A little over a month ago, we reported on a speculative execution vulnerability found in Intel CPUs, adding to the growing list of similar vulnerabilities. Yesterday, however, a team of security researchers revealed a different kind of vulnerability in Intel platforms: Positive Technologies published a blog post detailing a flaw in the firmware of Intel's Converged Security and Management Engine (CSME).
Intel CSME is the cryptographic root for hardware security technologies developed by Intel and used throughout the platform, including DRM, the firmware TPM (fTPM), and Intel Identity Protection Technology.
The flaw sits in the CSME boot ROM. That code is mask-programmed into the chipset at manufacture, so unlike the speculative execution vulnerabilities, which can be mitigated with microcode and operating-system updates, it cannot be patched in existing hardware. According to the blog post, when Positive Technologies reached out to Intel to report the vulnerability, they found that Intel already knew about it and was attempting to address it. The vulnerability was registered last year in the Common Vulnerabilities and Exposures system as CVE-2019-0090 (Intel advisory INTEL-SA-00213) and carries a CVSS score of 7.1 (High).
Intel understands that it cannot fix the ROM of hardware that has already shipped, so it is instead trying to block every possible exploitation vector. The patch issued for CVE-2019-0090 addresses only one of them, a path through the Integrated Sensor Hub (ISH). Positive Technologies believes there may be many other ways to exploit the ROM flaw; some would require local access, others physical access.
The vulnerability affects all Intel chipsets and SoCs currently available, with the exception of Ice Point, the chipset for 10th-generation (Ice Lake) parts. In practice that covers essentially every device with an Intel CPU manufactured in the last five years.
By exploiting CVE-2019-0090, a local attacker could extract the chipset key stored on the Platform Controller Hub (PCH) and gain access to any data encrypted with it. Worse still, extracting the key leaves no trace, so such a breach cannot be detected. With the chipset key, attackers can decrypt data stored on the target computer and even forge its Enhanced Privacy ID (EPID) attestation, that is, pass off an attacker's computer as the victim's. EPID is used in DRM, financial transactions, and attestation of IoT devices.
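To make the impact described above concrete, here is a small model of a key hierarchy whose root is a chipset key burned into the hardware: every platform secret is sealed under a key derived from that root, and the attestation key is one of those secrets. This is an added example, not Intel's CSME code and not material from the Positive Technologies post. The key hierarchy, the HKDF derivation labels, the HMAC-based counter-mode cipher and the HMAC stand-in for an EPID signature are all assumptions chosen for illustration, and every key and data value is constructed.

```python
"""Toy key hierarchy rooted in a hardcoded chipset key (illustration only)."""
import hashlib
import hmac

# Constructed, deterministic sample values. Not real keys.
CHIPSET_ROOT_KEY = hashlib.sha256(b"constructed chipset root key").digest()
EPID_PRIVATE_KEY = hashlib.sha256(b"constructed EPID private key").digest()
USER_SECRET = b"volume key sealed by the platform on behalf of the OS"


def hkdf_expand(root_key: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: a purpose-specific key from the root."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(root_key, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def prf_ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream (toy; firmware would use AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def seal(root_key: bytes, label: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the key derived from root_key for this label."""
    k = hkdf_expand(root_key, label)
    ct = prf_ctr_crypt(k, nonce, plaintext)
    tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(root_key: bytes, label: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError if the derived key does not match."""
    k = hkdf_expand(root_key, label)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong root key or label")
    return prf_ctr_crypt(k, nonce, ct)


def platform_store(root_key: bytes, fw_version: str) -> dict:
    """What the platform leaves at rest: secrets sealed under version-labelled derived keys."""
    return {
        "epid": seal(root_key, f"epid-wrap/{fw_version}".encode(), b"\x01" * 16, EPID_PRIVATE_KEY),
        "data": seal(root_key, f"storage/{fw_version}".encode(), b"\x02" * 16, USER_SECRET),
    }


def attest(epid_private_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for an EPID signature over a verifier's challenge (HMAC, not real EPID)."""
    return hmac.new(epid_private_key, challenge, hashlib.sha256).digest()


def attacker(extracted_root_key: bytes, store: dict, fw_version: str, challenge: bytes) -> dict:
    """With the root key and the blobs, re-derive every key, unseal, and forge attestation."""
    epid_priv = unseal(extracted_root_key, f"epid-wrap/{fw_version}".encode(), store["epid"])
    data = unseal(extracted_root_key, f"storage/{fw_version}".encode(), store["data"])
    return {"data": data, "forged_attestation": attest(epid_priv, challenge)}


def demo(fw_version: str = "v1") -> dict:
    """Seal as the platform would, then attack with the extracted root key."""
    store = platform_store(CHIPSET_ROOT_KEY, fw_version)
    challenge = b"verifier nonce"
    result = attacker(CHIPSET_ROOT_KEY, store, fw_version, challenge)
    genuine = attest(EPID_PRIVATE_KEY, challenge)
    return {
        "data_recovered": result["data"] == USER_SECRET,
        "attestation_forged": hmac.compare_digest(result["forged_attestation"], genuine),
    }


def wrong_key_rejected(fw_version: str = "v1") -> bool:
    """Without the root key the derived keys are unknown and the tag check fails."""
    store = platform_store(CHIPSET_ROOT_KEY, fw_version)
    try:
        unseal(hashlib.sha256(b"a guess").digest(), f"storage/{fw_version}".encode(), store["data"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("firmware v1:", demo("v1"))
    print("firmware v2 (after a 'patch'):", demo("v2"))
    print("attacker without root key rejected:", wrong_key_rejected())
```

Both `demo("v1")` and `demo("v2")` return True for both fields, which is the point about a ROM-resident root: every derived key is a deterministic function of the root, so a firmware update that re-labels or re-versions the derivation does not lock out an attacker who already holds the root, and a successful `unseal()` with the correct key is indistinguishable from the platform's own use of it, so nothing on the machine records the breach.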
When most users use an OS which regularly reports remote execution vulnerabilities, how is your comment meaningful?
Nah, it is more like AMD fanboys will try to downplay the impact of this. (It does affect more than DRM.)
Besides, AMD has their own problem.
https://www.tomshardware.com/news/new-amd-side-channel-attacks-discovered-impacts-zen-architecture
Not a big deal for regular consumers, but a huge issue for any corporate or government computer with sensitive information on it; shady contractors or people pretending to be maintenance, or similar situations might let a person get brief physical access, and from what I can tell, that would be enough to pull data off that the corp/gov previously thought would be safely encrypted.
Since this breaks DRM, if AMD did it then there would be millions of fanboys posting here about how this is a feature and that Lisa Su is their hero.
Yeah, somebody should tell Microsoft and Apple that they wasted their time with BitLocker/FileVault.
If it requires the dude to sit at our computer, the vulnerability is inconsequential to most consumers.
Intel: We already cancelled security in our products!
So DRM is being hacked?
Yawn.