Architecture flaw in older x86 CPUs Intel allows rootkit – update

A design flaw in Intel x86 CPUs several years old makes it possible to gain extensive access to a system from a process with administrative user rights. That allows rootkits that can never be detected. Newer CPUs are not affected.

The design flaw makes it possible to break from a process with administrative rights to system management mode, the deepest layer in which x86 CPUs can operate. Security researcher Christopher Domas made the announcement at the Black Hat security conference in Las Vegas. Intel has solved the problem in Core i CPUs since 2011 (Sandy Bridge and later) and Atom CPUs since 2013. “Intel was a little bit ahead of me,” said Domas, who insists, however, that “hundreds of millions devices are vulnerable. AMD CPUs may also be vulnerable, but Domas has not investigated this.

Normally, the operating system cannot access smm, because that mode uses its own portion of memory that cannot be described by the operating system. Due to an unrelated feature that Intel added twenty years ago for compatibility with older systems, this so-called smram can still be accessed from the operating system.

System management mode was originally built in for energy management, but now has a lot of functionality on board. For example, the trusted platform module, in which encryption keys can be stored, is housed in smm. The operating system can’t see what’s happening at the smm level, and it’s invisible to any hypervisors either, making smm a perfect place to host malware. Secure boot is also regulated by smm.

During his presentation, Domas showed how the design flaw – which is not a bug, the researcher emphasizes – allowed him to get root on a Linux system, but the flaw also works on other operating systems, because it is a physical design flaw in the processor. An attacker could also install a rootkit that is invisible to the operating system and remains present when an operating system is reinstalled. In theory, an attacker could even set a vulnerable laptop on fire, because SMM is about power management, Domas argues.

For a successful attack, an attacker would first need to be able to run code on a system. This can be done, for example, by enticing a user to run a program, but vulnerabilities in programs can also be abused. Especially if users forget to install security updates, that is a real problem. The user must also be able to obtain root rights; a different exploit will have to be used for that.

The flaw resides in code once built for the advanced programmable interrupt controller, part of an x86 CPU that is no longer being built. The apic took up some of the memory that was used for other purposes on previous CPUs. To avoid problems with older CPUs, a feature was built in to move apic to a different address in memory.

Although the apic is no longer a standalone part of an x86 CPU, Intel’s legacy code is still present, and that code can be used to load custom instructions in system management mode. This is possible with only eight instructions, emphasizes Domas.

“The only way to completely solve the problem is to release a new CPU,” said Domas; Firmware updates are mustard after meals, he says, because a user can already be infected. Intel has already released a new version. According to Domas, it is the second vulnerability found in x86 CPUs themselves. “But I think there are even more problems,” he says. The x86 architecture contains forty years of legacy and is incredibly complicated.

Update, 03:18: This article initially stated that a process with normal rights can exploit the error. However, a process must have administrative rights. The article has been adapted accordingly.