Last May, Intel released firmware patches for vulnerabilities affecting several hardware security features in its chipsets that are used for digital rights management, device attestation, firmware validation, safe storage of cryptographic keys, disk encryption and more. A team of security researchers now warns that one of those flaws is actually unpatchable and could lead to a complete compromise of the cryptographic chain of trust in Intel-based systems with potentially disastrous implications for technologies built on top of it.
"The scenario that Intel system architects, engineers and security specialists perhaps feared most is now a reality," researchers from security firm Positive Technologies said in a report released today. "A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms."
The unpatchable CSME flaw
When Positive Technologies found the vulnerability and reported it to Intel, it learned that it had already been reported by an external Intel partner. The chip vendor tracks the issue as CVE-2019-0090 with a CVSS risk score of 7.1 (High) and disclosed it in an advisory last year together with a dozen other vulnerabilities.
Intel describes the flaw as an insufficient access control vulnerability in the subsystem for Intel CSME versions 11.x; Intel CSME version 12.0.35; Intel TXE versions 3.x and 4.x; Intel Server Platform Services versions 3.x, 4.x and SPS_E3_05.00.04.027.0, which "may allow an unauthenticated user to potentially enable escalation of privilege via physical access."
To mitigate the issue, the company released firmware patches that are distributed through BIOS updates from system manufacturers, but according to Positive Technologies, the fix only closes one exploit vector. They believe that more attack methods exist and some don't require physical access.
More importantly, the flaw itself cannot be patched because it's located in the boot ROM of CSME, which is programmed during the manufacturing process and cannot be changed. The CSME firmware itself that resides in SPI flash can be updated, but the early-stage boot code where the bug is located and whose purpose is to load the firmware is burned into the chip and is permanent.
According to Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, because of its location, the flaw is similar to the Checkm8 boot ROM exploit for iOS devices that was revealed in September and is considered a permanent jailbreak -- the holy grail of iPhone jailbreak developers.
"The vulnerability discovered by Positive Technologies affects the Intel CSME boot ROM on all Intel chipsets and SoCs available today other than Ice Point (Generation 10)," the Positive Technologies researchers said. "The vulnerability allows extracting the Chipset Key and manipulating part of the hardware key and the process of its generation. However, currently it is not possible to obtain that key's hardware component (which is hard-coded in the SKS) directly. The vulnerability also sets the stage for arbitrary code execution with zero-level privileges in Intel CSME."
How the CSME vulnerability works
Intel CSME is the engine that powers most of Intel's hardware security technologies including BootGuard, which validates and authenticates the UEFI/BIOS firmware and Enhanced Privacy ID (EPID), an algorithm for the attestation of trusted systems that is used by digital rights management (DRM) technologies, IoT device identity and onboarding, hardware-backed two-factor authentication and financial transaction security via Intel Identity Protection. Intel's firmware TPM (fTPM), a Trusted Platform Module implemented in software that doesn't require a dedicated chip, also relies on CSME. TPMs are used for the secure storage of cryptographic keys, such as for hard drive encryption.
The problem behind CVE-2019-0090 is that in the early stages of the boot process, the memory management unit leaves the SRAM (static memory) used by the early stages of the CSME firmware unprotected until the rest of the firmware is loaded from SPI flash. During that window, the memory can be written by devices that have direct memory access (DMA) to CSME memory; one of those devices is the Integrated Sensors Hub (ISH), which Intel has blocked with its firmware patch.
"We think there might be many ways to exploit this vulnerability in ROM," Ermolov tells CSO. "Some of them might require local access; others need physical access."
According to the researcher, there are several ways in which attackers could inject their code into ISH firmware while it's being loaded, by exploiting other vulnerabilities in insecure UEFI and platform implementations by independent hardware vendors (IHVs). The goal is to bypass the restrictions added by Intel, and in some cases the attackers would only require OS or UEFI access. On systems that don't have any such implementation problems and vulnerabilities -- Ermolov doubts such systems exist -- physical access is required.
"Yes, the attack is difficult, but it’s possible," Ermolov says. "It doesn’t require very expensive equipment for something like EM fault injection and can be done at home and doesn’t require the use of special laboratories. The attack isn’t destructive for hardware. The fact that the attack has been performed can’t be detected by any means," he says.
Implications of the Intel CSME vulnerability
At the core, Intel CSME uses a root key called the Chipset Key that is unique for every device and is programmed during the manufacturing of the chip. This key is stored in one-time programmable memory and cannot be changed but is encrypted with another hardware key stored in Secure Key Storage (SKS) that is not system specific.
"A single [hardware] key is used for an entire generation of Intel chipsets," the Positive Technologies researchers said. "And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."
In addition, attackers can also exploit this vulnerability to install backdoors at the lowest levels of the platform, with the full privileges of the CSME, which would be very hard to detect. "An early-stage vulnerability in ROM enables control over reading of the Chipset Key and generation of all other encryption keys," the researchers said. "One of these keys is for the Integrity Control Value Blob (ICVB). With this key, attackers can forge the code of any Intel CSME firmware module in a way that authenticity checks cannot detect. This is functionally equivalent to a breach of the private key for the Intel CSME firmware digital signature but limited to a specific platform."
Mitigations for the CSME vulnerability
"Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an un-authorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products," Intel said in an emailed statement. "Intel released mitigations and recommends keeping systems up-to-date."
Intel has a support article with guidance for CVE-2019-0090 that was updated in February. In the update, the company warns that downgrading the Intel Management Engine (Intel ME) firmware is also a known issue that affects Intel CSME versions up to and including 11.x, Intel TXE 3.x and 4.x, and Intel SPS 3.x and 4.x. Since such an action requires physical access, the company advises users to maintain physical possession of their systems and to adopt security best practices: installing updates as soon as they become available and taking the necessary steps to detect and block intrusions and exploitation attempts.
Ermolov advises users to stop using encryption for local storage devices that relies on CSME. For example, for Windows' full-disk encryption feature, BitLocker, he advises modifying the settings to use a password or USB token instead of Intel's Platform Trust Technology (PTT) to store credentials.
Users should contact their device manufacturer for microchip or BIOS updates that address the vulnerability, follow the mitigation advice provided by Intel and consider migrating to 10th generation Intel platforms, Ermolov says.
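As an added example (not from the article, Intel or Positive Technologies), the PowerShell below implements Ermolov's BitLocker advice on a Windows machine: it audits each BitLocker volume for protectors that seal the volume key in the TPM, flags the case where that TPM is Intel PTT, and provides a function that moves the OS volume to a USB startup key so the disk no longer depends on CSME. Assumptions: the TPM manufacturer string "INTC" reported by Get-Tpm identifies Intel PTT, and the local registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are not overridden by domain policy; the function and record field names are the example's own.

```powershell
# Added example: audit BitLocker's reliance on a firmware TPM (Intel PTT) and,
# on request, move the OS volume to a USB startup key instead. Not vendor code.
# Assumption: a TPM whose ManufacturerIdTxt contains "INTC" is Intel PTT.
#Requires -RunAsAdministrator

function Get-BitLockerTpmDependency {
    # Returns one record per BitLocker volume describing whether unlocking it
    # depends on a TPM protector, and whether that TPM is firmware-based.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $isFirmwareTpm = [bool]($tpm -and $tpm.ManufacturerIdTxt -match 'INTC')  # assumption, see above
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all seal the volume
        # master key in the TPM; with PTT that key material is held by CSME.
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protection   = $vol.ProtectionStatus
            Protectors   = ($types -join ',')
            TpmBound     = ($tpmBound.Count -gt 0)
            FirmwareTpm  = $isFirmwareTpm
            ActionNeeded = (($tpmBound.Count -gt 0) -and $isFirmwareTpm)
        }
    }
}

function Enable-BitLockerNoTpmPolicy {
    # Local equivalent of the policy "Require additional authentication at startup"
    # with "Allow BitLocker without a compatible TPM" enabled. Without it, Windows
    # refuses to unlock an OS drive with a startup key or password alone.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

function Move-OsVolumeOffTpm {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$StartupKeyPath   # e.g. 'E:\', a USB drive that will hold the key
    )
    Enable-BitLockerNoTpmPolicy
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # 1. Ensure a recovery password exists before touching protectors, so a mistake
    #    here cannot lock the machine out. Back it up off-host before continuing.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # 2. Add the USB startup key as the new unlock protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector `
        -StartupKeyPath $StartupKeyPath | Out-Null

    # 3. Remove every TPM-based protector so the volume key is no longer sealed by PTT.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType.ToString() -like 'Tpm*') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    # Return the resulting protector list for verification.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage: audit first; migrate only volumes whose ActionNeeded is True.
Get-BitLockerTpmDependency | Format-Table -AutoSize
# Move-OsVolumeOffTpm -MountPoint 'C:' -StartupKeyPath 'E:\'
```

The audit is read-only and safe to run fleet-wide; the migration function changes boot behaviour (the USB key must be present at every start), so the recovery password it creates should be escrowed before the TPM protectors are removed. The same sequence works with a pre-boot password via Add-BitLockerKeyProtector -PasswordProtector, which is the other option Ermolov mentions, subject to the OS-drive password policy on the machine.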