Yesterday, cybersecurity firm Positive Technologies revealed a brand new safety flaw affecting Intel CPUs launched over the previous 5 years (through Ars Technica). This new vulnerability has its roots within the ROM of the Intel Converged Safety and Administration Engine (CSME), which is a subsystem that verifies all firmware operating on Intel-based PCs, and in addition performs a task in hardware safety applied sciences comparable to DRM and Intel Id Safety.
“This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms,” defined Optimistic Applied sciences. “The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
The report factors out that this vulnerability can’t be fastened by firmware updates, and that it “sets the stage for arbitrary code execution with zero-level privileges in Intel CSME.” Nevertheless, 10th gen Intel chips usually are not affected by the safety flaw.
Intel apparently isn’t too nervous about this new vulnerability that follows the much-talked-about “Meltdown” and “Spectre” security flaws revealed two years in the past. In an announcement shared with Ars Technica, an Intel spokesperson defined that an attacker would require bodily entry and “specialized hardware” to leverage this vulnerability. The corporate additionally mentioned it has already launched “mitigations,” regardless of the Optimistic Applied sciences researchers explaining that there’s no definitive repair.
“Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products,” firm officers wrote in an announcement. “Intel launched mitigations and recommends holding methods up-to-date. Further steering particular to CVE-2019-0090 might be discovered here.”
Optimistic Applied sciences mentioned yesterday that extra particulars about this new vulnerability shall be revealed in white paper quickly. Within the meantime, we invite you to learn their preliminary reveal here.