Intel has announced a large number of patches and fixes for dozens of security problems in its products and processors. The company has provided a total of 77 patches to OEMs and partners as part of its Intel Platform Update program. We were briefed on this update prior to the formal announcement, but the documents Intel has provided are a bit vague, and the links that should lead to the write-ups on the nature of these issues aren’t actually live yet. The flaw that Intel spent the most time discussing, meanwhile, isn’t the highest-ranked security problem on the list.
According to Intel, it is fixing 77 security flaws with this raft of patches. 67 of the flaws were found internally at Intel, while 10 were discovered by outside researchers. At least one of the CVE vulnerabilities, CVE-2019-0169, has a CVSS rating of 9.6 (ratings of 9 – 10 are considered critical, the highest severity). As of this writing, the webpage for CVE-2019-0169 is a placeholder, but we’ll have more to say as soon as we can tell what this vulnerability does. It appears to be located in the Intel Management Engine or one of its subcomponents.
The first set of fixes covers various aspects of Intel’s command-and-control hardware, including the Intel Management Engine (IME), Converged Security and Management Engine (CSME), Intel Server Platform Services (SPS), Trusted Execution, and the like. It’s clear that Intel has been laying the groundwork for a major security update — there’s a CSME Detection Tool available online dated to September 4, and various laptop manufacturers have been pushing UEFI updates for IME security issues since late September. The design and security of the IME have been strongly criticized by security researchers over the years, mostly for being an entirely black box and impossible to evaluate. The security processors used by ARM, AMD, and Apple have all faced similar complaints.
Intel’s paraphrased description of CVE-2019-0169 (which has not been published as of this writing) is that it concerns a heap overflow in a subsystem of the Intel CSME and one in the Trusted Execution (TXE) subsystem. These flaws may allow an unauthenticated user to enable privilege escalation, disclose information, or launch a denial of service attack via “adjacent access.” “Adjacent access” is not defined, but is positioned against terms like “local access” or “network access.”
We can’t describe most of these vulnerabilities in detail, but CVE ratings of 8+ are generally significant and should be acted upon. The fact that UEFI updates have already been pushed for laptops means it might not be a bad idea to grab one.
TAA: Transaction Asynchronous Abort
Intel did describe one of these new vulnerabilities in somewhat more detail. TAA, or Transaction Asynchronous Abort, affects the TSX capability of Intel microprocessors. TSX was a capability initially introduced with Haswell that improves the CPU’s performance in multi-threaded software if the feature is used. Like the earlier Intel MDS disclosure, TAA can be used to leak data out of microprocessors because data from speculative execution steps that is not intended to be used can still be leaked and then retrieved. There is no way for the attacker to force any particular bit of data into a leakable state (there’s no direct way to control what leaks, though an attacker can try to influence it).
Intel’s guidance on which CPUs are affected is extremely precise and maximally unhelpful. The company lists three types of products which are not impacted:
- Chips without TSX support.
- CPUs that enumerate IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=1.
- CPUs that support TSX but do not enumerate IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=1 do not need fixes beyond those already baked into Intel’s MDS fixes.
CPUs based on Whiskey Lake, Coffee Lake R, and 2nd Gen Scalable Xeons all require fixes if the systems support TSX.
The practical impact of this problem is likely to be limited, but Intel couldn’t have made it more difficult to determine which CPUs aren’t impacted if it tried. Listing the enumerated values of specific CPU fields is only helpful if those values are readily available for each individual CPU a person might own. Intel has web pages devoted to detailing MDS fixes at the per-CPU level, but none of the information on those pages corresponds to the values given above. As such, it’s useless for determining whether or not you have a CPU with a vulnerability. It would be better to identify the specific CPU families or models, even if that leads to rather long lists. A switch has been added to the UEFI of affected products to allow TSX to be turned off, and Intel’s guidance is that consumers who have the feature but don’t use it should disable it.
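The enumeration values Intel lists can in fact be read from a running system, which is the practical way to answer the "am I affected?" question the article says Intel's pages don't. The script below is an added example, not code from ExtremeTech or Intel. It assumes Linux: TSX support is taken from the `rtm`/`hle` flags in `/proc/cpuinfo` (CPUID leaf 7 EBX bits 11 and 4), and IA32_ARCH_CAPABILITIES (MSR 0x10A) is read through the `msr` driver, which needs root and `modprobe msr`. It goes one step beyond the article's three bullets by also checking MDS_NO (bit 5 of the same MSR), which is what separates "already covered by the MDS fixes" from the Whiskey Lake / Coffee Lake R / 2nd Gen Scalable Xeon case that needs the new fix; that split, the outcome strings and the sample cpuinfo excerpt are this example's own, not Intel's wording.

```python
"""Classify a CPU's TAA exposure from the bits Intel's guidance names.

Added example, not Intel's or ExtremeTech's code. Constants follow the Intel SDM
and Intel's TAA guidance: IA32_ARCH_CAPABILITIES is MSR 0x10A, TAA_NO is bit 8,
MDS_NO is bit 5; Linux exposes TSX as the 'rtm'/'hle' cpuinfo flags.
"""
import os

IA32_ARCH_CAPABILITIES = 0x10A  # MSR address
TAA_NO_BIT = 8                  # IA32_ARCH_CAPABILITIES[TAA_NO]
MDS_NO_BIT = 5                  # IA32_ARCH_CAPABILITIES[MDS_NO]

# Outcomes returned by classify_taa() (wording is this example's own)
NOT_AFFECTED_NO_TSX = "not affected: CPU has no TSX"
NOT_AFFECTED_TAA_NO = "not affected: TAA_NO enumerated"
COVERED_BY_MDS_FIX = "affected, but the existing MDS mitigation (VERW buffer clearing) covers TAA"
NEEDS_TAA_FIX = "affected: TSX present, MDS_NO=1, TAA_NO=0; apply microcode update or disable TSX"

# Constructed /proc/cpuinfo excerpt for offline testing (not captured from a real machine)
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep hle rtm md_clear
"""


def parse_cpuinfo_flags(cpuinfo_text):
    """Return the feature-flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def has_tsx(flags):
    """TSX is present when either RTM or HLE is enumerated."""
    return "rtm" in flags or "hle" in flags


def classify_taa(tsx, arch_capabilities):
    """Apply the enumeration logic; arch_capabilities is the raw MSR value (0 if unreadable)."""
    taa_no = (arch_capabilities >> TAA_NO_BIT) & 1
    mds_no = (arch_capabilities >> MDS_NO_BIT) & 1
    if not tsx:
        return NOT_AFFECTED_NO_TSX
    if taa_no:
        return NOT_AFFECTED_TAA_NO
    if not mds_no:
        # MDS-affected parts: the VERW clearing deployed for MDS also flushes the TAA path
        return COVERED_BY_MDS_FIX
    return NEEDS_TAA_FIX


def read_arch_capabilities(cpu=0):
    """Read IA32_ARCH_CAPABILITIES via the Linux msr driver (root + 'modprobe msr').

    Returns 0 when the MSR cannot be read (no driver, no privilege, or the MSR is
    absent because CPUID.7.0:EDX[29]=0). Treating it as 0 is the conservative
    reading: neither TAA_NO nor MDS_NO is assumed."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return 0
    try:
        data = os.pread(fd, 8, IA32_ARCH_CAPABILITIES)  # file offset selects the MSR
    except OSError:
        return 0
    finally:
        os.close(fd)
    return int.from_bytes(data, "little")


def linux_sysfs_status():
    """The kernel's own verdict, present once the TAA patches are in the running kernel."""
    try:
        with open("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort") as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            flags = parse_cpuinfo_flags(f.read())
    except OSError:
        flags = set()
    print("enumeration-based verdict:", classify_taa(has_tsx(flags), read_arch_capabilities()))
    print("kernel sysfs status:", linux_sysfs_status() or "(not available)")
```

Run it as root with the `msr` module loaded; on an unpatched kernel the sysfs line is absent and the script falls back to the MSR bits alone. On kernels carrying the TAA patches the `tsx=off` boot parameter is the software equivalent of the UEFI switch the article describes, and the sysfs file reports which mitigation is active.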
As always, ExtremeTech recommends keeping your system up-to-date. Don’t deliberately leave security holes open for hackers to walk into. At the same time, keep in mind that no one has detected any real-world attack based on Spectre or Meltdown. We may have more to say about the other items on this list depending on what they turn out to be.
Update, 1:40 PM: Added Intel’s description of CVE-2019-0169.