Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Intel Security

Intel CSME Bug Worse Than Previously Thought (zdnet.com) 68

Security researchers say that a bug in one of Intel's CPU technologies that was patched last year is actually much worse than previously thought. From a report: "Most Intel chipsets released in the last five years contain the vulnerability in question," said Positive Technologies in a report published today. Attacks are impossible to detect, and a firmware patch only partially fixes the problem. To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said. The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).
This discussion has been archived. No new comments can be posted.

Intel CSME Bug Worse Than Previously Thought

Comments Filter:
  • by quonset ( 4839537 ) on Thursday March 05, 2020 @09:46AM (#59799280)

    The recommended solution is replace (i.e. buy) a new CPU. Since it's the chip which is having the problem, shouldn't Intel be giving people who bought these flawed chips new ones at no charge? Why should the consumer be penalized for Intel's problem?
    To use a bad car analogy, air bags are being replaced by car dealers at no cost to the consumer. The consumer is not paying to have anything fixed because the air bags are faulty.

    • Re: (Score:3, Interesting)

      That's an unsustainable business model. In another 5-10 years their newly-introduced backdoor...erhm...bugs will be found and people would just demand free replacements again. Intel is a corp designed to, get this, collect "intel." The government can't afford to make that happen without offloading the cost onto the people being spied upon.
    • by binarybum ( 468664 ) on Thursday March 05, 2020 @09:53AM (#59799302) Homepage

      Definitely. This is grounds for recall if ever there was one. Otherwise the recommendation should be to replace with an AMD processor - would be insane to give more money to company producing faulty product that is not assisting with fixing the problem.
              Would be nice to get some free silver paste and an apology for the time I'll spend messing with my cooling system too - but that is asking a bit much...

      • "Replace with an AMD processor" would be a bit of a challenge, because the last motherboard socket Intel & AMD had in common was Socket 7, approximately twenty years ago.

        Intel now introduces multiple new sockets for every new generation... sometimes, stepping... of the same nominal chip. AMD is better, but even AMD seems to come up with yet another new socket every year or two.

        In theory, maybe someone could make adapter boards... but even if they could get past the electronic & mechanical challenges

    • by LostMyAccount ( 5587552 ) on Thursday March 05, 2020 @10:10AM (#59799346)

      How would that actually work? I mean if you're running a two year old platform, you're not gonna be able to just snap in new CPU, it's gonna be a whole mainboard and on most vendor server platforms even that may not work.

      I'm not disagreeing with your sentiment much, but I think it's so ridiculously impractical that it would never get off the ground. Intel didn't make Dell build servers with non-upgradable proprietary mainboards.

      It almost makes me wonder if the answer to heading this off in the future is to go back to slot/bus CPUs, but nobody in the industry wants that as it would allow cheaper upgrades to existing platforms and keep everyone from re-buying everything from the ground up every 4-5 years.

      • I think a more realistic approach would be something like a discount coupon for a new CPU or PC based on the age and price of the processor.

        Any shrink-wrap agreemnet terms that say that Intel has no responsibility are unconscionable.

        • No one would be satisfied with that when they learn that the value of their coupon is the pro-rated-for-depreciation wholesale cost of the CPU itself.

          So like $500 off a total system replacement priced at $10,000.

          But that is the only realistic way to do this, too many vendors and ancillary components involved.

      • easy. they re-fab new, corrected versions of the broken chips, socket compatible for each mainboard. Fixed chips sent for free, once Intel receives old chip.
        • "easy"

          So when it turns out there's some flaw in my 5 year old car transmission, you'd expect the carmaker to turn back time and remanufacture an obsolete transmission without the flaw?

          That'd be great if you can actually make it work.

          • by sconeu ( 64226 )

            No, but I'd expect the carmaker to issue a recall and FIX THE F***ING FLAW

            • That isn't how it works. If it isn't a safety issue, it probably won't get a recall. It is, and has been this way for as long as I remember. Subaru can keep on selling engines with a bad head gasket design and GM can keep selling engines that leak oil at the seams. It isn't dangerous
          • So when it turns out there's some flaw in my 5 year old car transmission, you'd expect the carmaker to turn back time and remanufacture an obsolete transmission without the flaw?

            That's basically what they did for a big fraction of all of the airbags produced in the last 20 years.

          • yeah, when theres a remote backdoor in that transmission that allows an attacker to put me in neutral from the next lane.
          • Yes, I expect them to fix the darn thing if it misbehaves well short of the typical lifespan of a product, and especially if it creates a danger to the user.

