Security experts from Positive Technologies warn of a new vulnerability, tracked as CVE-2019-0090, that affects all Intel processors that were released in the past 5 years. The flaw is currently defined as
The CVE-2019-0090 vulnerability affects the firmware running on the ROM of the Intel’s Converged Security and Management Engine (CSME). Experts explain that the only way to address the issue it to replace the vulnerable chips.
Intel CSME is the cryptographic basis for hardware-enabled security technology developed by Intel that implements an enclave protected
The flaw could be exploited by attackers to extract the Chipset Key, which is a sort of master cryptographic key that can grant an attacker access to feature on a device,
Access to the Chipset Key could allow attackers to decrypt traffic and other sensitive data, and to bypass DRM protections.
“Intel’s security is designed so that even arbitrary code execution in any Intel CSME firmware module would not jeopardize the root cryptographic key (Chipset Key),” the experts said. “Unfortunately, no security system is perfect. Like all security architectures, Intel’s had a weakness: the boot ROM, in this case. An early-stage vulnerability in ROM enables control over
Intel attempted to address the flaw, but security patches it has made available are incomplete and could not defend systems from sophisticated attacks.
The vulnerability in the Intel CSME firmware could be exploited by a local attacker at early booting.
“The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and
“The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
The CVE-2019-0090 vulnerability affects Intel CSME versions 11
Only Intel 10th generation processors, Ice Point
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.