Researchers have uncovered a serious vulnerability (CVE-2019-0090) in Intel’s CSME that is unfixable and allows the hardware itself to be compromised. Intel CSME is known as the ‘root of trust’. The vulnerability lies in the ROM of the Intel Converged Security and Management Engine (CSME) and weakens the security foundation of Intel processors.
Intel released an advisory (INTEL-SA-00213) for this vulnerability in May 2019. The fixes released at that time handled only one exploitation vector, which involved the use of the Integrated Sensors Hub (ISH). Positive Technologies mentions that there could be multiple other attack vectors for exploitation, which might need local or physical access to the system.
Let us take a look at the functionalities of CSME to better understand the impact and severity of this vulnerability.
Importance of Intel CSME
Intel CSME is a standalone low-power Intel processor with dedicated hardware. It serves main platform roles such as security and manageability of the system. In modern platforms, CSME is responsible for the initial authentication of Intel-based systems. It loads and verifies all other firmware and interacts with CPU microcode to authenticate UEFI BIOS firmware using BootGuard. Intel CSME is also known to load and verify the crucial firmware of the Power Management Controller, which supplies power to Intel chipset components. Importantly, it forms the cryptographic basis for hardware security technologies such as DRM, fTPM, and Intel Identity Protection. Intel CSME also implements a TPM software module, which allows encryption keys to be stored without an additional TPM chip.
CVE-2019-0090 is a vulnerability that was discovered by Mark Ermolov of Positive Technologies. In a detailed description, he mentions that the vulnerability affects the hardware and the firmware of the Intel boot ROM. Errors in firmware that is hard-coded in the mask ROM of microprocessors and chipsets are impossible to fix. Additionally, a compromise of the hardware weakens the chain of trust for the platform as a whole.
Intel firmware implements EPID (Enhanced Privacy ID), which helps in identifying a computer unambiguously and anonymously and is useful in other cases such as protecting digital content, securing financial transactions, and performing IoT attestations. The firmware also facilitates the storing of encryption keys with an implementation of the TPM software module.
Intel processors are designed to handle code execution flaws in CSME firmware locally, without affecting the root cryptographic key (Chipset Key). Any flaw in CSME firmware can be handled by changing encryption keys via the security version number (SVN) mechanism. In this way, Intel chipsets are protected from the compromise of EPID-based technologies. However, this flaw is capable of overriding Intel’s robust security mechanisms too.
The key point of failure: The boot ROM
As this vulnerability lies in the very early stages of the subsystem’s operation, attackers can gain access to the Chipset Key and to the generation of all other encryption keys. Within this set of keys is the Integrity Control Value Blob (ICVB), which can be used to forge any Intel CSME firmware module, bypassing the authentication checks. Such an action would be the equivalent of disclosure of the platform-specific private key of the Intel CSME firmware digital signature.
Researchers contemplate the existence of high-risk attack scenarios using this vulnerability. Attackers might find it challenging to extract the Chipset Keys from the One-Time Programmable (OTP) memory, as they are protected with encryption. Also, an attacker who intends to steal this key would need to extract a hardware key that is used for encryption of the Chipset Key. This hardware key resides in Secure Key Storage (SKS).
However, the key is not platform-specific, and an entire generation of Intel chipsets uses the same key. Using the early-stage vulnerability (CVE-2019-0090) in ROM, an attacker can hijack the hardware key generation mechanism before the SKS is locked, and gain access to the hardware key. The possible outcomes of such an attack could include forging of Hardware IDs, extraction of digital content, and decryption of data from encrypted hard disks.
Affected products
- Intel® CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
- Intel® Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15
- Intel® Server Platform Services prior to version SPS_E3_05.00.04.027.0
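The version list above can be turned into an inventory check. The following is an added example, not code from Intel or Positive Technologies: it compares reported CSME and TXE firmware versions with the releases in the list (SPS is left out because its version string uses a different format). The rule for matching a version to a branch, the function names, and the sample inventory are assumptions of this example.

```python
# Added example: triage firmware versions against the releases listed in the article.
# The branch-matching rule and the sample inventory are assumptions of this example.
FIXED = {
    "CSME": [(11, 8, 65), (11, 11, 65), (11, 22, 65), (12, 0, 35)],
    "TXE": [(3, 1, 65), (4, 0, 15)],
}

# Constructed sample data: (host, product, reported firmware version).
SAMPLE_INVENTORY = [
    ("ws-01", "CSME", "11.8.50.3425"),
    ("ws-02", "CSME", "11.8.65.3590"),
    ("ws-03", "CSME", "11.10.0.1287"),
    ("ws-04", "CSME", "12.0.35.1427"),
    ("kiosk-01", "TXE", "3.1.50.2222"),
    ("ws-05", "CSME", "13.0.0.1000"),
]


def parse_version(text):
    """Return (major, minor, hotfix) from 'major.minor.hotfix[.build]'."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def has_listed_update(product, version_text):
    """True: at or above the listed release; False: prior to it; None: not covered."""
    version = parse_version(version_text)
    # Assumption: judge a version against the lowest listed release whose
    # major.minor is not below its own (so 11.10.x is compared with 11.11.65).
    for fixed in sorted(FIXED.get(product.upper(), [])):
        if version[:2] <= fixed[:2]:
            return version >= fixed
    return None  # unknown product, or a branch newer than any listed release


def triage(inventory):
    """Group host names by update status."""
    report = {"updated": [], "needs_update": [], "not_listed": []}
    for host, product, version in inventory:
        state = has_listed_update(product, version)
        key = "not_listed" if state is None else "updated" if state else "needs_update"
        report[key].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A host in the "updated" group has only the firmware mitigation; as noted earlier, that fix covers the ISH vector, and the boot ROM flaw itself remains.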
The vulnerability allows an attacker to extract the Chipset Key and manipulate the hardware key and its process of generation. Successful exploitation could also allow the execution of arbitrary code with zero-level privileges in Intel CSME.
Intel has released firmware updates and provides the following security guidance for CVE-2019-0090:
- Downgrading Intel® Management Engine Firmware (Intel® ME FW), which is a physical attack, is a known issue affecting any Intel® CSME version before and including 11.x, Intel® TXE 3.x, 4.x, and Intel® SPS 3.x, 4.x.
- End users should maintain physical possession of their platform.
- Intel highly recommends that system manufacturers follow Intel’s requirement to complete the End of Manufacturing process and set manufacturing mode to disabled.
- Intel recommends that end users adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
Positive Technologies recommends disabling Intel CSME-based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs.
We recommend installing the security updates as soon as possible and following strong security practices in general.