Intel is in hot water again as security researchers have identified another critical flaw in Intel CPUs. The latest flaw is another blow to Intel as the manufacturer struggles to keep up with the market and regain the trust of its users. Unfortunately for Intel, the latest flaw is relatively easy to exploit and can’t be fixed unless the user replaces the CPU itself.
The flaw was identified by security researchers at Positive Technologies, who did a pretty good job of explaining it. Essentially, the flaw lies in the Converged Security and Management Engine (CSME) and is impossible to fix with a patch or a firmware update. It is present in all the Intel chipsets released in the last five years but doesn’t impact the latest 10th gen CPUs.
The vulnerability discovered by Positive Technologies affects the Intel CSME boot ROM on all Intel chipsets and SoCs available today other than Ice Point (Generation 10). The vulnerability allows extracting the Chipset Key and manipulating part of the hardware key and the process of its generation. However, currently it is not possible to obtain that key’s hardware component (which is hard-coded in the SKS) directly. The vulnerability also sets the stage for arbitrary code execution with zero-level privileges in Intel CSME.
– Positive Technologies
The CSME is a “Root of Trust” for the rest of the system’s security, and because the flaw lies in the boot ROM of the CSME, it cannot be changed after the CPU is manufactured. The flaw will leave the system open to both local and physical attacks, and the only way to protect yourself is to upgrade to the 10th gen processors.
Positive Technologies also noted that the next step for bad actors would be to extract the hardware key, which encrypts the Chipset Key, that is, a single key used across the entire generation of Intel CPUs. In the researchers’ words: “When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted.”
Positive Technologies will soon be releasing a full-length white paper that will provide more information on the vulnerability. Intel, in the meantime, has tried to downplay the severity of the flaw and has assured users that the bug can be exploited only via physical access to the device. The company has released a security bulletin with some recommendations on how to mitigate the problem.