Discovered and identified last year as CVE-2019-0090, a bug in Intel’s Converged Security and Management Engine (CSME) could grant attackers access to the Chipset Key, which is the root cryptographic key that can be used to access everything on a device. The CSME is used by Intel-based computers to cryptographically verify and authenticate all firmware loaded on the machine.
When this bug was originally discovered and “patched,” it was determined that this could only be exploited with physical access to a system. However, researchers at Positive Technologies have discovered that the CSME firmware is left unprotected during the early booting, allowing the Chipset Key to be extracted via various methods. Malware with SYSTEM and BIOS-level code execution access can actually exploit this bug, even without physical access to the computer. This increases the possibility that this vulnerability will be exploited by remote attackers.
Analyst Notes
Unfortunately, the only way to fully mitigate this bug is to replace the CPU. The most recent 10th generation Intel CPUs are not affected by this bug. While Intel did release a patch in May of 2019, this patch only fixes one of the several bugs that were discovered at that time. The patch does not fix this vulnerability. In many cases, it is not practical to replace the CPU, so systems should be monitored for attacker behavior to detect malware attempts to exploit this or other vulnerabilities.
https://www.zdnet.com/article/intel-csme-bug-is-worse-than-previously-thought/
