.

"Most Intel chipsets released in the last five years contain the vulnerability in question," said Positive Technologies in a report published today.

Attacks are impossible to detect, and a firmware patch only partially fixes the problem.

To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said.


Bug impacts Intel CSME

The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).

The CSME is a security feature that's included with all recent Intel CPUs. It is considered a "cryptographic basis" for all other Intel technologies and firmware running on Intel-based platforms.

According to Mark Ermolov, Lead Specialist of OS and Hardware Security at Positive Technologies, the CSME is one of the first systems that start running and is responsible for cryptographically verifying and authenticating all firmware loaded on Intel-based computers.

For example, the CSME is responsible for loading and verifying UEFI BIOS firmware and the firmware for the PMC (Power Management Controller), the component that manages a chipset's power supply.

The CSME is also "the cryptographic basis" for other Intel technologies like Intel EPID (Enhanced Privacy ID), Intel Identity Protection, any DRM (Digital Rights Management) technologies, or firmware-based TPMs (Trusted Platform Modules).

In other words, the CSME is, basically, a "root of trust" for every other technology running on Intel chipsets.


Worse than previously thought

In May 2019, with the release of the Intel-SA-00213 security update, Intel patched a bug in Intel CPUs that impacted this root of trust -- the CSME.

At the time, the CVE-2019-0090 vulnerability was only described as a firmware bug that allowed an attacker with physical access to the CPU to escalate privileges and execute code from within the CSME. Other Intel technologies, like Intel TXE (Trusted Execution Engine) and SPS (Server Platform Services), were also listed as impacted.

But in new research published today, Ermolov says the bug can be exploited to recover the Chipset Key, which is the root cryptographic key that can grant an attacker access to everything on a device.

Furthermore, Ermolov says that this bug can also be exploited via "local access" -- by malware on a device, and not necessarily by having physical access to a system. The malware will need to have OS-level (root privileges) or BIOS-level code execution access, but this type of malware has been seen before and is likely not a hurdle for determined and skilled attackers that are smart enough to know to target the CSME.

The vulnerability happens, according to Ermolov, because the CSME firmware is left unprotected on the boot ROM during early booting. The Chipset Key can be extracted via various methods during this short interval, the researcher said.

"Applying the patch for SA-00213 prevents the ISH (Integrated Sensors Hub) exploitation vector, but doesn't fix the bug in CSME boot ROM," Ermolov told ZDNet in an email, explaining that the Intel firmware patch fixes only some of the problem.

Fully patching this attack vector will require replacing the CPU, the Positive Technology researchers said.


Jailbreaking CPUs to bypass DRM?

But while this vulnerability could be used for offensive purposes, like extracting a server's Chipset Key in order to decrypt traffic and other data, there's also another "niche" to which the bug might sound quite attractive.

Ermolov points out that the bug can also be used by users on their own computers for bypassing DRM protections and access copyright-protected content.

The researcher plans to release a white paper with more technical details later this spring, at which time, members of the online piracy community will most likely take an interest in this bug as well.

Contacted for comment, Intel reaffirmed that the bug can only be exploited via physical access and urged users to apply the May 2019 updates.

"Unfortunately, no security system is perfect," Positive Technologies said.

12 Replies

You have to wonder when a class action lawsuit is going to happen over these issues. In our business we are still running a lot of core 2 processors and they were still fine for Office work. However some of the mitigations already put in place to fix security flaws had already impacted performance. Now being told you are going to have to replace in reality 100% of you organizations devices is just crazy. 

Sure is a good reason to look to AMD for those new computers. Not saying they can't have their issues too but boy they sure have not had the issues than Intel has had, plus it certainly seems Intel knew the possibilities on may of these issues too and went the cheap route. 

0 Likes

Maybe Intel will give a discount to certain sized businesses to switch to a unaffected Intel processors. But I seriously doubt that will happen unless as you mentioned a Class Action lawsuit is filed against Intel.

Good chance of AMD to take advantage and maybe offer special prices on replacing affected Intel processors with AMD processors or computers.

Either way is a lose-lose situation for businesses with many Intel computers.

0 Likes

It would be a great PR move to offer a discount or rebate for Intel CPU owners by AMD if they buy a new AMD system.  I could see companies like Dell an HP getting on board with move like that. The likely behind the scenes backlash by Intel though would be brutal. 

I am just glad that so far AMD seems to be mostly unscathed by these issues. 

