Image: Intel

It has been a rough patch of years for Intel since 2017 when it comes to vulnerabilities and exploits. Unfortunately, that does not seem to be changing with this story. Researchers at Positive Technologies have discovered a troublesome vulnerability, and this particular one is not something that can be fixed via a simple firmware patch. Positive Technologies is preparing a full-length white paper with all the technical details, but there is plenty to digest in what they have already posted on their blog.

It starts at the hardware level of the boot ROM for the Intel Converged Security and Management Engine, or CSME.

From Positive Technologies:

“CSME is responsible for initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms. For instance, Intel CSME interacts with CPU microcode to authenticate UEFI BIOS firmware using BootGuard. Intel CSME also loads and verifies the firmware of the Power Management Controller responsible for supplying power to Intel chipset components.”

If that does not make some people nervous there is more to this.

“Even more importantly, Intel CSME is the cryptographic basis for hardware security technologies developed by Intel and used everywhere, such as DRM, fTPM, and Intel Identity Protection.”

PT did reach out to Intel regarding this. Intel responded that they are aware of the vulnerability, now named CVE-2019-0090, and are exploring solutions. Since this type of vulnerability cannot be fixed via a firmware patch, they are pursuing a vector-based strategy. The first patch will address one particular attack vector involving the Integrated Sensors Hub, or ISH. It is all but guaranteed that as more potential attack vectors are identified, more patches will follow. TPU has noted that all but the latest 10th-gen CPUs (Ice Point-based chipsets and SoCs) are affected. A significant point, though, is that physical access is needed to take advantage of this new exploit.
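To make the quoted description of CSME's role concrete, here is an added, constructed simulation of a chain of trust in which an immutable root stage verifies every later firmware stage before handing it control. It is not Intel's or Positive Technologies' code: it assumes a hypothetical hash-pinned manifest in place of CSME's real signature-based verification, and the stage names and firmware bytes are made up. The point it demonstrates is the one the article makes, namely that once the root stage itself is flawed, re-flashing any of the stages it verifies cannot restore trust.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed toy firmware images. They stand in for the components the
# quoted passage says CSME loads and verifies (CSME's own firmware, the Power
# Management Controller firmware, the UEFI BIOS); the bytes are made up.
STAGES: List[Tuple[str, bytes]] = [
    ("csme_firmware", b"toy CSME firmware image v1"),
    ("pmc_firmware", b"toy power management controller firmware v1"),
    ("uefi_bios", b"toy UEFI BIOS image v1"),
]


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_manifest(stages: List[Tuple[str, bytes]]) -> Dict[str, bytes]:
    # The manifest pins the expected digest of every stage. A real platform
    # signs this structure; the toy version instead relies on the ROM pinning
    # the manifest's own digest (hypothetical scheme, not Intel's).
    return {name: digest(image) for name, image in stages}


def serialize_manifest(manifest: Dict[str, bytes]) -> bytes:
    return b"".join(name.encode() + b"=" + d for name, d in sorted(manifest.items()))


# The immutable root of trust: a digest "burned into ROM" at manufacturing.
# Nothing that boots after it can change this value, which is the whole point.
ROM_PINNED_DIGEST = digest(serialize_manifest(build_manifest(STAGES)))


def verified_boot(stages: List[Tuple[str, bytes]],
                  manifest: Dict[str, bytes],
                  rom_digest: bytes = ROM_PINNED_DIGEST) -> List[str]:
    """Walk the chain of trust. Returns the names of the stages that passed,
    in boot order, or raises ValueError at the first stage that fails."""
    # Step 1: the ROM checks the manifest before trusting anything in it.
    if digest(serialize_manifest(manifest)) != rom_digest:
        raise ValueError("manifest does not match the ROM-pinned digest")
    booted: List[str] = []
    # Step 2: each stage is measured and compared before it is handed control.
    for name, image in stages:
        expected = manifest.get(name)
        if expected is None or digest(image) != expected:
            raise ValueError(f"stage {name!r} failed verification")
        booted.append(name)
    return booted


def boot_with_compromised_root(tampered_stages: List[Tuple[str, bytes]]) -> List[str]:
    """Model a flaw in the root of trust itself: the value the ROM compares
    against is no longer authoritative, so an attacker-built manifest for
    tampered images passes every downstream check. Re-flashing any of the
    later stages cannot restore trust, because the check that would catch
    the tampering lives in the compromised root stage."""
    manifest = build_manifest(tampered_stages)
    return verified_boot(tampered_stages, manifest,
                         rom_digest=digest(serialize_manifest(manifest)))


if __name__ == "__main__":
    print("clean boot:", verified_boot(STAGES, build_manifest(STAGES)))
    tampered = STAGES[:2] + [("uefi_bios", b"modified UEFI BIOS image")]
    try:
        verified_boot(tampered, build_manifest(STAGES))
    except ValueError as err:
        print("intact root of trust rejects tampering:", err)
    print("compromised root of trust accepts tampering:",
          boot_with_compromised_root(tampered))
```

With the root intact, a modified BIOS image is rejected whether the attacker leaves the manifest alone (stage digest mismatch) or rewrites it (manifest digest mismatch against the ROM value). Only when the root stage's own comparison can be subverted does the tampered chain boot cleanly, and no update to the CSME, PMC or BIOS images changes that outcome.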

In recent years Intel has had their hands full with speculative execution attacks. They have had some success with microcode updates to address Spectre and similar exploits. More recently, however, another one was discovered at the beginning of 2020. This one, CVE-2020-0549, has been nicknamed CacheOut.

Peter Brosdahl



7 Comments

  1. Makes me happier every day that I went with an AMD build for my refresh.

    Though until this gets addressed imagine if your CIO had their laptop stolen.. or a lead geologist for an oil company. Or someone in a three letter organization of the government… and so on. Escalated access to everything on the laptop…

    20+ years ago when I was working for an oil company it was estimated the black market value of a geologist's laptop was in excess of 2 million dollars.

  2. Yet it reads more like a backdoor and less of a mistake.

    I agree. Now all of those criminals can find the method to reset the Intel based laptops and reset them without removing drives. Works for soldered on nvme drives for macs too I bet.

  3. > I agree. Now all of those criminals can find the method to reset the Intel based laptops and reset them without removing drives. Works for soldered on nvme drives for macs too I bet.

    I admit, hadn’t thought of that. Bet Apple won’t be too happy to realize it either if that ends up being true.

  4. If physical access is needed, this is moot.

    If someone wishing to do harm has physical access to your machine, all is already lost.

  5. > If physical access is needed, this is moot.

    > If someone wishing to do harm has physical access to your machine, all is already lost.

    Actually that is inaccurate. This is completely why you have encryption on drives. Now if this vulnerability lets you bypass that or circumvent disk encryption then this is a HUGE deal. That opens up the vector of data being stolen to a MUCH LARGER audience.

    Want to be a rich criminal in a few days? Buy this new method to bypass encryption. Then go to the airport, buy a cheap ticket and see if you can get away with an executive's business laptop. Boom, money made if you pull it off, because the threat of losing that data when it is still valuable is TOO HIGH to ignore.

    For instance, imagine if your COO had their laptop stolen with data on it for how your company does business and what its plans are for the next 3 fiscal years? Or, as my example above, a lead geologist with plans on where your company is looking to drill for oil or information on the actual impact of fracking as an example. That data can be worth MILLIONS if it can be accessed and acted upon within a short period of time.

    And if this vulnerability… I know, if if if… but you get the idea, it's a lot easier to do this with the level of access this gives.

  6. > And if this vulnerability… I know, if if if… but you get the idea, it's a lot easier to do this with the level of access this gives.

    Yeah, but that's still ~miles~ away from a vulnerability that can get exploited via a drive-by JavaScript or clickbait email or something.

    Your examples are legit, I don’t mean to discount that. But physical access is much easier to control than online access, and it’s much easier to catch a guy who’s just ripped off your luggage than it is to find a guy who clicked on a Viagra ad in Accounting and that infected every PC in the building.
