'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

Although exploitation is like shooting a lone fish in a tiny barrel 1,000 miles away

An image of a secured computer chip

A slit in Intel's security – a tiny window of opportunity – has been discovered, and it's claimed the momentary weakness could be one day exploited to wreak "utter chaos."

It is a fascinating vulnerability, though non-trivial to abuse in a practical sense. It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. The problem revolves around cryptographic keys that, if obtained, can be used to break the root of trust in a system.

Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine (CSME). We've written about this a lot: it's a miniature computer within your computer. It has its own CPU, its own RAM, its own code in a boot ROM, and access to the rest of the machine.

More recently, the CSME's CPU core is 486-based, and its software is derived from the free microkernel operating system MINIX. You can find a deep dive into the technology behind it all, sometimes known as the Minute IA System Agent, here [PDF] by Peter Bosch.

Like a digital janitor, the CSME works behind the scenes, below the operating system, hypervisor, and firmware, performing lots of crucial low-level tasks, such as bringing up the computer, controlling power levels, starting the main processor chips, verifying and booting the motherboard firmware, and providing cryptographic functions. The engine is the first thing to run when a machine is switched on.

The exploit

One of the first things it does is set up memory protections on its own built-in RAM so that other hardware and software can't interfere with it. However, these protections are disabled by default, thus there is a tiny timing gap between a system turning on and the CSME executing the code in its boot ROM that installs those protections, which are in the form of input-output memory-management unit (IOMMU) data structures called page tables.

During that timing gap, other hardware – physically attached or present on the motherboard – that is able to fire off a DMA transfer into the CSME's private RAM may do so, overwriting variables and pointers and hijacking its execution. At that point, the CSME can be commandeered for malicious purposes, all out of view of the software running above it.

It's like a sniper taking a shot at a sliver of a target as it darts past small cracks in a wall. The DMA write race can be attempted when the machine is switched on, or wakes up from sleep, or otherwise when the CSME goes through a reset, which resets the IOMMU protections. You'll need local, if not physical, access to a box to exploit this.

Crucially, the boot ROM is read-only: it cannot be patched. The IOMMU's reset defaults can't be changed either without replacing the silicon. So, Intel chipsets out in people's computers are stuck with the vulnerability.

Who found it?

The weakness was spotted and reported to Intel by Positive Technologies, an infosec outfit that has previously prodded and poked Chipzilla's Management Engine. Although Positive announced its findings today, it is withholding the full technical details until a whitepaper about it all is ready. In a summary advisory, seen by The Register earlier this week, the team described the issue thus:

1. The vulnerability is present in both hardware and the firmware of the boot ROM. Most of the IOMMU mechanisms of MISA (Minute IA System Agent) providing access to SRAM (static memory) of Intel CSME for external DMA agents are disabled by default. We discovered this mistake by simply reading the documentation, as unimpressive as that may sound.

2. Intel CSME firmware in the boot ROM first initializes the page directory and starts page translation. IOMMU activates only later. Therefore, there is a period when SRAM is susceptible to external DMA writes (from DMA to CSME, not to the processor main memory), and initialized page tables for Intel CSME are already in the SRAM.

3. MISA IOMMU parameters are reset when Intel CSME is reset. After Intel CSME is reset, it again starts execution with the boot ROM.

Therefore, any platform device capable of performing DMA to Intel CSME static memory and resetting Intel CSME (or simply waiting for Intel CSME to come out of sleep mode) can modify system tables for Intel CSME pages, thereby seizing execution flow.

Intel attempted to mitigate the hole, designated CVE-2019-0090, last year with a software patch that prevented the chipset's Integrated Sensor Hub from attacking the CSME, though Positive today reckons there are other ways in. The team also said pretty much all Intel chip families available today, prior to tenth-generation processor parts, are vulnerable.

What's the impact?

The CSME provides, among other things, something called Enhanced Privacy ID, or EPID. This is used for things like providing anti-piracy DRM protections, and Internet-of-Things attestation. The engine also provides TPM functions, which allow applications and operating system software to securely store and manage digital keys for things like file-system encryption. At the heart of this cryptography is a Chipset Key that is encrypted by another key baked into the silicon, and you can't do too much damage, it seems, until you can decrypt the Chipset Key.

If someone manages to extract that hardware key, though, they can unlock the Chipset Key, and, with code execution within the CSME, they can undo Intel's root of trust on large swathes of products at once, we're told. Anything relying on the CSME, such as encryption and copy protection systems, can be subverted or broken, or the management engine could be turned on the user to silently spy on them.

"To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS)," explained Positive's Mark Ermolov.

"However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time.

"When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."

Intel says folks should install the firmware-level mitigations, "maintain physical possession of their platform," and "adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations." ®

Sponsored: Webcast: Why you need managed detection and response

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020