Intel Patches Firmware Flaw That Leaks ME Encryption KeysResearcher Finds Intel's Previous Management Engine Patches Weren't Foolproof
Intel has had a challenging time lately on the vulnerability front. Computer security researchers have dug deeply into the chip manufacturer's wares, finding vulnerabilities such as Meltdown, Spectre and Foreshadow, all of which proved to be difficult to fix or mitigate.
Now, another problem has emerged. Intel has patched a very serious firmware vulnerability, CVE-2018-3655, which could potentially leak encryption keys stored inside its Management Engine. The ME is a crucial microchip with code that brokers communications between a processor and external devices and helps with power management as well as starting up a computer's main processor.
Here's Intel's list of affected components and the new, post-patch firmware version numbers:
The ME is a self-contained x86 system with its own RAM. The system runs its own OS, called MINIX, and sports a variety of other features and capabilities, such as responsibility for verifying the lowest layers of boot security, including the firmware.
But according to report published by Russian company Positive Technologies, one of its researchers, Dmitry Sklyarov, found that he could extract two types of non-Intel encryption keys within a type of file system contained in the ME.
Sklyarov shouldn't have been able to do that after last year, when two of his colleagues, Mark Ermolov and Maxim Goryachy, found flaws that allowed them to do the same thing. Intel reviewed their research and issued a series of patches. In theory, those patches should have prevented these types of problems from recurring.
Ermolov and Goryachy were able to extract four types of keys: Intel's confidentiality and integrity keys and two non-Intel confidentiality and integrity keys. Their findings were significant enough that they detailed them in a presentation at the Black Hat Europe security conference last year.
This time around, Sklyarov was able to obtain the non-Intel confidentiality and integrity keys. When Intel patched the flaws found by Sklyarov's colleagues, it issued a new Security Version Number, which is a value that - in part - ensures that updated software still has access to older secrets stored on the microchip.
Sklyarov, however, found that the non-Intel keys are calculated using the SVN and an "immutable non-Intel root secret, which is unique to each platform," Positive Technologies writes in a blog post. The researcher exploited another vulnerability to get that root secret, which then enabled the calculation "of the values of both non-Intel keys even in the newer firmware version."
Positive Technologies says: "Attackers could calculate the non-Intel integrity key and non-Intel confidentiality key for firmware that has the updated SVN value, and therefore compromise the MFS [the ME's file system] security mechanisms that rely on these keys."
Intel lays out the consequences of a successful exploit in its security advisory. Namely, an unauthenticated attacker with physical access could bypass anti-reply protection with the CSME, or Converged Security and Management Engine. In other words, brute-force attacks could result in information disclosure.
Intel says an attacker may be able to access the Management Engine BIOS Extension password. Also possible is tampering within file systems or directories within the ME, Server Platform Services or the Trusted Execution Environment.