Researchers Uncover New Vulnerabilities In Intel, AMD Processors
'It requires a motivated and resourced attacker with at least (non-trivially obtained) local access — if not physical access — which considerably reduces the probability of widespread exploitation,' one security researcher says of the Intel processor vulnerability.
Security researchers have uncovered new vulnerabilities in processors made by Intel and AMD, but both vendors said the attack surface for the new flaws is limited if precautions are taken.
The first vulnerability, reported last week by IT security research firm Positive Technologies, involves a flaw in Intel's Converged Security Management Engine, also known as CSME, that is present in just about every processor that company has made in the last five years.
The flaw in Intel's CSME makes it possible for attackers to compromise encryption keys and steal data, according to the firm, which reported the vulnerability to Intel before publication. The firm said the flaw, which could let malware run at the hardware level undetected, cannot be fixed because the firmware errors are hard-coded in the Mask ROM and can't be changed.
“The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole,” said Positive Technologies researcher Mark Ermolov in a post.
An Intel spokesperson told CRN that the company has released mitigations for the vulnerability through firmware and BIOS updates while noting that the vulnerability could only be leveraged through physical access and specialized hardware.
The company is recommending best security practices for customers, including maintaining physical possession of their platform, installing updates immediately and monitoring for intrusions.
“Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products. Intel released mitigations and recommends keeping systems up-to-date,” a company statement said. Additional guidance specific to CVE-2019-0090 can be found on a company support website.
Security expert Kelly Shortridge downplayed the impact of the flaw, saying that on top of requiring physical access to execute the attack, the attacker would also need to do it in a "brief window of time" when direct memory access protections aren't in place.
"It requires a motivated and resourced attacker with at least (non-trivially obtained) local access — if not physical access — which considerably reduces the probability of widespread exploitation," wrote Shortridge, who is vice president of product strategy at cybersecurity vendor Capsule8.
Following the disclosure of the Intel CSME vulnerability, a separate group of researchers revealed on Friday two vulnerabilities in the L1D cache way predictor of AMD processors dating from 2011 to 2019.
The first vulnerability can be exploited using a method called Collide + Attack that allows an attacker to monitor the processor’s memory accesses without knowledge of physical addresses or shared memory, according to the researchers, who are affiliated with the Graz University of Technology in Austria.
The second vulnerability can be exploited using a method called Load + Reload, which allows attackers to “obtain highly-accurate memory-access traces of victims on the same physical core” of a processor.
The researchers said the vulnerabilities can be mitigated through changes in hardware and software, such as temporarily disabling the processor’s way predictor or clearing the memory of the way predictor when changing applications.
An AMD spokesperson told CRN that the vendor does not consider these vulnerabilities new discoveries because the researchers were able to exploit them using software or speculative execution side channel vulnerabilities that have already been discovered and patched.
"We are aware of a new whitepaper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way," the spokesperson said. "The researchers then pair this data path with known and mitigated software or speculative execution side channel vulnerabilities. AMD believes these are not new speculation-based attacks."
The company said it recommends that customers and partners continue following best security practices to combat vulnerabilities in processors. These include keeping the operating system up-to-date with the latest software and firmware, following secure coding methodologies, implementing the latest patched versions of critical libraries and running antivirus software.
Randy Copeland, CEO at Velocity Micro, a Richmond, Va.-based system builder that works with Intel and AMD, said based on what he's read about the new vulnerabilities, they appear to be low risk, especially when compared to more traditional means of hacking, like cracking a password.
"To some highly sensitive military computers maybe [the risk is higher], but those are typically going to be in high security facilities," he said.
Copeland said Velocity Micro has an engineer dedicated to following new security disclosures and that the company can walk customers through things like BIOS updates if needed.