A very serious problem affects thousands of Intel computers from generations prior to the tenth: a vulnerability has been found in the Converged Security and Management Engine (CSME) ROM.
What makes this bug particularly dangerous is that it sits in the mask ROM of the microprocessor and chipset, where firmware errors cannot be corrected.
The biggest concern, however, is that the vulnerability allows a real compromise at the hardware level, which will force the hardware to be replaced.
The vulnerability is tracked as CVE-2019-0090, and it affects Intel's Converged Security and Management Engine, formerly called Management Engine BIOS Extension (MEBx).
The flaw was discovered by Positive Technologies security experts, who explain how the affected component works: “Intel CSME interacts with the CPU microcode to authenticate the UEFI BIOS firmware using BootGuard. Intel CSME also loads and verifies the firmware of the Power Management Controller responsible for providing power to the Intel chipset components.”
Positive Technologies added that the CSME performs other important functions, as “it is the cryptographic basis for hardware security technologies developed by Intel and used everywhere, such as DRM, fTPM and Intel Identity Protection. In its firmware, it implements EPID (enhanced privacy ID). EPID is a procedure for remote certification of reliable systems that allows individual computers to be identified unequivocally and intimately, which has several uses: these include protecting digital content, securing financial transactions and performing IoT certification.”
The vulnerability makes it possible to extract the chipset key and to manipulate part of the hardware key and the process of its generation. The bug also sets the stage for the execution of arbitrary code with zero-level privileges in Intel CSME. This means that an attacker can compromise the chipset and use the root cryptographic key, which can grant access to everything on a device.
Another major problem is that Intel acknowledged that "the CVE-2019-0090 patch addresses only one potential attack vector, which involves the Integrated Sensors Hub (ISH)", so investigations will continue in search of a definitive solution.