Researchers have uncovered a serious vulnerability (CVE-2019-0090) in Intel’s CSME, which is unfixable and allows compromise of the hardware too. Intel CSME is known as the ‘root of trust‘. The vulnerability specifically lies in the ROM of the Intel Converged Security and Management Engine (CSME) and weakens the security foundation of Intel processors. Vulnerability Management Tool can be of assistance to prevent these attacks.
Intel had released an advisory (INTEL-SA-00213) for this vulnerability in May 2019. The fixes then released handled only one exploitation vector which involved the use of the Integrated Sensors Hub (ISH). Positive Technologies mentions that there could be multiple other attack vectors for exploitation, which might need local or physical access to the system. Vulnerability Management System can resolve these issues.
Let us take a look at the functionalities of CSME better to understand the impact and severity of this vulnerability.
Importance of Intel CSME
Credits: Black Hat USA 2019
Intel CSME is the standalone low power Intel processor with dedicated hardware. It serves main platform roles such as security and manageability of the system. In modern platforms, CSME is responsible for the initial authentication of Intel-based systems. It loads and verifies all other firmware and interacts with CPU microcode to authenticate UEFI BIOS firmware using BootGuard. Intel CSME is also known to load and verify the crucial firmware related to the Power Management Controller which supplies power to Intel chipset components. Importantly, it forms the cryptographic basis for hardware security technologies such as DRM, fTPM, and Intel Identity Protection. Intel CSME also implements TPM software module which allows storing encryption keys without an additional TPM chip.
CVE-2019-0090 is a vulnerability that Mark Ermolov of Positive Technologies discovered. In a detailed description, he mentions that the vulnerability affects the hardware and the firmware of the Intel boot ROM. The errors in the firmware which are hard-coded in the Mask ROM of microprocessors and chipsets are impossible to fix. Additionally, a compromise of the hardware weakens the chain of trust for the platform as a whole.
Intel firmware implements EPID (Enhanced Privacy ID) which helps in identifying a computer unambiguously and anonymously and is useful in other cases such as protecting digital content, securing financial transactions, and performing IoT attestations, etc. The firmware also facilitates the storing of encryption keys with an implementation of the TPM software module.
Intel processors are so designed to handle code execution flaws in CSME firmware locally without affecting the root cryptographic key (Chipset Key). Any flaw in CSME firmware is handle by changing encryption keys via the security version number (SVN) mechanism. And thus, Intel chipsets are protecting from the compromise of EPID-base technologies. But, this flaw is capable of overriding Intel’s robust security mechanisms too.
The key point of failure: The boot ROM
As this vulnerability lies in the very early stages of the subsystem’s operation, attackers can gain access to the Chipset Key and the generation of all other encryption keys. Within this set of keys is the Integrity Control Value Blob (ICVB), which can be of use to forge any Intel CSME firmware modules bypassing the authentication checks. Such an action would be the equivalent of disclosure of platform-specific private keys of Intel CSME firmware digital signature.
Researchers contemplate the existence of high-risk attack scenarios using this vulnerability. Attackers might find extracting the Chipset keys in the One-Time Programmable (OTP) memory challenging, as they are protected with encryption. Also, an attacker who intends to steal this key needs to extract a hardware key that is in use for the encryption of the Chipset Key. This hardware key resides in Secure Key Storage (SKS).
However, the key is not platform specific and an entire generation of Intel chipsets use the same key. Using the early-stage vulnerability(CVE-2019-0090) in ROM, an attacker can hijack the hardware key generation mechanism before the SKS is locked, and gain access to the hardware key. The possible outcomes of such an attack could include forging of Hardware IDs, extraction of digital content, and decryption of data from encrypted hard disks.
Affected Platforms
- Intel® CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
- Intel® Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15
- Intel® Server Platform Services prior to version SPS_E3_05.00.04.027.0
Impact
The vulnerability allows an attacker to extract the Chipset Key and manipulate the hardware key and its process of generation. Successful exploitation could also allow the execution of arbitrary code with zero-level privileges in Intel CSME.
Solution for CVE-2019-0090
Intel has released firmware updates and provides the following security guidance for CVE-2019-0090:
- Downgrading Intel® Management Engine Firmware (Intel® ME FW), which is a physical attack, is a known issue affecting any Intel® CSME version before and including 11.x, Intel® TXE 3.x, 4.x, and Intel® SPS 3.x, 4.x.
- End users should maintain physical possession of their platform.
- Intel highly recommends that system manufacturers follow Intel’s requirement to complete the End of Manufacturing process and set manufacturing mode to disabled.
- Intel recommends that end users adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
Positive Technologies recommends disabling Intel CSME-based encryption of data storage. Devices or considering migration to tenth-generation or later Intel CPUs.
We recommend installing the security updates as soon as possible and following strong security practices in general.