Intel Discovers Security Flaw in CSME Firmware

Intel’s internal team this week disclosed a new vulnerability in the company’s Converged Security and Management Engine (CSME), which could allow privilege escalation, denial of service and information disclosure attacks against PCs powered by certain Intel CPUs.

The bug affects all Intel CPUs that come with a CSME microcontroller unit (MCU), with the exception of newer Ice Lake and Comet Lake processor generations. The vulnerability has a CVSS score of 8.2 out of 10, classifying it as “high severity.”

The firmware flaw is improper authentication in a subsystem of Intel CSME versions 12.0 through 12.0.48, 13.0 through 13.0.20 and 14.0 through 14.0.10. It may allow attackers to enable escalation of privilege, denial of service or information disclosure if they have local access to the device via some other bugs.

On Internet of Things (IoT) devices, only firmware 12.0.56 is affected.

Security Issues Keep Plaguing Intel Firmware

Only a few years ago, we’d hardly even hear about security issues with Intel firmware. But these days, especially with Intel Management Engine (ME), one of several firmware subsets of CSME, there seem to be a couple of major disclosures every year.

Exploits of Intel’s ME/CSME chips and firmware can enable an attacker to remotely bypass a computer’s security solutions and take it over. That's because remote out-of-band management enabled by ME/CSME and Intel Active Management Technologies (AMT) is a "feature" Intel implemented in its processors.

Privacy activists and system vendors have long argued that Intel ME and the AMT firmware are too dangerous to be enabled on most devices, especially on consumer ones where there’s little to no need for them. 

Mitigation

Intel recommends asking your system manufacturer for CSME firmware update versions 12.0.49, 13.0.21 and 14.0.11 or later.

As with most firmware updates, chances are system manufacturers will only update the most recent devices, with the vast majority of in-use devices remaining vulnerable to attacks.
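To triage a fleet against the version ranges given above, the following added example (not from the article or from Intel) classifies reported CSME versions, including the IoT case where the same version string gets a different answer. How the version is collected, the optional fourth build field, the `is_iot` flag and the sample inventory are assumptions.

```python
import re

# Last affected hotfix per (major, minor) branch, as stated in the article;
# the next hotfix on each branch (12.0.49, 13.0.21, 14.0.11) is the fix.
LAST_AFFECTED = {(12, 0): 48, (13, 0): 20, (14, 0): 10}
# Article: on IoT devices only firmware 12.0.56 is affected.
IOT_AFFECTED = {(12, 0, 56)}

# Assumption: an optional fourth (build) field may follow and is ignored.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")

def parse_version(text):
    """Return (major, minor, hotfix) or raise ValueError."""
    match = _VERSION.match(text or "")
    if not match:
        raise ValueError(f"unparseable CSME version: {text!r}")
    return tuple(int(g) for g in match.groups())

def classify(version_text, iot=False):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if iot:
        return "affected" if version in IOT_AFFECTED else "not-listed"
    last = LAST_AFFECTED.get(version[:2])
    if last is None:
        return "not-listed"  # branch the article gives no range for
    return "affected" if version[2] <= last else "fixed"

def triage(inventory):
    """Group hosts by status; rows are (host, version, is_iot)."""
    report = {}
    for host, version, is_iot in inventory:
        report.setdefault(classify(version, is_iot), []).append(host)
    return report

# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE = [("laptop-01", "12.0.45.1509", False), ("laptop-02", "12.0.49", False),
          ("desk-07", "13.0.20", False), ("desk-08", "14.0.11.1205", False),
          ("kiosk-03", "12.0.56", True), ("desk-09", "12.0.56", False),
          ("srv-11", "11.8.70", False), ("lab-02", "unknown", False)]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as `not-listed` or `unparseable` are ones the article's ranges cannot settle and need a manual check against the vendor's advisory.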

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.