Intel CSME bug is worse than previously thought
2020-03-06 15:19 by Daniela
Tags: Intel, CSME, flaw
Virtually all Intel chips released in the past five years contain an unfixable flaw that may allow sophisticated attackers to defeat a host of security measures built into the silicon. While Intel has issued patches to lessen the damage of exploits and make them harder, security firm Positive Technologies said the mitigations may not be enough to fully protect systems.
The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).
"The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality... This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms," wrote Mark Ermolov, lead specialist of OS and hardware security.
"The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets," warns Ermolov. "The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole."
The vulnerability is another in a string of Intel chip flaws that have damaged the chipmaker's reputation of late. In 2018, Intel faced heavy criticism over the Meltdown and Spectre flaws in Intel chips that could have allowed attackers to steal data. Contacted for comment, Intel reaffirmed that the bug can only be exploited via physical access and urged users to apply the May 2019 updates.