Another day, another vulnerability. Intel has just released firmware updates for a vulnerability (CVE-2018-3655) in the Intel Converged Security and Manageability Engine (CSME). The security flaw enables threat actors to recover, modify, or delete data stored on Intel’s CPU chip-on-chip system.
CSME, also known as Management Engine BIOS Extension, contains a list of components such as the Intel Management Engine (ME) used with mainstream Intel chipsets, the Server Platform Services (SPS) used for servers, and the Trusted Execution Engine (TXE) used as a remote management engine for tablets and embedded devices.
Furthermore, Intel ME, SPS, and TXE are designed to work as a separate computer on top of the main Intel CPU. These components have their own stripped-down OS, memory, network interface, and storage system.
Positive Technologies experts Mark Ermolov and Maxim Goryachy, who discovered the vulnerabilities, explained, specifically for Intel ME, that:
Intel ME (short for “Management Engine”) stores data with the help of MFS (which likely stands for “ME File System”). MFS security mechanisms make heavy use of cryptographic keys. Keys differ in purpose (confidentiality vs. integrity) and degree of data sensitivity (Intel vs. non-Intel).
It should be noted that the most sensitive data is protected by Intel Keys, with Non-Intel Keys used for everything else. In short, four keys are used: Intel Integrity Key, Non-Intel Integrity Key, Intel Confidentiality Key, and Non-Intel Confidentiality Key.
As a matter of fact, the very same researchers gained access to these keys in 2017. Back then, they used a security flaw in JTAG, a debugging interface, to recover the four encryption keys deployed by Intel ME, SPS, and TXE.
In the current scenario, the researchers relied on the same attack mechanism, the only difference being that they leveraged the vulnerability to uncover the two Non-Intel keys. With this new attack, they obtained access to the immutable non-Intel root secret as well as the Intel Security Version Number (SVN).
Intel has already issued a patch with the ME, SPS, and TXE firmware updates to address this vulnerability. The vulnerability itself is known as CVE-2018-3655. It is described as an escalation of privilege and information disclosure vulnerability with a high severity rating and impact.
Here is the official description of CVE-2018-3655:
A vulnerability in a subsystem in Intel® CSME before version 11.21.55, Intel® Server Platform Services before version 4.0 and Intel® Trusted Execution Engine Firmware before version 3.1.55 may allow an unauthenticated user to potentially modify or disclose information via physical access.
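As an added example (not Intel's or Positive Technologies' code), the following script turns the fixed versions quoted in that description into a first-pass triage of reported CSME, SPS and TXE firmware versions from an inventory. The host names and version strings are constructed sample data, and the script applies the three thresholds exactly as quoted above; confirm results against the vendor advisory, which may list separate fixed versions for other firmware branches.

```python
"""Triage reported Intel CSME / SPS / TXE firmware versions against the
fixed versions quoted in the CVE-2018-3655 description."""
from typing import Iterable, List, Tuple

# Minimum fixed versions, taken verbatim from the CVE text above.
FIXED_VERSIONS = {
    "CSME": "11.21.55",
    "SPS": "4.0",
    "TXE": "3.1.55",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.8.50.3425' into (11, 8, 50, 3425); reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(component: str, reported: str) -> bool:
    """True if the reported firmware is older than the fixed version.

    Both tuples are zero-padded to the same length before comparing, so
    '4' and '4.0' are equal and '11.21.55.1234' is not older than
    '11.21.55'.
    """
    fixed = parse_version(FIXED_VERSIONS[component])
    got = parse_version(reported)
    width = max(len(fixed), len(got))
    fixed += (0,) * (width - len(fixed))
    got += (0,) * (width - len(got))
    return got < fixed


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, component, version) entries still below the fix."""
    return [(h, c, v) for h, c, v in inventory if is_vulnerable(c, v)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("laptop-01", "CSME", "11.8.50.3425"),
    ("laptop-02", "CSME", "11.21.55.1234"),
    ("server-01", "SPS", "3.1.3"),
    ("server-02", "SPS", "4.0.4"),
    ("tablet-01", "TXE", "3.0.13"),
    ("tablet-02", "TXE", "3.1.55"),
]

if __name__ == "__main__":
    for host, comp, ver in triage(SAMPLE_INVENTORY):
        print("%s: %s %s is below fixed version %s" % (host, comp, ver, FIXED_VERSIONS[comp]))
```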