Researchers at Positive Technologies have found a major security flaw [CVE-2019-0090] in the Intel Converged Security and Management Engine (CSME) which cannot completely be fixed without a hardware replacement. The bug can severely damage the trust and reputation Intel has built over the years. And because the vulnerability allows a compromise at the hardware level, a mere firmware patch will not solve the problem.
The problem lies within Intel’s hardware and CSME firmware and occurs at the very early stages of its boot ROM. Intel CSME is a security subsystem that handles the initial authentication in Intel CPUs. It also loads and verifies some of the other firmware that is responsible for supplying power to Intel chipset components, among several other processes.
How serious is the Intel CSME vulnerability?
In this case, as the researchers describe it, the culprit is Intel’s boot ROM, where they discovered an early-stage vulnerability. First and foremost, this vulnerability is nearly impossible to detect.
If exploited, the flaw could allow attackers to recover the Chipset Key, generate other encryption keys, and disable authenticity checks. This could, in turn, result in a breach of the private key for the Intel CSME firmware digital signature.
Positive Technologies expert Mark Ermolov has this to say:
“To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS). However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets.”
If the hardware is not replaced, attackers could forge hardware IDs, gain access to digital content, and decrypt data from encrypted hard disks. The vulnerability affects Intel CPUs across the board; the one exception, ZDNet reports, is Intel’s 10th generation CPUs, which are not affected.
Intel is already aware of the bug and is trying to block all possible exploitation vectors. However, the company has acknowledged that the vulnerability in the ROM of existing hardware cannot be fixed.
The previously released patch only partially fixes the problem, and researchers warn that hackers might come up with more ways to exploit this vulnerability in the future.