0 Likes
bearcat22
Miniboss

Other than lab results has anybody ever heard of a system that's been hacked by this method? And if there's been no real world exploitation I'd like to know why. Something isn't right about this whole situation. But I can see a bunch of companies making a ton of money over it. 

0 Likes

I was thinking the same thing. Need to wait until other Security firms can test and verify the bug found by Positive Technology.

But if found to be true and verifiable than companies that have Intel computers with sensitive data, no matter how remote of a chance of being hacked, will be vulnerable.

0 Likes

With a home computer I would say the use of a compromised chip is negligible. The problem in the corporate world is the term "due diligence". A company responsible for sensitive data has to show that they have done a reasonable job thwarting a potential malware attack. This has already had precedent setting cases in court. So continued use of a processor that ends up getting breached would likely greatly increase any jury award against a company that compromised data. It would also give insurance companies normally on the hook for covering damages and escape clause. So while expensive to fix it is still cheaper than what the theoretical damages could be. 

0 Likes

Interesting, Good explanation. So does "due diligence" come into affect on a possible security issue that hasn't be verified by other sources yet or an security issue that has be verified by several sources?

0 Likes

As far as I know there is no major checklist anywhere to make sure you cover your bases. However IT professionals are expected to stay on top of current trends, both malware itself and the protection against it. Our company for instance is audited by a 3rd party yearly for its IT planning, security and implementation. They specifically look at what security you are using and that is it up to date, how you are handling patch management etc... The new thing last year was the inclusion of specifically asking about hardware and bios and firmware patching. This is an area in the past that is hugely overlooked. It is also an area that I have done a good job of realizing the potential for intrusion. I have made sure to the best of my ability that hardware drivers and firmware are up to date as these are huge areas where intrusion begins.  These type of audits are often required by insurance and or lending institutions that financially back your business. 

I would say that in the case of an unknown security breach happening due to an unpublished or never before exploited hack being a sole reason for insurance being able to deny a claim unlikely. However if you couple that with for instance a router that is outdated and unsupported and having Windows 7 machines on your network and having unpatched work stations, combined with not having you infrastructure properly locked down. Then you have not done due diligence and you have given everyone all the ammunition needed to sue you and not cover your losses. 

I go to a major tech summit every May in my town and the past 4 years this has been the biggest topic at these meeting.

Last summer I put in a new Sonic Wall that has much better security than my older Cisco Small Business router that was announced as end of life and would be getting no more updates. So say for instance this summer we get hacked. I can show that I put in place a new better and supported router. I can show that all my servers and workstations are running currently supported OS's and have all critical patches installed. I can show they are running security software that is up to date and that can be a simple as Windows Defender.  I have a couple of Widows 7 machines that run proprietary equipment that it is impossible to update, however on those machines I have blocked access from them using the internet and document when it was done. That is an example of doing "due diligence".

The problem is that while I can't really prove what I am saying, my best guess is that likely half of all small business are not doing even a minimal job of securing IT infrastructure and their customers data. 

One of the comments made at the Tech Summit a couple years ago though made me really reflect on just how trivial all you do to protect you environment really is. The speaker was commenting on how the really good high level hackers, like government level or corporate sponsored could have software running and you would never know it. The best malware doesn't bog down you machine or make itself known in any way. It just silently does its job and you hope that eventually your malware detection software will catch it. 

Seems like the new vulnerabilities found on AMD processors can be patched either through Hardware or software or both. It mentions that AMD doesn't have a fix yet.

Whereas, The Intel bug in the article, you need to physically replace the processor for a 10th generation Intel to fix it.  That is if the Intel bug can be validated by other security sources.

If the Intel bug is validated than it is a big difference between AMD bugs which seems to be fixable with a patch and Intel which isn't fixable even with a patch. The only fix for the newly discovered Intel bug, if true, is replacing the processor with a 10th generation Intel processor.

0 Likes

Another day, another vulnerability, and this one affects 10th generation Intel chips even with existing Meltdown-type fixes. Intel's response is that it's so difficult to take advantage of that it's not going to be, and that's likely true.

https://www.tomshardware.com/news/load-value-injection-vulnerability-found-in-intel-chips

A discrete TPM chip, like my Lenovo laptops have, can provide secure boot. The intel management can be disabled outright eliminating problems.

A TPM for my MSI motherboards is about 40 peso which is one solution. The BIOS is not as rich as I need for security issues but then again MSI is not Lenovo which is the corporate choice.

0 Likes