# 5 years of Intel CPUs and chipsets have a concerning flaw that’s unfixable



## trparky (Mar 6, 2020)

5 years of Intel CPUs and chipsets have a concerning flaw that's unfixable (arstechnica.com): Converged Security and Management Engine flaw may jeopardize Intel's root of trust.



Word has it that the vulnerability may not be fully patched and that if you have physical access, all bets are off. But then again, that’s always been the case.


----------



## mtcn77 (Mar 6, 2020)

Kinda old.








Intel Management Engine Patched (www.techpowerup.com): https://threatpost.com/intel-patches-high-severity-flaw-in-security-engine/152794/ The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to...


----------



## Solaris17 (Mar 6, 2020)

Please put some original thought into your posts or the thread will be locked.


----------



## Fouquin (Mar 6, 2020)

trparky said:


> How? Arstechnica just published that article today.



They're late to reporting on it. The company that 'discovered' it, Positive Technologies, even addresses that the flaw is the same as CVE-2019-0090 which Intel already has mitigations for.

_"We should point out that when our specialists contacted Intel PSIRT to report the vulnerability, Intel said the company was already aware of it (CVE-2019-0090). Intel understands they cannot fix the vulnerability in the ROM of existing hardware. So they are trying to block all possible exploitation vectors. The patch for CVE-2019-0090 addresses only one potential attack vector, involving the Integrated Sensors Hub (ISH). We think there might be many ways to exploit this vulnerability in ROM. Some of them might require local access; others need physical access."_


----------



## EarthDog (Mar 6, 2020)

mtcn77 said:


> Kinda old.
> 
> 
> 
> ...


Is this the same issue? I see a CVE in yours but not one in the OP's link.

Edit: ahh ha! (CVE-2019-0090)

Not the same.


----------



## timta2 (Mar 6, 2020)

This is also being reported in several other major news publications today, so while it may be old news, it's still current.



Solaris17 said:


> Please put some original thought into your posts or the thread will be locked.



The way you've stated this seems insulting.


----------



## Solaris17 (Mar 6, 2020)

timta2 said:


> The way you've stated this seems insulting.



I am sorry you took it as such. I meant to include thoughts on the matter in the OP.


----------



## lexluthermiester (Mar 6, 2020)

EarthDog said:


> Is this the same issue? I see a CVE in yours but not one in the OP's link.
> 
> Edit: ahh ha! (CVE-2019-0090)
> 
> Not the same.


You beat me to that one. This seems to be a new problem.

@trparky
Mitigation is the same as for any of the other vulnerabilities relating to Intel ME: disable the hardware, uninstall any related drivers and software, and use a network device that is not wired (built in) to the motherboard itself. These steps will completely mitigate the vulnerabilities relating to this new discovery.


----------



## moproblems99 (Mar 6, 2020)

mtcn77 said:


> Kinda old.
> 
> 
> 
> ...





Fouquin said:


> They're late to reporting on it.





timta2 said:


> This is also being reported in several other major news publications today, so while it may be old news, it's still current.



The CVEs are clearly different, so these are clearly not the same issue, so clearly not old. The one I reposted does not have any mention of CVE-2019-0090, which is what the OP is about.


----------



## Solaris17 (Mar 6, 2020)

ME may be a case in itself, but with SaaS and other cloud-based software providers and services it inevitably leads to higher server density, and I am curious how OOB/lights-out management systems take the fight in a more security-aware world.

IPMI
iLO
iDRAC

Just to name a few stand from vulns that are just as bad as some of the Intel ME ones. Full KVM access to a server is a big deal and coveted, I imagine.

Even if it doesn't lead to any data loss/breach (and it's hard not to imagine), I can't imagine the other kinds of disruption that could stem from those systems being broken into. Even if it's just some skiddies sending an ACPI shutdown.


----------



## Fouquin (Mar 6, 2020)

moproblems99 said:


> The CVEs are clearly different, so these are clearly not the same issue, so clearly not old. The one I reposted does not have any mention of CVE-2019-0090, which is what the OP is about.

Intel x86 Root of Trust: loss of trust (blog.ptsecurity.com): The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has ...





This is the direct report on the vulnerability by Positive Technologies where they themselves state it is the same vulnerability as outlined in CVE-2019-0090.

The Ars Technica article also says the same if you read down to the bottom, with statements from Intel and links to CVE-2019-0090 mitigation downloads.

They simply exploited another attack vector, but it's the same vulnerability.


----------



## moproblems99 (Mar 6, 2020)

Fouquin said:


> Intel x86 Root of Trust: loss of trust
> 
> 
> The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has ...
> ...



CVEs don't generally get duplicated; a different CVE is a different flaw.

EDIT: No, these are different. The CVE from my repost targets this Intel SA: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00307.html which is Intel-SA-00307. While the CVE in the OP is covered by this SA: https://www.intel.com/content/www/us/en/support/articles/000033416/technologies.html which is Intel-SA-00213


----------



## ChristTheGreat (Mar 6, 2020)

Solaris17 said:


> ME may be a case in itself, but with SaaS and other cloud-based software providers and services it inevitably leads to higher server density, and I am curious how OOB/lights-out management systems take the fight in a more security-aware world.
> 
> IPMI
> iLO
> ...




You could shut down a server without access to an iDRAC, iLO, or any other.

Having access to a managed PDU, UPS, or the user/password of the hypervisor/OS... This is the main reason why you set ACLs on the management interface of any device. You never let non-admin IPs have access to this. It needs to be behind a firewall, in a different VLAN, etc.

Intel ME can be active on a normal computer. You need to disable this at any time.
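The ACL rule described above (only the admin subnet may reach the BMC/iLO/iDRAC VLAN, everything else denied) as an added example, not code from this thread: a small Python policy checker that evaluates constructed flows against a strict ACL and a weak "any internal source" ACL and reports which allowed flows come from outside the admin subnet. All addresses, subnets and port numbers are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Out-of-band management ports (SSH, HTTPS web UI, IPMI/RMCP+, KVM). The
# specific numbers are assumptions for this example, not from the thread.
OOB_PORTS = frozenset({22, 443, 623, 5900})

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network        # who may connect
    dst: ipaddress.IPv4Network        # management VLAN being protected
    ports: Optional[frozenset]        # destination ports; None means any port
    action: str                       # "allow" or "deny"

def first_match(rules, src_ip, dst_ip, port):
    """Action of the first rule matching the flow; default deny if none match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
            return r.action
    return "deny"

def violations(rules, flows, admin_net):
    """Flows the ACL allows although the source lies outside the admin subnet."""
    return [f for f in flows
            if first_match(rules, *f) == "allow"
            and ipaddress.ip_address(f[0]) not in admin_net]

# Constructed addresses: BMC/iLO/iDRAC VLAN and the admin jump-host subnet.
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")
ADMIN_NET = ipaddress.ip_network("10.10.5.0/27")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Correct ACL: admin subnet only, explicit deny for everything else.
STRICT_ACL = [Rule(ADMIN_NET, MGMT_VLAN, OOB_PORTS, "allow"),
              Rule(ANY, MGMT_VLAN, None, "deny")]
# Weak ACL: "all internal" source, which lets office desktops reach the BMCs.
WEAK_ACL = [Rule(ipaddress.ip_network("10.0.0.0/8"), MGMT_VLAN, OOB_PORTS, "allow"),
            Rule(ANY, MGMT_VLAN, None, "deny")]

# Constructed flows: an admin host, an office desktop, and an internet source.
SAMPLE_FLOWS = [("10.10.5.3", "10.99.0.20", 623),
                ("10.20.8.44", "10.99.0.20", 443),
                ("203.0.113.7", "10.99.0.20", 623)]

if __name__ == "__main__":
    for name, acl in (("strict", STRICT_ACL), ("weak", WEAK_ACL)):
        print(name, "violations:", violations(acl, SAMPLE_FLOWS, ADMIN_NET))
```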


----------



## lexluthermiester (Mar 6, 2020)

Fouquin said:


> They simply exploited another attack vector, but it's the same vulnerability.


Thus the new problem. This new attack method seemingly goes right around the mitigation patches.


----------



## Solaris17 (Mar 6, 2020)

ChristTheGreat said:


> Intel ME can be active on a normal computer. You need to disable this at any time.



Meh, the same could be said for ME (it is OOB). You can even take it a step further too; in reality, someone will leverage any of the far easier network/OS-level exploits before they hit the jackpot with IPMI.

Doesn't change the fact ME has the vulnerability, doesn't change the fact that I'm still curious. A quick scan or probe on Shodan and you would be surprised at the amount of idiots with any OOB technology open to the world.


----------



## moproblems99 (Mar 6, 2020)

Solaris17 said:


> A quick scan or probe on Shodan and you would be surprised at the amount of idiots with any OOB technology open to the world.



Are you really that surprised though?


----------



## Solaris17 (Mar 6, 2020)

moproblems99 said:


> Are you really that surprised though?



Man, I wish I was. Probably wouldn't have a career if people weren't dumb though.

With Intel ME. I don't think it's ME itself, or rather I don't think it's the idea of ME. I think at this point though there will be cve after cve. It's the implementation that is broken. Hardware that is simply not physically architected securely enough.

I want to be fair here. Everyone keeps bashing ME. I get it and it's deserved. I hope though that the users have the clairvoyance to see it for what it is though. Let's take this for example.

They have a hardware problem, physical architecture allows arbitrary exploitation.

They patch it with software because they can't rewire it.

A vuln is found in the patch.
A new patch is issued.
They leverage other software that is trusted to bypass the patch.

They are reported to have 4 problems including the initial CVE. However, these are all problems based on the same hardware.

Things like this are just unavoidable, regardless of manufacturer. Once you have a hardware fault you simply move the method of exploitation up a level. They moved it from hardware to software; now it will be patch after patch. There will generally always be a way, via proxy or otherwise. This specific arch implementation of ME is toast.

That doesn't mean the next will be though. All platforms new and old deserve scrutiny. So I have no doubts the next gen ME platform will be looked at under a microscope by company management/engineers and by the public at large.

That doesn't mean they are the same problems though. That doesn't mean that all MEs are the same.

I hope that the clarification is given (as it often is I guess) about the differences in nature between new products and past problems. The security industry let alone just public users deserve to have an open mind regardless of preference if only to find more issues with new platforms.


----------



## R0H1T (Mar 6, 2020)

Fouquin said:


> This is the direct report on the vulnerability by Positive Technologies where they themselves state it is the same vulnerability as outlined in CVE-2019-0090.
> 
> The Ars Technica article also says the same if you read down to the bottom, with statements from intel and links to CVE-2019-0090 mitigation downloads.
> 
> They simply exploited another attack vector, but it's the same vulnerability.


So it wasn't fully patched, just like the slew of half-baked patches which Intel released last year & tried to bribe the researchers to not disclose other attack vectors. In short this is *NEW*


----------



## Solaris17 (Mar 6, 2020)

R0H1T said:


> So it wasn't fully patched, just like the slew of half-baked patches which Intel released last year & tried to bribe the researchers to not disclose other attack vectors. In short this is *NEW*



Blah, have any of the ME patches affected performance yet? I think several of them have been OS-level mitigations.


----------



## R0H1T (Mar 6, 2020)

Solaris17 said:


> Blah, have any of the ME patches affected performance yet? I think several of them have been OS-level mitigations.


That wasn't ME from what I remember ~


NYTimes posted an article about Intel CPU fixes from last May. (www.techpowerup.com): *Gasp* Intel caught lying again? Say it ain't so! ;) I don't know how much truth there is to this, maybe someone can decipher what's being said here, or call BS on it. https://www.nytimes.com/2019/11/12/technology/intel-chip-fix.html @btarunr maybe make a news article out of this?




And I'll put it bluntly, corporate doublespeak is not fine *IMO* but this was a lie!


----------



## Solaris17 (Mar 6, 2020)

R0H1T said:


> That wasn't ME from what I remember ~



Huh, I already knew of Spectre and mitre etc, but I was under the impression ME patches had entered the user space.

Probably a good thing they haven't. Performance loss at this point can be pretty jarring for certain workloads. I wouldn't be surprised if some tool was made by now that disabled them though. (Assuming a software workaround is in play and people don't have an updated BIOS.)

EDIT: Looks like InSpectre does this now. Could have sworn it just checked in earlier versions. https://www.grc.com/inspectre.htm


----------



## ChristTheGreat (Mar 7, 2020)

Solaris17 said:


> Meh, the same could be said for ME (it is OOB). You can even take it a step further too; in reality, someone will leverage any of the far easier network/OS-level exploits before they hit the jackpot with IPMI.
> 
> Doesn't change the fact ME has the vulnerability, doesn't change the fact that I'm still curious. A quick scan or probe on Shodan and you would be surprised at the amount of idiots with any OOB technology open to the world.



Any code has a vulnerability. That is not the question. Even without any IPMI, you could hit the jackpot. Someone that wants to reach the core of a business will do whatever it takes. You can just slow him, and if you have a reactive team, block it before there is too much damage.

You just said "amount of idiots". That's because IT has become for everyone, and people don't understand. Add Cloud to all of this, and we have a lot of problems.



Solaris17 said:


> Man, I wish I was. Probably wouldn't have a career if people weren't dumb though.
> 
> With Intel ME. I don't think it's ME itself, or rather I don't think it's the idea of ME. I think at this point though there will be cve after cve. It's the implementation that is broken. Hardware that is simply not physically architected securely enough.
> 
> ...



I understand this point. I am not bashing Intel ME, I just think that for a computer that can go anywhere and connect to any network, this shouldn't be enabled. Like I said, there are bugs everywhere. Just like HP iLO 4 firmware version 2.54: typing A 29 times bypasses security. There are exploits everywhere; you can just reduce the access to these devices, and you have mostly no damage possible, except if one of your IT computers gets compromised.


----------
