Security researchers say that a bug in one of Intel’s CPU technologies that was patched last year is actually much worse than previously thought.
“Most Intel chipsets released in the last five years contain the vulnerability in question,” said Positive Technologies in a report published today.
Attacks are impossible to detect, and a firmware patch only partially fixes the problem.
To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said.
BUG IMPACTS INTEL CSME
The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).
The CSME is a security feature that’s included with all recent Intel CPUs. It is considered a “cryptographic basis” for all other Intel technologies and firmware running on Intel-based platforms.
According to Mark Ermolov, Lead Specialist of OS and Hardware Security at Positive Technologies, the CSME is one of the first systems that start running and is responsible for cryptographically verifying and authenticating all firmware loaded on Intel-based computers.
For example, the CSME is responsible for loading and
verifying UEFI BIOS firmware and the firmware for the PMC (Power Management
Controller), the component that manages a chipset’s power supply.
The CSME is also “the cryptographic basis” for other Intel technologies like Intel EPID (Enhanced Privacy ID), Intel Identity Protection, any DRM (Digital Rights Management) technologies, or firmware-based TPMs (Trusted Platform Modules).
In other words, the CSME is, basically, a “root of trust” for every other technology running on Intel chipsets.
By Catalin Cimpanu | March 5, 2020
