Intel CPUs are at risk of being exploited by hackers due to a vulnerability that is essentially unfixable, security researchers have warned.
Enterprise security solutions provider Positive Technologies posted on its website that it had identified a vulnerability – called CVE-2019-0090 – in Intel’s Converged Security and Management Engine (CSME), which is a security feature found in recent Intel CPUs. The CSME is one of the first systems that runs when a device is booted and is responsible for cryptographically verifying and authenticating all firmware loaded.
Originally, the CVE-2019-0090 vulnerability was considered a firmware bug, which allowed a malicious actor with physical access to the CPU to escalate privileges and execute code from the CSME by obtaining the Chipset Key. Intel attempted to fix this issue with a patch released in May 2019.
Mark Ermolov, a lead specialist of OS and hardware security at Positive Technologies, compared the Intel chip flaw to a similar error in the BootROM of Apple mobile platforms.
“Both vulnerabilities allow extracting users’ encrypted data. Here, attackers can obtain the key in many different ways. For example, they can extract it from a lost or stolen laptop in order to decrypt confidential data,” Ermolov explained in a blog post on Positive Technologies’ website.
However, Positive Technologies recently discovered that the bug can also be exploited through “local access,” such as via malware on a device, not necessarily through only physical access. The firm also noted that no amount of further updates can fix the vulnerability.
“Applying the patch for SA-00213 prevents the ISH (Integrated Sensors Hub) exploitation vector, but doesn’t fix the bug in CSME boot ROM,” Ermolov said in a statement to ZDNet.
Positive Technology researchers have recommended that users of Intel CPUs should disable the CSME-based encryption of data storage devices, or even migrate to tenth-generation or later Intel CPUs which do not have the issue.
