Intel Low-power Chips Hit by New Security Flaw

A vulnerability has been disclosed in Intel’s Goldmont and Goldmont Plus low-power architectures that could expose low-level security keys, according to security firm Positive Technologies (via The Register).

Positive Technologies responsibly disclosed the flaw to Intel (which has put out an advisory) before going public, and it has been assigned the reference CVE-2021-0146. Exploiting it requires physical access to the computer: the chip is tricked into entering a test debugging mode that has excessively high privileges, from which root encryption keys can be extracted. “The bug can also be exploited in targeted attacks across the supply chain,” said Positive’s Mark Ermolov in a statement. “For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect.”

A UEFI BIOS update can plug the security hole, and owners of affected systems are advised to look out for an update from their device’s manufacturer.

Ian Evenden
Freelance News Writer