      • by AmiMoJo ( 196126 ) on Thursday March 05, 2020 @11:32AM (#59799704) Homepage Journal

        Intel would have to fix their old CPU designs and restart manufacture. It would probably be cheaper to buy everyone a new motherboard.

        Or do what I did and sue them. Back when Spectre first hit I took them to small claims court for the cost of the CPU, motherboard, RAM (because you couldn't get new DDR3 boards any more) and my time swapping it all out. They sent a local defence lawyer but he didn't know anything about the issue, he could only read their statement that it wasn't really as bad as some people were saying. I had some benchmarks handy to prove otherwise.

        I used the money to switch to AMD.

      • but nobody in the industry wants that as it would allow cheaper upgrades to existing platforms and keep everyone from re-buying everything from the ground up every 4-5 years.

        Hardly. It was a very technical reality that caused the abandoning of the slot based system. Hell just look at the number of PCI-e lanes that a slot is capable of compared to what a CPU is capable of. Or better still just a simple count will tell you how impractical that is. A PCI-e 16x slot has 84 pins, an AM4 CPU 1331 pins.

        • 1331/84 = 16 (rounded) so that explains the change but isn't a hard barrier. In a long-term-use computer it might be perfectly reasonable, especially since most people don't need all the different capabilities, they might only use 8 or 12 slots.

      • It almost makes me wonder if the answer to heading this off in the future is to go back to slot/bus CPUs, but nobody in the industry wants that as it would allow cheaper upgrades to existing platforms and keep everyone from re-buying everything from the ground up every 4-5 years.

        There isn't enough bandwidth when you get over about 2Ghz. If you want a low power cluster of slower CPUs, then this would work fine, but you'd need a really high end PCIe controller.

        I expect to see these products in a few years, as a few companies bite the bullet and try to sell longterm use computers. Don't expect it from the big players.

      • by sjames ( 1099 )

        Intel assured Dell that the CPUs were free of severe flaws, leading them to build mainboards with non-upgradable CPUs.

    • It's not a bug it's a feature. Sell your Gen 9 CPUs to DRM unlocking pirates at a premium, while buying Gen10 CPUs.

      Either that or switch to Ryzen, which currently has a performance lead anyway.

    • Broken by design (Score:4, Interesting)

      by DrYak ( 748999 ) on Thursday March 05, 2020 @10:22AM (#59799374) Homepage

      The recommended solution is replace (i.e. buy) a new CPU. Since it's the chip which is having the problem, shouldn't Intel be giving people who bought these flawed chips new ones at no charge?

      The biggest problem for Intel is that all of their chips are currently broken. The whole company seems to run on the principle: "Throw in wathever enables us to win a few % in benchmarks against competition, no matter the cost".

      I mean seriously: Whereas most out-of-order CPUs with speculative execution are just speculating around jumps (conditional jumps or return addresses), Intel CPUs seem to speculate around every single possible stall situation, including around exhaustively every single last security or sanity check (see Meltdown and co).

      Chances are, whatever replacement Intel gives the consumer, it's probably going to be as broken as the previous part its replacing.

      The only way to replace with a non-broken part would be if Intel gave out voucher for buying AMD or ARM parts.

      To use a bad car analogy, air bags are being replaced by car dealers at no cost to the consumer. The consumer is not paying to have anything fixed because the air bags are faulty.

      To keep with the bad car analogy, Intel would be a company that insists on filling the airbag canisters with hydrogen instead of compressed air(*). And the only replacement you get after a recall is another canister filled with H2.

      ---

      (*) - I joke, I know the actual real-world air bags don't use compress gas, but chemical reactions generating the gas. And the slightly less stable reaction *was indeed* the reason for some recalls.

      • To keep with the bad car analogy, Intel would be a company that insists on filling the airbag canisters with hydrogen instead of compressed air(*). And the only replacement you get after a recall is another canister filled with H2.

        Intel Engineer: "Well, it *would* cut down on weight.... hmmm."

    • A new Intel CPU also requires a new motherboard, since Intel does not make their motherboards usable with more than two generations of CPU's. AMD is a better choice these days. AMD's AM4 motherboards from three years ago will run new generation AM4 CPU's, usually a BIOS/Firmware update is needed with the old CPU in place first. I've moved back to AMD, since Intel CPU security holes began appearing a couple of years ago. The nice part is that AMD's systems generally cost less for comparable. or better, perfo
    • by Megane ( 129182 )
      Except that this isn't an "air bag", it's the management engine, so it's more like the "On Star" has a problem, but it's integrated so deeply into the car that you can't replace it short of junking the entire engine. And they change the engine mounts every other year, so you can't get a new engine that fits.
    • i think it's a great take on blackmail , very creatively phrased and executed lol ... please buy the latest most expensive we have and dunk all the old ones in the bin, don't resell them second hand they arent safe, no one will want them anyway. Now , the money plez cuz haxxers ! A+ for marketeering
  • by NicknameUnavailable ( 4134147 ) on Thursday March 05, 2020 @09:49AM (#59799292)
    Why even buy Intel anymore?
    • Re: (Score:3, Insightful)

      by OrangeTide ( 124937 )

      sadly there are CVEs for AMD Ryzen and EPYC processors. It's rather tough to find a perfectly secure CPU.

