Security researchers find vulnerability in security module of Intel chips
Security researchers have found a vulnerability in most modern Intel CPUs. It resides in the Converged Security and Management Engine (CSME) and can be exploited to compromise various security functions of the chips.
The vulnerability was discovered by researchers at Positive Technologies (PT Security), who reported it to Intel. Intel had already been tracking the issue for some time as CVE-2019-0090 and has since released a mitigation, but according to the PT Security researchers this is not enough to completely solve the problem: the bug is in the chip's hardware, so it cannot be patched out with a firmware update. A practical attack is, however, expensive and complicated. The researchers have not yet published details of the vulnerability; a white paper should follow.
The vulnerability is in a subsystem of Intel CPUs from recent years; tenth-generation chips are said not to be affected. Specifically, the weakness is in the Converged Security and Management Engine, or CSME. That is the part of the chipset in which various security features are implemented, such as Intel's own firmware TPM (which Microsoft's BitLocker can rely on) and the verification of UEFI firmware. The error is in the mask ROM, a hardware part of the chip that firmware updates cannot change. During boot, the boot ROM has a short window in which it is vulnerable, and this allows attackers to steal the chipset key. That key is itself stored encrypted, and the key that protects it lives in the 'Secure Key Storage' (SKS). According to the researchers, extracting that SKS key from the boot ROM is not yet possible, but it would 'only be a matter of time'. Moreover, that key is not platform-specific: with one key, all stolen chipset keys could in theory be decrypted.
Attackers who know how to exploit the vulnerability can, among other things, leak information from the secure part of the chip and escalate privileges. Intel writes that systems with CSME versions older than 11.8.65, 11.11.65, 11.22.65 and 12.0.35 are vulnerable; these firmware versions ship with CPUs released in the last five years. According to the PT Security researchers, however, older CPUs could also be affected. Intel itself says the vulnerability can only be exploited when attackers have physical access to a machine.
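A practitioner's first question is whether a given machine's CSME firmware is below the fixed versions Intel lists above. The following is an added example (not tooling from Intel or Positive Technologies) that parses a CSME version string and compares it against those four thresholds, keyed by firmware branch (major.minor). It assumes the version is obtained from the Linux mei driver's sysfs attribute /sys/class/mei/mei0/fw_ver (first line of the form "0:11.8.70.3626"); versions on branches the article does not list are reported as unknown rather than guessed, and the sample version strings are constructed for illustration.

```python
"""Check a CSME firmware version against the minimum fixed versions Intel
lists for CVE-2019-0090. Added example; not code from Intel or PT Security."""

# Minimum fixed CSME version per firmware branch (major, minor), as quoted above.
FIXED_VERSIONS = {
    (11, 8): (11, 8, 65),
    (11, 11): (11, 11, 65),
    (11, 22): (11, 22, 65),
    (12, 0): (12, 0, 35),
}


def parse_version(text):
    """Parse '11.8.70.3626' or the sysfs form '0:11.8.70.3626' into an int tuple.

    Assumption: the Linux mei driver prefixes each fw_ver line with a platform
    index and a colon; only the first line is used.
    """
    first = text.strip().splitlines()[0]
    if ":" in first:
        first = first.split(":", 1)[1]
    return tuple(int(part) for part in first.strip().split("."))


def is_fixed(version):
    """Return True if the version is at or above its branch's fixed version,
    False if it is below, and None if the branch is not one of the four listed
    (e.g. 11.0.x), in which case Intel's advisory must be consulted directly."""
    branch = version[:2]
    if branch not in FIXED_VERSIONS:
        return None
    # Tuple comparison is lexicographic on ints, so 11.8.70 > 11.8.65 as intended.
    return version[:3] >= FIXED_VERSIONS[branch]


def describe(text):
    """Human-readable verdict for a raw version string."""
    version = parse_version(text)
    verdict = is_fixed(version)
    label = ".".join(str(p) for p in version)
    if verdict is None:
        return f"{label}: branch not listed, check Intel's advisory"
    if verdict:
        return f"{label}: at or above fixed version"
    return f"{label}: below fixed version, CVE-2019-0090 mitigation missing"


def check_host(path="/sys/class/mei/mei0/fw_ver"):
    """Read the running firmware version from sysfs, if the mei driver is present."""
    try:
        with open(path) as fh:
            return describe(fh.read())
    except OSError as exc:
        return f"could not read {path}: {exc}"


if __name__ == "__main__":
    # Constructed sample strings, one per outcome.
    for sample in ("0:11.8.50.3399", "0:11.8.70.3626", "0:12.0.35.1427", "0:11.0.18.1002"):
        print(describe(sample))
    print(check_host())
```

Run it on a Linux host with the mei driver loaded to get a verdict for the running firmware; on other systems, feed the version reported by Intel's CSME detection tool into describe() instead.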