
"Unfixable" Security flaw found in Intel CPUs

4 minutes ago, pas008 said:

So an irreversible BIOS update can block it, though? With the statement above still existing because of flashing back to a previous BIOS?

No, like I said. CSME is in a ROM, there is no way of updating it.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


1 hour ago, WereCatf said:

No, like I said. CSME is in a ROM, there is no way of updating it.

Of course

But BIOS can block it, hence the quote on updating BIOS or disabling functions, and also the statement on reverting BIOS to allow this attack.


10 hours ago, HalGameGuru said:

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates

Pffff, dream on, bios update.

Ain't going to happen.

 

Anyway, I may be wrong on this, but isn't AMT part of Intel vPro? I think it's one of the components for vPro to work. I don't have vPro; my board doesn't support it.

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


1 hour ago, WereCatf said:

No, like I said. CSME is in a ROM, there is no way of updating it.

I'm not too sure this information is correct. While the wording "Boot ROM" is used and references to a similar Apple bug were made, Intel CSME is a collective term for multiple different things. For us consumers it is the Intel Management Engine (ME) and Trusted Execution Engine (TXE) that are of relevance, and these can be firmware updated, are not stored in ROM, and have had previous vulnerabilities (discovered by this same group) which were mitigated by firmware updates or by using dummy firmware that disabled ME pretty much altogether.

 

If it's not possible to update it then how is this possible?

[attached image]

 

I would surmise that while Intel ME is its own processor, RAM and boot ROM, the boot ROM itself is stored in the ME firmware on flash, as Intel states.

Quote

The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).

 

The SPI flash is write protected, but that doesn't mean it cannot be changed/updated. Few memory/flash chips/areas/devices are actually ROMs nowadays.

 

There is likely a bit more nuance going on here, and there may be some cross-hardware dependencies and checks, so it may not be possible to update the boot ROM, or maybe it is; I would advise waiting and seeing. This may be a design issue, not an inability to update firmware because it's a ROM issue,
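As an added illustration (not from the thread, and not Intel's or anyone else's tooling), here is a small Python script showing what "stored in a partition of the SPI flash" means from a defender's side. The Intel Flash Descriptor at the start of the SPI image divides the chip into regions (Descriptor, BIOS, ME/CSME, GbE, Platform Data), so a full flash dump taken with an external programmer can be parsed to locate the ME firmware region and hashed to record a baseline that later dumps are compared against, which is one concrete way to answer "how do you know if it's been tampered with". The descriptor layout used (signature 0x0FF0A55A, FLMAP1 giving the region table offset, 13-bit base and limit fields in 4 KiB units) is the public descriptor format; the image produced by build_sample_image() is a constructed toy image for demonstration, not a real firmware dump, and all function names are mine.

```python
import hashlib
import struct

# Intel Flash Descriptor (IFD) facts used below come from the public descriptor
# layout; they are not taken from the forum thread.
IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = {0: "Descriptor", 1: "BIOS", 2: "ME/CSME", 3: "GbE", 4: "Platform Data"}


def find_descriptor(image: bytes) -> int:
    """Return the offset of the IFD signature: 0x10 on current parts, 0x0 on old ones."""
    for off in (0x10, 0x0):
        if len(image) >= off + 4 and struct.unpack_from("<I", image, off)[0] == IFD_SIGNATURE:
            return off
    raise ValueError("no Intel Flash Descriptor signature found")


def parse_regions(image: bytes) -> dict:
    """Map region names to inclusive (start, end) byte ranges for the five classic regions."""
    sig = find_descriptor(image)
    # FLMAP1 sits 8 bytes after the signature; bits 7:0 hold the Flash Region
    # Base Address (FRBA) in 16-byte units.
    flmap1 = struct.unpack_from("<I", image, sig + 8)[0]
    frba = (flmap1 & 0xFF) << 4
    regions = {}
    for idx, name in REGION_NAMES.items():
        entry = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (entry & 0x1FFF) << 12                       # bits 12:0, 4 KiB units
        limit = (((entry >> 16) & 0x1FFF) << 12) | 0xFFF     # bits 28:16, 4 KiB units
        if base > limit:                                     # base > limit marks an unused region
            continue
        regions[name] = (base, limit)
    return regions


def me_region_hash(image: bytes) -> str:
    """SHA-256 over the bytes of the ME/CSME firmware region of a dump."""
    regions = parse_regions(image)
    if "ME/CSME" not in regions:
        raise ValueError("descriptor declares no ME region")
    start, end = regions["ME/CSME"]
    return hashlib.sha256(image[start:end + 1]).hexdigest()


def verify_me_region(image: bytes, baseline_sha256: str) -> bool:
    """True if the ME region in this dump matches a previously recorded baseline hash."""
    return me_region_hash(image) == baseline_sha256


def build_sample_image() -> bytes:
    """Constructed 16 KiB toy image (not a real dump): descriptor at 0x0000-0x0FFF,
    ME region at 0x1000-0x2FFF, BIOS at 0x3000-0x3FFF, GbE and PDR unused."""
    img = bytearray(b"\xFF" * 0x4000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x60 >> 4)                # FLMAP0: component table at 0x60
    struct.pack_into("<I", img, 0x18, (0x40 >> 4) | (4 << 8))   # FLMAP1: region table at 0x40, NR=4
    entries = [
        0x00000000,  # region 0 Descriptor: base 0x0, limit 0x0 -> 0x0000-0x0FFF
        0x00030003,  # region 1 BIOS:       base 0x3, limit 0x3 -> 0x3000-0x3FFF
        0x00020001,  # region 2 ME:         base 0x1, limit 0x2 -> 0x1000-0x2FFF
        0x00001FFF,  # region 3 GbE:        base > limit, unused
        0x00001FFF,  # region 4 PDR:        base > limit, unused
    ]
    for i, entry in enumerate(entries):
        struct.pack_into("<I", img, 0x40 + 4 * i, entry)
    img[0x1000:0x3000] = bytes(range(256)) * 32   # placeholder "firmware" bytes, constructed
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    baseline = me_region_hash(good)
    print("regions:", {k: (hex(a), hex(b)) for k, (a, b) in parse_regions(good).items()})
    print("baseline:", baseline)
    tampered = bytearray(good)
    tampered[0x1800] ^= 0x01                      # flip one bit inside the ME region
    print("untouched dump matches:", verify_me_region(good, baseline))
    print("tampered dump matches:", verify_me_region(bytes(tampered), baseline))
```

On a real machine the dump would come from flashrom attached to an external programmer; host-side reads of the ME region are commonly blocked by the descriptor's master access permissions, so a dump taken from the running OS may show that region as all 0xFF. A matching hash only tells you the updatable firmware region in flash is unchanged from the baseline; it says nothing about code held in on-die ROM.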


7 hours ago, HalGameGuru said:

The Verge is a few rungs lower than what's already linked, in my mind.

I'm sure they have fully inspected this issue with the assistance of expert tools like tweezers.


2 hours ago, Bitter said:

At some point in the supply chain there's physical access to hardware, and that's what's so dangerous about these exploits. If a bad actor gets someone in the supply chain to plant malicious code into hardware before it reaches the end user, that's a lot harder to mitigate against, and all the locks and alarms in the world won't help you. That's why I still worry about attacks that need physical access, especially ones that can plant something that's persistent and low level like this.

Well, that's a good enough point. But I'd like to argue that even then it's probably, but not definitely, a non sequitur.

 

All of this is a moot point once we get to the kind of actors that you are talking about. The type of actors that you are talking about are three things:

  • Nation States
  • Guru Teams
  • Resourceful

At the level of sophistication that you are talking about there's not a whole lot that can be done to prevent the threat actors from getting what they want, outside of good ol' Blue Team Billie and his bowl of Alphabet Soup, that is.

Once we start talking about boots on the ground, the whole game shifts towards supply line personnel security and vetting, and I'm willing to bet that there's not a chip manufacturer in the world with personnel vetting good enough to uncover what a world superpower supported clandestine operation can hide.

I say that because every single publicized successful attack of the scope and sophistication to which you are referring (at least that I've heard of) was attributed to a threat actor widely believed to be supported by a nation state. This is especially true given the alleged difficulty and narrow time frame in which to carry out this exploit.

 

I'm not arguing against fixing the flaw, especially if it costs no performance and causes no price increases, in new silicon. I just don't think that it's worth losing sleep over (well, that's a lie, I've lost a lot of sleep over this type of threat actor) or risking damage to the manufacturer or end consumer.

 

Now, if we are worried about a machine already in the hands of the end consumer being compromised by this, I would argue that it's definitely a non sequitur. If the actor has physical access to the final consumer's machine, something else has gone wrong, and they could have done any number of things that permanently render the machine compromised. The machine must not ever be used again, except possibly by a skilled researcher in a clean environment for the purpose of conducting research.

 

Of course, the assumption we are making here is that the flaw does indeed require physical access. If this can be exploited remotely, then it's a massive issue which must be solved quickly and completely.

ENCRYPTION IS NOT A CRIME


7 hours ago, GrockleTD said:

tweezers

*flips table* Oh come on, I should have looked literally one post down. Welp, guess I'm a joke stealer now.


21 minutes ago, straight_stewie said:

Well, that's a good enough point. But I'd like to argue that even then it's probably, but not definitely, a non sequitur.

 

All of this is a moot point once we get to the kind of actors that you are talking about. The type of actors that you are talking about are three things:

  • Nation States
  • Guru Teams
  • Resourceful

At the level of sophistication that you are talking about there's not a whole lot that can be done to prevent the threat actors from getting what they want, outside of good ol' Blue Team Billie and his bowl of Alphabet Soup, that is.

Once we start talking about boots on the ground, the whole game shifts towards supply line personnel security and vetting, and I'm willing to bet that there's not a chip manufacturer in the world with personnel vetting good enough to uncover what a world superpower supported clandestine operation can hide.

I say that because every single publicized successful attack of the scope and sophistication to which you are referring (at least that I've heard of) was attributed to a threat actor widely believed to be supported by a nation state. This is especially true given the alleged difficulty and narrow time frame in which to carry out this exploit.

 

I'm not arguing against fixing the flaw, especially if it costs no performance and causes no price increases, in new silicon. I just don't think that it's worth losing sleep over (well, that's a lie, I've lost a lot of sleep over this type of threat actor) or risking damage to the manufacturer or end consumer.

 

Now, if we are worried about a machine already in the hands of the end consumer being compromised by this, I would argue that it's definitely a non sequitur. If the actor has physical access to the final consumer's machine, something else has gone wrong, and they could have done any number of things that permanently render the machine compromised. The machine must not ever be used again, except possibly by a skilled researcher in a clean environment for the purpose of conducting research.

 

Of course, the assumption we are making here is that the flaw does indeed require physical access. If this can be exploited remotely, then it's a massive issue which must be solved quickly and completely.

It's the undetectable part that concerns me: how do you know if it's been tampered with if you can't detect it?


33 minutes ago, leadeater said:

*flips table* Oh come on, I should have looked literally one post down. Welp, guess I'm a joke stealer now.

*laugh track*

Bethesda PC:   R7 3700X  -  Asrock B550 Extreme 4  -  Corsair Dominator Platinum RGB 16GB@3.6GHz -  Zotac AMP Extreme 1080TI -  Samsung 860 Evo 256GB  -  WD Blue 2TB SSD -  500DX  -  Stock cooling lul  -  Rm650x

CrumpleBox V3:  Xeon X5680  -  Asus X58 Sabertooth  -  DDr3 16GB@1.33Ghz  -  Gigabyte 1660s -  TT smart RGB 700W  -  

Cooler Master Storm Trooper  -  120GB Samsung 850 Pro   -  LTT Edition Chromax NH-D15 ?

 

CrumpleBox 3 ROTF: I5-6400  -  MSI B150m Mortar  -  16GB 2133Mhz Vengeance Pro RGB  -  Strix 1070Ti - GTX 1070 FE  -  Adata 128GB SSD  -  Fractal Design Define C  -  Gammaxx 400V2  -  Cooler Master silent pro gold 1000W

CrumpleBox 2: i7-7820x - MSI X299 Raider - 32GB Thermaltake Toughram 3.6Ghz - 2x Sapphire Nitro Fury - 128GB PCie Adata SSD - O11 Dynamic - EVGA CLC 360 - Corsair RM1000X

 

Peripherals:  Gateway 900p60 monitor  -  Dell 1024x768@75  -  Logi. G403 Carbon  -  Logi. G502  -  SteSer. Arctis 5  -  SteSer. Rival 110 - Corsair Strafe RGB MK.2


I was excited to see my post headlining the WAN Show, only to hear my name was incorrectly transcribed.


My main concern with this flaw was the supply chain angle. Being alone in the room with such a machine at any point in its life compromises it for the rest of its life, through all the different clients and locations it services.


Looks like it affects Intel CPUs in about the last 5 years ... so I wonder if my i7-6700K in my laptop might be affected? (I bought the CPU in November 2016.)  Also hoping the i7-4790K in my desktop (bought January 2015) might be old enough to have dodged a bullet?


Okay, so I'm pretty sure Intel won't be doing this, but we can dream ... it'd be nice if they could....


"Today we are proud to announce the new 11th-generation" (to give them a little extra time to patch, since I think 10th-gen LGA1xxx is pretty close?) "Rocket Lake Intel Core processors for mainstream desktop LGA1200 socket.  Starting with our flagship Core i9-11900K, on the 10nm process node, it has 16 cores, 32 threads" ... "available" (a week later) "for $349." ... "We know many of our CPUs over the last several years have had some security vulnerabilities.  We have patched those for our 11th-generation processors.  Also, for those of you with older systems, we are making an unprecedented move - we are also releasing variants of Rocket Lake for some of our older sockets.  In addition to the i9-11900K for LGA1200, there will also be the i9-11899K for LGA1151 300 series, i9-11898K for LGA1151 100 series, i9-11897K for LGA1150, i9-11896K for LGA1155, i9-11895K for LGA1156, i9-11894K for LGA775, i9-11893K for Socket 478, i9-11892K for Socket 370, i9-11891K for Slot 1, i9-11890K for Socket 7, and so on."  (Or, anything before LGA775 (which I think was the first socket to have CPUs with a TDP of ~130W) would only have lower tier CPUs, like non-K or even -T, -U or -Y, and maybe only like i5 or i3 or even Celeron for the oldest sockets back to like the 386 or 486, or whichever was the first to have a vulnerability.)  "We will note that some of those older sockets have long since been discontinued, and not many people will be using them anymore, so anything before LGA775 will be available only by special order."

 

Yeah, I know that's not gonna happen.


7 hours ago, Bitter said:

It's the undetectable part that concerns me: how do you know if it's been tampered with if you can't detect it?

Who's to say that there isn't a threat actor that's currently modifying the firmware in all hard drives so that it contains an undetectable payload delivery application? This might be happening; we know that Equation Group had the ability to reprogram hard drive firmware from music CDs inserted into already delivered machines. This application is widely believed to be IRATEMONK.

 

Who's to say that a threat actor hasn't modified the BIOS or UEFI ROMs so that they contain an undetectable payload delivery application? We know that this is happening; one version is called DEITYBOUNCE. There is another application which does the same thing, from REGIN, called IRONCHEF. IRONCHEF is the more advanced of the two.

 

Who's to say that a threat actor hasn't modified PCI(e) bus controllers so that they contain an undetectable and persistent payload delivery application? We know this is happening too; it's called GINSU.

Those are just the operations that the NSA is running (might as well say it, I already listed stuff from the ANT catalog) and that we know about. Who knows what operations other threat actors are running? Who knows what operations we don't know about?

And this is my point: This kind of actor doesn't need this flaw. They've already gained the ability to compromise any machine they want through firmware programming phase hijacking. And if you can do that, then what's the difference about this? You can run whatever code you want, at whatever level of machine capability you want, including over any OS or no OS without prior knowledge of whatever other software is being installed and run, and it's completely undetectable because if they can hijack the firmware programming phase, they can hijack the QC phase that tests to make sure the firmware was programmed correctly, which is the only option for detecting this stuff.

 

I mean, once you even mention that any given security flaw is only accessible to advanced persistent threat actors, then it's a moot point to bother fixing it unless we are going to go all in and find and fix everything, which either can't or won't be done, not least because these actors have government support and if you try to prevent all of this stuff from working, they will start doing things like suing the piss out of you or otherwise damaging your business or you personally until you cooperate (and that's if they are nice enough to not just start wrongly jailing or even killing people over it).

 

So, like I said in my previous reply: This flaw is not worth losing any sleep over if it's only useful when exploited in the production chain. And if that's the case, I would say that Intel should only bother fixing it if the fix comes with no significant downsides such as extra cost, lower performance, or lower yields.

ENCRYPTION IS NOT A CRIME


19 hours ago, straight_stewie said:

Then this whole "flaw" is a non sequitur. If hackers have physical access to a machine there are all sorts of things that they can do that are logically impossible to defend against, let you sidestep any component, and are not considered exploits.

I mean, if they have physical access to the machine they can do literally anything they want to it.

 

Even for the given case, hijacking RAM, if you have physical access you can do that with an In-Circuit Emulator...

I really hope Intel doesn't lose any sleep over this, or give up performance to fix it, unless it can be exploited remotely.

Physical access = replacing your USB-C/Thunderbolt charger.


16 hours ago, leadeater said:

I'm not too sure this information is correct. While the wording "Boot ROM" is used and references to a similar Apple bug were made, Intel CSME is a collective term for multiple different things. For us consumers it is the Intel Management Engine (ME) and Trusted Execution Engine (TXE) that are of relevance, and these can be firmware updated, are not stored in ROM, and have had previous vulnerabilities (discovered by this same group) which were mitigated by firmware updates or by using dummy firmware that disabled ME pretty much altogether.

 

If it's not possible to update it then how is this possible?

[attached image]

 

I would surmise that while Intel ME is its own processor, RAM and boot ROM, the boot ROM itself is stored in the ME firmware on flash, as Intel states.

 

The SPI flash is write protected, but that doesn't mean it cannot be changed/updated. Few memory/flash chips/areas/devices are actually ROMs nowadays.

 

There is likely a bit more nuance going on here, and there may be some cross-hardware dependencies and checks, so it may not be possible to update the boot ROM, or maybe it is; I would advise waiting and seeing. This may be a design issue, not an inability to update firmware because it's a ROM issue,

Apple have a trick (for Macs that use the T2/T1 chip): since this chip starts before the main CPU and provides the boot ROM to the main CPU (aka the main CPU does not load its own boot ROM), Apple are able to patch these on their systems.


Could Intel not have a severe security vulnerability for FIVE MINUTES?


I'm just amused by how as Intel fixes these vulnerabilities their chips keep taking little performance hits. Meanwhile AMD is starting to make comparably powerful chips at lower price points.

 

It's almost as if Intel gave up security for performance just to stay ahead of the competition all this time. *speculation ensues*


1 hour ago, hishnash said:

Apple have a trick (for Macs that use the T2/T1 chip): since this chip starts before the main CPU and provides the boot ROM to the main CPU (aka the main CPU does not load its own boot ROM), Apple are able to patch these on their systems.

And from what Intel says they can patch theirs too. The Intel Management Engine has gotten many firmware patches, and the ME does the exact same thing: it boots first. It's why, even though the ME is known to be a big potential security hole, you cannot just disable it, as the computer would be incapable of turning on without it. The stripped-down ME firmware that Dell/HP etc. offer doesn't fully disable it (that's impossible); it just removes all the additional management functions (especially the remote ones).


1 hour ago, hishnash said:

Physical access = replacing your USB-C/Thunderbolt charger.

What? Physical access means replacing everything that could have been tampered with.

 

1 hour ago, hishnash said:

Apple have a trick (for Macs that use the T2/T1 chip): since this chip starts before the main CPU and provides the boot ROM to the main CPU (aka the main CPU does not load its own boot ROM), Apple are able to patch these on their systems.

Just to be clear about the T2 chip:

https://www.blackhat.com/us-19/briefings/schedule/index.html#inside-the-apple-t-15686

 

Turns out it's significantly more vulnerable than the exploit we are talking about here, including remote vulnerabilities.

ENCRYPTION IS NOT A CRIME


1 minute ago, straight_stewie said:

Turns out it's significantly more vulnerable than the exploit we are talking about here, including remote vulnerabilities.

That's because everything can have a flaw, and the more important something is (the security gatekeeper to the entire system), the juicier a target it is. Look how the Death Star was destroyed?


How many Lenovos had Superfish? If a company wants to exploit a PC they already can; this doesn't suddenly make it easier for them. At best it means they can hide it for a little bit longer until someone works out how to detect it.

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  