      • The abacus is secure
      • by Vancorps ( 746090 ) on Thursday March 05, 2020 @11:25AM (#59799646)

        You are kinda correct, [cvedetails.com] in that there is one CVE and is isn't a security related one either and its from 2017.

        AMD's whole product line [cvedetails.com] is significantly better than Intel's track record. It is almost laughable [cvedetails.com] to even compare the two.

      • by geek ( 5680 )

        sadly there are CVEs for AMD Ryzen and EPYC processors. It's rather tough to find a perfectly secure CPU.

        Yes but just because there is a CVE does not mean it's sever. That is why CVE's have accompanying risk scores and severities.

        • by OrangeTide ( 124937 ) on Thursday March 05, 2020 @11:40AM (#59799764) Homepage Journal

          I work specifically with Rome at work. There were a few scores over 9 if you check cvedetals.com; FALLOUT, RYZENFALL, and CHIMERA-HW being the most famous. I deal mostly with privilege escalation that can result in a container leaving its namespace.

          I used to patch in mitigation for spectre & meltdown on aarch64. A majority of the time was spent on writing tests to prove and disprove the presence of the flaw in a variety of SoCs (in-house and third party). From that experience, I'm quite familiar with the total freaking security disaster that Intel has been over the last 10 years.

          Experts begged Intel not to do their Management Engine for the better part of a decade. What we actually wanted is a better IPMI. As in a baseboard management controller that is external to the CPU and can be "fixed" by firmware, replacement of a module, or replacement of the motherboard. Simply on the general idea that the development cycles for motherboards and modules is much shorter than CPUs. And on the principle that more isolation and simpler components leads to better security, or at least security that is easier to audit.

          • by sjames ( 1099 )

            Experts begged Intel not to do their Management Engine for the better part of a decade. What we actually wanted is a better IPMI.

            And so naturally, Intel gave everyone the finger and went the opposite direction, making newer chipsets absolutely dependent on the ME during initialization so you couldn't just kill the ME by corrupting it's firmware.

            The really ugly part is that just as IPMI was getting somewhat reliable and starting to make it's way into lower end products, Intel came up with the ME.

      • by AmiMoJo ( 196126 )

        The difference is that the AMD CPUs can be fixed with microcode updates that don't shatter performance.

        Intel's flaws are built in at the hardware level and the only fix is to disable parts of the CPU or force them into low performance modes.

        Also AMD's server management system isn't quite as batshit as Intel's so it hasn't been subject to so many crippling security flaws.

      • sadly there are CVEs for AMD Ryzen and EPYC processors. It's rather tough to find a perfectly secure CPU.

        If only all integers were equal, then "has CVE" would be a reasonable binary measurement.

        But no, it isn't. Different integers are not equal. Lots of problems is not the same as one problem.

      • You can go with the IBM POWER9 https://www.cvedetails.com/pro... [cvedetails.com]

    • You're sentiment is right but for the wrong reasons. There's bugs in AMD's PSP just as there are in IME. They are undocumented blobs in both chips. Intel's security flaws have been a nothingburger for anyone not timesharing their PC with a malicious actor.

      Now the real questions is given the incredible cost vs performance lead AMD currently has, why buy Intel anymore.

      • Intel's security flaws have been a nothingburger for anyone not timesharing their PC with a malicious actor.

        Which these days is everyone with a website.

        • That isn't even remotely true and nothing points more to this case than the complete lack of actual takeovers through using these exploits.

          Every man's website is under an endless barrage of attacks. Your think an unpatchable universal vulnerability would have caused the end of computing as we know it, but it didn't because despite what done sir proclaimed experts say, these bugs are insanely hard to exploit to the point of irrelevance to the common man.

      • If you're timesharing your computer with somebody using IO, they're a potential malicious actor.

        That is how bugs combine.

        (And if you're sharing your computer with somebody who isn't using IO, just lie and tell them they have access but don't give them any. They'll never know!)

      • > Now the real questions is given the incredible cost vs performance lead AMD currently has, why buy Intel anymore

        Because AMD's performance depends almost entirely upon software putting multithreading to good use... which rarely happens in real software in actual present-day use.

