
"Unfixable" Security flaw found in Intel CPUs

Security specialists at Positive Technologies claim to have found an unfixable security flaw in Intel CPUs, specifically in the Converged Security and Management Engine (CSME). They claim that, while it is difficult to exploit, it is a vulnerability that cannot be patched and can lead to the execution of malicious code and commandeering of the entire PC.

 

Quote

The weakness was spotted and reported to Intel by Positive Technologies, an infosec outfit that has previously prodded and poked Chipzilla's Management Engine. Although Positive announced its findings today, it is withholding the full technical details until a whitepaper about it all is ready.

The CSME is the built-in "hypervisor" on Intel CPUs that initializes the boot-up process for the chip as a whole.

Quote

CSME, which has its own 486-based CPU, RAM and boot ROM, is the first thing that runs when you boot up your computer. One of the first things it does is protect its own memory, but before that happens, there's a brief moment when it's vulnerable. If hackers have local or physical access to a machine, they might be able to fire off a DMA transfer to that RAM, overwriting it and hijacking code execution.

They claim that the vulnerability is baked into the silicon itself and cannot be patched away. And physical access to the device could result in backdoors that are undetectable and pervasive.

Intel believes they have fixed any vulnerabilities that do not require physical access to the machine, but that only maintaining physical security can protect against this vulnerability.

 

Quote

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates to address the vulnerability. Check the Intel website for the latest recommendations on mitigation of vulnerability CVE-2019-0090.

Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs. In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important.

This is much harder to exploit than earlier security flaws, but could result in compromised security that the end user is never aware of and could even allow access to encrypted data. They claim the latest 10th gen no longer has this problem, but time and continued research will tell.

 


This is very worrying, especially coming from a company as big as Intel


Another one?


Modern computers are a joke for privacy. Same goes for AMD with their PSP.


13 minutes ago, PacketMan said:

Well, time to release the CSME and IME source code and ways to disable/remove it? Intel is fucked up with vulnerabilities, and they seem not to care.

Not care? They have a bug bounty which they pay for this.

 

How is this not caring in the first place?


4 minutes ago, kiranbl said:

This flaw could defeat encryption and DRM protections. However, this is not true for the latest 10th Gen processors, as it is not vulnerable to Intel's CSME (Converged Security Management Engine).

I recommend reading this article: https://www.theverge.com/2020/3/6/21167782/intel-processor-flaw-root-of-trust-csme-security-vulnerability

I have multiple sources already; The Verge is a few rungs lower than what's already linked, in my mind. The release from the security researchers themselves is the big one to read.

 

https://www.ptsecurity.com/ww-en/about/news/unfixable-vulnerability-in-intel-chipsets-threatens-users-and-content-rightsholders/


Just now, HalGameGuru said:

The Verge is a few rungs lower than what's already linked, in my mind

tweezers


And Intel is back to work; this time they have a nice little `feature` that lets you (or someone else) run code on the CPU before the OS boots... even if you have Secure Boot enabled.

https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/

 

Quote

During that timing gap, other hardware – physically attached or present on the motherboard – that is able to fire off a DMA transfer into the CSME's private RAM may do so, overwriting variables and pointers and hijacking its execution. At that point, the CSME can be commandeered for malicious purposes, all out of view of the software running above it.

So this means that any `attached hardware` (that could include Thunderbolt devices, since they share the PCIe bus) can compromise the boot process.

 

Quote

Crucially, the boot ROM is read-only: it cannot be patched. The IOMMU's reset defaults can't be changed either without replacing the silicon. So, Intel chipsets out in people's computers are stuck with the vulnerability.

There is no fix possible for existing systems.


 

Quote

"To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS)," explained Positive's Mark Ermolov.

"However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time.

"When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."

 

 

The only Intel systems released at the moment that are protected from this are Macs with T1 or T2 chips (these chips handle the pre-boot rather than the main CPU); in addition, the disk encryption keys are not related to those within Intel's system.

https://9to5mac.com/2020/03/06/intel-chip-flaw
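The posts above describe the attack surface as "attached hardware" firing DMA into memory before protection is in place. As an added defender-side example (not from the thread, Intel, or Positive Technologies), the function below reads the two Linux sysfs knobs that decide whether a hot-plugged PCIe or Thunderbolt device gets unrestricted DMA into host RAM. It assumes standard Linux sysfs paths (`/sys/kernel/iommu_groups` and the `security` attribute under `/sys/bus/thunderbolt/devices/domain*`); it cannot see or close the CSME's own boot-time window, which the ROM handles before any OS runs.

```shell
#!/bin/sh
# Added example, not part of the original thread or any vendor tool.
# Reports host-OS-side DMA protection for attached devices.
#   dma_report [sysfs_root]
# sysfs_root defaults to /sys; another root may be passed so the check
# can run against a constructed tree (used by the test below).
# Returns 0 when both checks pass, 1 when either looks unsafe.

dma_report() {
    root="${1:-/sys}"
    rc=0

    # 1. Is an IOMMU active? With DMA remapping on, the kernel exposes one
    #    directory per IOMMU group. No groups means devices can DMA anywhere.
    if [ -d "$root/kernel/iommu_groups" ] && \
       [ -n "$(ls -A "$root/kernel/iommu_groups" 2>/dev/null)" ]; then
        n="$(ls "$root/kernel/iommu_groups" | wc -l | tr -d ' ')"
        echo "iommu: active ($n groups)"
    else
        echo "iommu: NOT active - attached devices are not DMA-isolated"
        rc=1
    fi

    # 2. Thunderbolt security level per domain. "none" means every
    #    hot-plugged device is auto-authorized and gets PCIe (hence DMA)
    #    access immediately; any other level requires authorization first.
    found=0
    for d in "$root"/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        found=1
        level="$(cat "$d/security")"
        case "$level" in
            none) echo "thunderbolt $(basename "$d"): security=none (devices auto-trusted)"; rc=1 ;;
            *)    echo "thunderbolt $(basename "$d"): security=$level" ;;
        esac
    done
    [ "$found" -eq 1 ] || echo "thunderbolt: no domains found"

    return "$rc"
}
```

A pass here only means the OS is fencing off devices it can see after boot; it says nothing about the pre-OS gap the thread is about.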


This does bring to light the benefit of having a secondary security chip (like the T1 and T2 chips in Macs); these handle the pre-boot (and start up before the main CPU) so that vulnerabilities like this can't affect these systems, in addition to the cryptography keys being kept off the main system chip.


5 hours ago, Koti said:

This is very worrying, especially coming from a company as big as Intel

What has their size got to do with this other than the basic law of averages?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Just now, mr moose said:

What has their size got to do with this other than the basic law of averages?

Or even that the larger the company, the more possible it is for things to slip through the cracks.


They can force a BIOS update that can't be reverted?

 

Had a few mobos that couldn't revert back to an older BIOS.


5 minutes ago, hishnash said:

Or even that the larger the company, the more possible it is for things to slip through the cracks.

That's what the law of averages means.  The more there is of something the higher the probability for smaller conditions to be noticed/exist.  

 

EDIT: please note I said the higher the probability for things to be noticed/exist. By this I mean the probability that they will happen does not change in relation to frequency (amount), but that our ability to see them becomes more probable.


1 hour ago, pas008 said:

They can force a BIOS update that can't be reverted?

 

Had a few mobos that couldn't revert back to an older BIOS.

CSME is in a ROM, not flash, so no, you can't fix the issue with a BIOS-update.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


7 hours ago, HalGameGuru said:

If hackers have local or physical access to a machine

Then this whole "flaw" is a non sequitur. If hackers have physical access to a machine, there are all sorts of things that they can do that are logically impossible to defend against, let you sidestep any component, and are not considered exploits.

I mean, if they have physical access to the machine they can do literally anything they want to it.

 

Even for the given case, hijacking RAM, if you have physical access you can do that with an In-Circuit Emulator...

I really hope Intel doesn't lose any sleep over this, or give up performance to fix it, unless it can be exploited remotely.

ENCRYPTION IS NOT A CRIME


Oh cool, glad I went AMD.


8 hours ago, pas008 said:

physical exploit

 

Eh, if they have physical access, you are doomed anyway.

 

25 minutes ago, straight_stewie said:

Then this whole "flaw" is a non sequitur. If hackers have physical access to a machine, there are all sorts of things that they can do that are logically impossible to defend against, let you sidestep any component, and are not considered exploits.

I mean, if they have physical access to the machine they can do literally anything they want to it.

 

Even for the given case, hijacking RAM, if you have physical access you can do that with an In-Circuit Emulator...

I really hope Intel doesn't lose any sleep over this, or give up performance to fix it, unless it can be exploited remotely.

At some point in the supply chain there's physical access to hardware, and that's what's so dangerous about these exploits. If a bad actor gets someone in the supply chain to plant malicious code into hardware before it reaches the end user, that's a lot harder to mitigate against, and all the locks and alarms in the world won't help you. That's why I still worry about attacks that need physical access, especially ones that can plant something that's persistent and low level like this.


38 minutes ago, WereCatf said:

CSME is in a ROM, not flash, so no, you can't fix the issue with a BIOS-update.

Stated in the article:

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates to address the vulnerability. Check the Intel website for the latest recommendations on mitigation of vulnerability CVE-2019-0090.

Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs. In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important.

 

So an irreversible BIOS update can block it, though? Does the statement above still apply because of flashing back to a previous BIOS?

 
