Yesterday, cybersecurity company Positive Technologies revealed a new security flaw affecting Intel CPUs released over the past five years (via Ars Technica). This new vulnerability has its roots in the ROM of the Intel Converged Security and Management Engine (CSME), which is a subsystem that verifies all firmware running on Intel-based PCs, and also plays a role in hardware security technologies such as DRM and Intel Identity Protection.
“This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms,” explained Positive Technologies. “The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
The report points out that this vulnerability can’t be fixed by firmware updates, and that it “sets the stage for arbitrary code execution with zero-level privileges in Intel CSME.” However, 10th gen Intel chips are not affected by the security flaw.
Intel apparently isn’t too worried about this new vulnerability that follows the much-talked-about “Meltdown” and “Spectre” security flaws revealed two years ago. In a statement shared with Ars Technica, an Intel spokesperson explained that an attacker would require physical access and “specialized hardware” to leverage this vulnerability. The company also said it has already released “mitigations,” despite the Positive Technologies researchers explaining that there’s no definitive fix.
“Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products,” company officials wrote in a statement. “Intel released mitigations and recommends keeping systems up-to-date. Additional guidance specific to CVE-2019-0090 can be found here.”
Positive Technologies said yesterday that more details about this new vulnerability will be published in white paper soon. In the meantime, we invite you to read their initial reveal here.