        Intel absolutely mastered "making non-multithreaded software behave as though it implicitly WERE multithreaded" (through aggressive speculative execution of literally every instruction). The catch is, it accidentally enabled vuln

        • by fintux ( 798480 )

          Because AMD's performance depends almost entirely upon software putting multithreading to good use... which rarely happens in real software in actual present-day use.

          That was perhaps true for the 1st and 2nd gen Ryzen CPUs. But the landscape has changed with the 3rd gen. Have a look for example at the Cinebench R20 1T results at https://www.guru3d.com/article... [guru3d.com] - AMD's leading the bunch. Same goes for a lot of the other benchmarks on the site - it's hard to find non-gaming ones where Intel has the lead.

          Also, for a lot of things (word processing, web browsing etc.) the performance doesn't really matter as long as you have any decent and recent CPU. For gaming, the multi

  • At this point, the amount of research and patching time, mitigation, and repair time incurred by IT professionals collectively for intel chip hardware/firmware flaws in just the last 2 years probably exceeds intels entire net worth. Somebody should have to pay, and it shouldn't be my clients.
  • by sinij ( 911942 )
    My understanding that this is vulnerability (exposing keys) in the crystallographic engine used to sign BIOS and DRM. So the worst-case scenario, it won't save you, the administrator, from running unsigned malware at Ring 0 when you grant it root access. Best-case scenario, it will allow you to bypass DRM.

    Am I missing something? Where is seriousness of this?
    • Since I barely understand the technical details of the problems, I'll just go with what mosts posts are going to say:

      Intel bad, AMD good!!!1

  • That fucking remote backdoor shit most all did not ask for, want, or need turns out to be... a remote backdoor...
  • by Tristfardd ( 626597 ) on Thursday March 05, 2020 @11:27AM (#59799664)
    Back around 2001 Intel sold a chip that was later found to have a small mathematical flaw, not one the normal user would see. If you could give a reason why the flaw would affect you, they sent out a replacement kit. You pulled out the old chip, inserted the new, and sent the old back to them. I had a good reason. That may not be possible in this case, and the number of machines with the chip out there is vastly greater, but back in the good old days they managed to accomplish it.
  • The best monopoly is a monopoly on a broken system.
    • There are lots of benefits to UEFI. One of the main ones being you can have drives larger than 2.2TB which was surpassed years ago especially on the server side where Linux has a large presence. So, no, UEFI wasn’t designed to mess with Linux.
      • He's confusing UEFI with secure boot, a UEFI feature which was an attempt to take the "6,000 hulls" approach to bootkit malware, probably the rarest form of malware. An overreaction of that magnitude is indistinguishable from never letting a crisis go to waste...

        • > bootkit malware, probably the rarest form of malware...

          Not anymore. They are Intel your base.
        • by sinij ( 911942 )

          Is it "rarest form" because trusted boot makes it hard to pull off, or is it rares form because it is ineffective?

          • Probably rarest because it's not much more effective than other root-level infection methods - the effort/return ratio isn't worth it for malware authors. Throughout the history of computers booting OSes from writeable media, it only had one short flash of popularity, which ended before most computers in use had secure boot.

        • Let's be honest here, BIOS needed to be replaced with something. The boot prom of your 90s era UNIX box was infinitely more useful than x86 BIOS. A SPARC 1 from 1989 could boot from a CDROM or network and the boot prom let you probe the scsi bus and even run memory tests. You couldn't even boot a PC from optical media until nearly a decade later.

          • I agree, and secure boot isn't necessarily a bad feature to have, but having it on by default was a questionable choice, and worse, some computers made it difficult or impossible to add keys or disable the feature.

      • 2.2TB is the limit of the MBR. Since GPT is still preceded by the protective MBR, you can boot off a GPT-formatted drive in BIOS mode, i.e. without UEFI.
        • Yes some Linux distros can use GPT with Legacy BIOS for HDDs over 2TB however the last time I had to do that it involved a lot more steps and complications. When I got a newer MB with UEFI, it was much easier to set up a RAID 10 server. I can’t remember all the limitations but I think one of them was there was still a 4TB upper limit.
  • I stopped reading after requires physical access and or root.

    More generally I think it is amazing even though it is known with 100% certainty there are exploitable bugs in everything companies do not feel they have to take it seriously.

    Companies are still churning out hardware with persistent field upgradability.

    They are still doing this insane systems within systems bullshit.

    They refuse to implement simple hardware latches to protect persistent boot media before transitioning into user mode. The only answe

Sentient plasmoids are a gas.

Working...