Intel Discovers Security Flaw in CSME Firmware

News
By Lucian Armasu
published

The flaw means vulnerability to privilege escalation, denial of service and information disclosure.

(Image credit: Shutterstock)

Intel’s internal team this week disclosed a new vulnerability in the company’s Converged Security and Management Engine (CSME), which could allow privilege escalation, denial of service and information disclosure attacks against PCs powered by certain Intel CPUs.

The bug affects all Intel CPUs that come with a CSME microcontroller unit (MCU), with the exception of newer Ice Lake and Comet Lake processor generations. The vulnerability has a CVSS score of 8.2 out of 10, classifying it as “high severity.”

The firmware flaw is an improper authentication in a subsystem in Intel CSME versions 12.0 through 12.0.48, and versions 13.0-13.0.20 and 14.0-14.0.10 may still allow attackers to enable escalation of privilege, denial of service or information disclosure if they have local access to the device via some other bugs.

On Internet of things (IoT) devices, only firmware 12.0.56 is affected.

Security Issues Keep Plaguing Intel Firmware

Only a few years ago, we’d hardly even hear about security issues with Intel firmware. But these days, especially with Intel Management Engine (ME), one of several firmware subsets of CSME, there seem to be a couple of major disclosures every year

Exploits of Intel’s ME/CSME chips and firmware can enable an attacker to remotely bypass a computer’s security solutions and take it over. That's because remote out-of-band management enabled by ME/CSME and Intel Active Management Technologies (AMT) is a "feature" Intel implemented in its processors.

Privacy activists and system vendors have long argued that Intel ME and the AMT firmware are too dangerous to be enabled on most devices, especially on consumer ones where there’s little to no need for them. 

Mitigation

Intel recommends asking your system manufacturers for the CSME firmware updates versions 12.0.49, 13.0.21 and 14.0.11 or later.  

As for most firmware updates, chances are system manufacturers will only update the most recent devices, with the vast majority of in-use devices remaining vulnerable to attacks.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
14 Comments Comment from the forums
  • jgraham11
    Another one, this time Intel actually reported it themselves.
    Do you think it has anything to do with the negative publicity they
    have been receiving for all those strings they attach to "Prize money"
    for reporting a bug.
    Why the researchers who found Cacheout bug declined to stay
    silenced for potentially years.
    Reply
  • bit_user
    It'd be interesting to know whether Intel's own internal IT disables the ME on their systems. I'm betting they probably do.
    Reply
  • cfbcfb
    bit_user said:
    It'd be interesting to know whether Intel's own internal IT disables the ME on their systems. I'm betting they probably do.

    Nope they don't. I have a number of friends who work in IT for the company. In truth, 90% of these "bugs" never affect anyone. I suppose if you download and install anything from anyone and spend your days on eastern european porn sites, you might get something. Oh, and your computer too!
    Reply
  • bit_user
    cfbcfb said:
    Nope they don't. I have a number of friends who work in IT for the company. In truth, 90% of these "bugs" never affect anyone. I suppose if you download and install anything from anyone and spend your days on eastern european porn sites, you might get something. Oh, and your computer too!
    I'm not sure you understand the nature of these ME bugs.

    The ME is like a special core, inside your CPU, that has privileged access to the rest of the entire system. On top of that, it's pretty much directly connected to the network.

    What that means is that, if there's a remote vulnerability, someone on your network could get root access to you box. That's one of the worst kinds of exploits, and it's a vulnerability that is especially of concern to corporations and potentially some cloud networks, where you have a ton of machines on the same networks.

    A lot of the side-channel attacks that we've been hearing about, recently, tend to require having some code already running on the box (although even simple Javascript in a web browser could be sufficient, in some cases). For those, I wouldn't worry too much about servers that are entirely under my control. It's only people running in VMs on cloud servers with unknown code running in other VMs that mainly worry about that stuff.
    Reply
  • Bamda
    This is now becoming a feature of Intel chips. LOL
    Reply
  • cfbcfb
    bit_user said:
    I'm not sure you understand the nature of these ME bugs.

    The ME is like a special core, inside your CPU, that has privileged access to the rest of the entire system. On top of that, it's pretty much directly connected to the network.

    What that means is that, if there's a remote vulnerability, someone on your network could get root access to you box. That's one of the worst kinds of exploits, and it's a vulnerability that is especially of concern to corporations and potentially some cloud networks, where you have a ton of machines on the same networks.

    A lot of the side-channel attacks that we've been hearing about, recently, tend to require having some code already running on the box (although even simple Javascript in a web browser could be sufficient, in some cases). For those, I wouldn't worry too much about servers that are entirely under my control. It's only people running in VMs on cloud servers with unknown code running in other VMs that mainly worry about that stuff.

    There may be 5-7 people on earth that understand it better than I do. And you're fairly wrong on nearly evert single count. You're extremely unlikely to have any sort of problem unless you download malware. No, some random software on the internet cannot infect a desktop via the ME without you doing anything stupid.
    Reply
  • bit_user
    cfbcfb said:
    There may be 5-7 people on earth that understand it better than I do. And you're fairly wrong on nearly evert single count.
    Talk is cheap. Tell me something I probably don't know about it.

    cfbcfb said:
    You're extremely unlikely to have any sort of problem unless you download malware. No, some random software on the internet cannot infect a desktop via the ME without you doing anything stupid.
    I didn't actually say "some random software on the internet". Misquoting me only hurts your credibility. I specifically cited large corporate networks.

    Now, I see that where I was slightly mistaken was in my belief that the ME was always connected to the network. According to this, only systems with the vPro enterprise feature are.

    https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
    However, that would tend to include most servers and even desktops deployed in corporate/enterprise environments. So, I stand by my previous assertion.

    You've presented no evidence refuting my claims - only weak insults and bravado. Next time, try harder.

    BTW, I misspoke - it resides in the chipset - not the CPU. That doesn't seem to limit the amount of damage it can inflict on the host.
    Reply
  • NightHawkRMX
    {sarcasm} Wow, an Intel security bug? That's rare! {/sarcasm}
    Reply
  • bit_user
    BTW, in case anyone else is interested, here's some more about Intel's Management Engine:
    https://www.slideshare.net/codeblue_jp/igor-skochinsky-enpubhttps://kakaroto.homelinux.net/2019/11/exploiting-intels-management-engine-part-1-understanding-pts-txe-poc/?_sm_au_=iVVLtVkZt7FJsnjMkpQ8jKtB7ckcW
    Reply
  • cfbcfb
    bit_user said:
    Talk is cheap. Tell me something I probably don't know about it.


    I didn't actually say "some random software on the internet". Misquoting me only hurts your credibility. I specifically cited large corporate networks.

    Now, I see that where I was slightly mistaken was in my belief that the ME was always connected to the network. According to this, only systems with the vPro enterprise feature are.

    https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
    However, that would tend to include most servers and even desktops deployed in corporate/enterprise environments. So, I stand by my previous assertion.

    You've presented no evidence refuting my claims - only weak insults and bravado. Next time, try harder.

    BTW, I misspoke - it resides in the chipset - not the CPU. That doesn't seem to limit the amount of damage it can inflict on the host.

    Seems like you enjoy hearing yourself talk. And then the hilarity of admitting you really didn't know much at all about it...several times. I didn't have to 'try harder' after all. You self-pwned yourself nicely.
    Reply