New Spectre-Related CPU Flaw Tops Intel’s Latest Critical Security Fixes
Intel has announced a large number of patches and fixes for dozens of security problems in its products and processors. The company has provided a total of 77 patches to OEMs and partners as part of its Intel Platform Update program. We were briefed on this update prior to the formal announcement, but the documents Intel has provided are a bit vague, and the links that should lead to the write-ups on the nature of these issues aren’t actually live yet. The flaw that Intel spent the most time discussing, meanwhile, isn’t the highest-ranked security problem on the list.
According to Intel, it is fixing 77 security flaws with this raft of patches. 67 of the flaws were found internally at Intel, while 10 were discovered by outside researchers. At least one of the CVE vulnerabilities, CVE-2019-0169, has a CVSS rating of 9.6 (ratings of 9 – 10 are considered critical, the highest severity). As of this writing, the webpage for CVE-2019-0169 is a placeholder, but we’ll have more to say as soon as we can tell what this vulnerability does. It appears to be located in the Intel Management Engine or one of its subcomponents.
The first set of fixes covers various aspects of Intel’s command-and-control hardware, including the Intel Management Engine (IME), Converged Security and Management Engine (CSME), Intel Server Platform Services (SPS), Trusted Execution, and the like. It’s clear that Intel has been laying the groundwork for a major security update: there’s a CSME Detection Tool available online dated to September 4, and various laptop manufacturers have been pushing UEFI updates for IME security issues since late September. The design and security of the IME have been strongly criticized by security researchers over the years, mostly for being an entirely black box and impossible to evaluate. The security processors used by ARM, AMD, and Apple have all faced similar complaints.
Intel’s paraphrased description of CVE-2019-0169 (which has not been published as of this writing) is that it concerns a heap overflow in a subsystem of the Intel CSME and one in the Trusted Execution (TXE) subsystem. These flaws may allow an unauthenticated user to enable privilege escalation, disclose information, or launch a denial of service attack via “adjacent access.” “Adjacent access” is not defined, but is positioned against terms like “local access” or “network access.”
We can’t describe most of these vulnerabilities in detail, but CVE ratings of 8+ are generally significant and should be acted upon. The fact that UEFI updates have already been pushed for laptops means it might not be a bad idea to grab one.
The practical impact of this problem is likely to be limited, but Intel couldn’t have made it more difficult to determine which CPUs aren’t impacted if it tried. Listing the enumerated values of specific CPU fields is only helpful if those values are readily available for each individual CPU a person might own. Intel has web pages devoted to detailing MDS fixes at the per-CPU level, but none of the information on those pages corresponds to the values given above. As such, it’s useless for determining whether or not you have a CPU with a vulnerability. It would be better to identify the specific CPU families or models, even if that leads to rather long lists. A switch has been added to the UEFI of affected products to allow TSX to be turned off, and Intel’s guidance is that consumers who have the feature but don’t use it should disable it.
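To confirm whether the TSX switch described above has taken effect, one option on Linux is to check whether the kernel still advertises the two TSX feature flags, `hle` and `rtm`, for each logical CPU. The script below is an added example, not Intel's tooling or part of the original article; it assumes a Linux host with `/proc/cpuinfo`, and the embedded sample is constructed, not taken from a real machine.

```python
import sys

TSX_FLAGS = {"hle", "rtm"}  # /proc/cpuinfo names for the two TSX interfaces

# Constructed sample in /proc/cpuinfo layout (hypothetical CPU, mixed state).
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU A\nflags\t\t: fpu vme sse2 avx2 hle rtm\n"
    "\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU A\nflags\t\t: fpu vme sse2 avx2\n"
)

def parse_cpuinfo(text):
    """Split cpuinfo text into one dict of fields per logical CPU stanza."""
    cpus = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def tsx_report(text):
    """Return {cpu_number: sorted TSX flags present} for Intel CPUs only."""
    report = {}
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        flags = set(cpu.get("flags", "").split())
        report[int(cpu["processor"])] = sorted(flags & TSX_FLAGS)
    return report

def tsx_exposed(text):
    """True if any Intel logical CPU still advertises HLE or RTM."""
    return any(tsx_report(text).values())

if __name__ == "__main__":
    # Pass a path such as /proc/cpuinfo; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CPUINFO
    for cpu, flags in sorted(tsx_report(text).items()):
        status = "TSX exposed (" + " ".join(flags) + ")" if flags else "no TSX flags"
        print(f"cpu{cpu}: {status}")
    sys.exit(1 if tsx_exposed(text) else 0)
```

Absent flags only show that the operating system does not see TSX; they do not distinguish a CPU that never had the feature from one where it was switched off.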