Unfixable security flaw found in Intel CPU CSME

Posted on Friday, March 06 2020 @ 11:57 CET by Thomas De Maesschalck
Security researchers from Positive Technologies have discovered an unfixable flaw in the Converged Security and Manageability Engine (CSME) of Intel platforms. The CSME is essentially a CPU inside your CPU: a black box that is in charge of the chip's security functions.

Unfortunately, both the hardware and the firmware in the CSME's boot ROM have a security vulnerability, and it can't be patched because the ROM is read-only. The flaw is present in all Intel chips currently available, with the exception of the 10th Gen "Ice Lake" parts. The implication is that attackers may be able to forge hardware IDs, extract digital content, and decrypt data on encrypted drives.

Exploitation requires local, if not physical, access to the machine. The window is at power-on: one of the first things the CSME does is set up memory protections on its own built-in RAM so that other hardware and software can't interfere with it. Those protections are not active at reset, however, so there is a tiny timing gap between the system turning on and the CSME executing the boot ROM code that installs them. The protections take the form of input-output memory-management unit (IOMMU) data structures called page tables.

During that timing gap, other hardware – physically attached or present on the motherboard – that is able to fire off a DMA transfer into the CSME's private RAM may do so, overwriting variables and pointers and hijacking its execution. At that point, the CSME can be commandeered for malicious purposes, all out of view of the software running above it.
More details at The Register.
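As an added example (not code from this article, from The Register, or from Positive Technologies), the C model below reproduces the ordering problem in miniature: a "security engine" whose IOMMU starts with no page tables, a boot ROM that seeds a pointer in the engine's SRAM and only then installs the tables, and a bus-master device that fires one DMA write at a chosen moment. Every name, offset and timing step is invented for the simulation, and the `deny_at_reset` variant is a hypothetical design used for contrast, not a description of how any Intel part behaves.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation of the boot-time race described above. Everything here is
 * invented for the example: SRAM size, the offset of the next-stage
 * pointer, the three-tick boot sequence and the "deny at reset" variant.
 * None of it describes Intel's actual CSME layout or behaviour. */

#define PAGE_SIZE   64u
#define SRAM_PAGES  4u
#define SRAM_SIZE   (SRAM_PAGES * PAGE_SIZE)

/* Made-up SRAM offset of the pointer the ROM later jumps through. */
#define NEXT_STAGE_PTR_OFF  0x10u

static const uint32_t TRUSTED_ENTRY  = 0x0000F000u; /* ROM-resident loader (simulated) */
static const uint32_t ATTACKER_ENTRY = 0x41414141u; /* value a rogue DMA device writes */

struct iommu {
    int     enabled;                   /* 0 at reset: no page tables, all DMA allowed */
    uint8_t dma_allowed[SRAM_PAGES];   /* one entry per SRAM page */
};

struct engine {
    uint8_t      sram[SRAM_SIZE];
    struct iommu iommu;
};

struct result {
    int dma_blocked;   /* 1 if the IOMMU rejected the rogue write */
    int hijacked;      /* 1 if the ROM ended up jumping to ATTACKER_ENTRY */
};

/* Page-table lookup for one byte of SRAM. Before the tables exist the
 * IOMMU has nothing to consult, so it lets the transfer through. */
static int iommu_allows(const struct iommu *mmu, uint32_t off)
{
    if (off >= SRAM_SIZE) return 0;
    if (!mmu->enabled)    return 1;
    return mmu->dma_allowed[off / PAGE_SIZE];
}

/* A bus-master device writes len bytes at SRAM offset off. Every page the
 * transfer touches must be permitted, or the whole write is dropped. */
static int dma_write(struct engine *e, uint32_t off, const void *src, uint32_t len)
{
    if (len == 0 || len > SRAM_SIZE || off > SRAM_SIZE - len) return 0;
    for (uint32_t p = off / PAGE_SIZE; p <= (off + len - 1) / PAGE_SIZE; p++)
        if (!iommu_allows(&e->iommu, p * PAGE_SIZE)) return 0;
    memcpy(e->sram + off, src, len);
    return 1;
}

/* What the ROM does to lock its SRAM: deny DMA to every page. */
static void install_protections(struct engine *e)
{
    memset(e->iommu.dma_allowed, 0, sizeof e->iommu.dma_allowed);
    e->iommu.enabled = 1;
}

/* Boot sequence, one ROM step per tick, with the rogue device's DMA landing
 * right after the ROM step of tick dma_tick (0, 1 or 2):
 *   tick 0: ROM seeds its SRAM variables, including the next-stage pointer
 *   tick 1: ROM installs the IOMMU page tables
 *   tick 2: ROM jumps through the pointer
 * deny_at_reset = 1 models a hypothetical design whose IOMMU starts locked. */
static struct result boot(int dma_tick, int deny_at_reset)
{
    static struct engine e;
    struct result r = { 0, 0 };
    int dma_ok = 0;

    memset(&e, 0, sizeof e);
    if (deny_at_reset) install_protections(&e);

    for (int tick = 0; tick <= 2; tick++) {
        if (tick == 0) memcpy(e.sram + NEXT_STAGE_PTR_OFF, &TRUSTED_ENTRY, sizeof TRUSTED_ENTRY);
        if (tick == 1) install_protections(&e);
        if (tick == dma_tick)
            dma_ok = dma_write(&e, NEXT_STAGE_PTR_OFF, &ATTACKER_ENTRY, sizeof ATTACKER_ENTRY);
    }

    uint32_t entry;
    memcpy(&entry, e.sram + NEXT_STAGE_PTR_OFF, sizeof entry);   /* tick 2: the jump */
    r.dma_blocked = !dma_ok;
    r.hijacked    = (entry != TRUSTED_ENTRY);
    return r;
}

int main(void)
{
    const char *label[] = { "during the gap", "after page tables", "at the jump" };
    for (int t = 0; t <= 2; t++) {
        struct result r = boot(t, 0);
        printf("DMA %-18s: %s\n", label[t], r.hijacked ? "HIJACKED" : "blocked");
    }
    struct result r = boot(0, 1);
    printf("DMA during the gap, IOMMU locked at reset: %s\n", r.hijacked ? "HIJACKED" : "blocked");
    return 0;
}
```

Save it under any name (say csme_race.c), build with `cc -std=c99 -Wall csme_race.c`, and run it: the DMA that lands at tick 0 overwrites the pointer the ROM later jumps through, the same write at tick 1 or 2 is rejected, and an IOMMU that starts locked closes the tick-0 window. That is the point the article makes: a protection installed by code, rather than present as the hardware's reset state, leaves a window before that code has run, and when the code lives in ROM the window cannot be patched away.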

