Intel chips for the past five years have included vulnerabilities that cannot be fixed. The vulnerability CVE-2019-0090 is located in the mask model read-only memory (mask ROM) of Intel CPU and chipset subsystem converged Security and Engine Management (CSME) and cannot be fixed by updating the firmware.
Experts at security firm Positive Technologies say the problem is not only the impossible fix for hard-coded firmware errors in processor and chipset masking models, but also the vulnerability that allows hardware-level intrusions that undermine the platform’s trust chain as a whole.
An attacker who successfully exploits this vulnerability can bypass the security provided by Intel Enhanced Privacy ID (EPID) to make it possible to extract chipset encryption keys. This encryption key is not platform-specific, and Intel’s same generation of chipsets uses the same single key.
Positive Technologies is concerned that it is only a matter of time before the key is extracted. Once the key is compromised, the chaos will occur, the hardware ID will be forged, the digital content will be extracted, and the encrypted content of the hard disk will be decrypted.
Intel says it is trying to block any possible use vectors, but security researchers say the chip giant’s current release of patches can only block one of them.