Latest Intel CPUs have 'impossible to fix' security flaw

(Image credit: Intel)

New warnings claim that pretty much every Intel processor released in the last five years has a security flaw baked into the silicon which can’t actually be fixed as such, although the chip maker has already implemented mitigations.

Security firm Positive Technologies found that Intel’s mitigations (enacted since the initial bug was first discovered in May 2019) might not be sufficient to fully protect a PC from an attack.

The more positive news (pun not intended) is that the vulnerability, which is present in Intel’s Converged Security and Management Engine (CSME) – a subsystem inside the CPU which takes care of all manner of important security duties, right from pushing the power button – is not trivial to exploit. In fact it’s a tricky matter to do so.

Intel first described the security flaw as: “Insufficient access control vulnerability in subsystem for [CSME versions] … may allow an unauthenticated user to potentially enable escalation of privilege via physical access.”

So in other words, you need physical access (or local access, potentially in some cases, Positive Technologies qualifies) to the machine to attempt to leverage the vulnerability, which coupled with the sophisticated nature of the attack, makes this a difficult exploit to pull off.

But it’s still a worrying state of affairs when there’s apparently a security flaw directly in the silicon which isn’t fixable, as it can’t be patched via a firmware update.

Positive Technologies observes that this is because the problem is present in the “very early stages of the subsystem’s [CSME’s] operation, in its boot ROM”, and that it’s “impossible to fix firmware errors that are hard-coded in the mask ROM.”

Chain of trust

The security firm further notes that Intel has said it’s already aware of the issues here, and understands that it cannot fix the vulnerability in the ROM, so instead it’s attempting to patch all possible attack vectors. But mitigating against every conceivable exploit could obviously be a difficult process.

Positive Technologies warned: “This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms … The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”

In short, it’s another blow to Intel’s reputation on the security front, which it can ill afford given the huge amount of ground AMD is gaining with its Ryzen offerings.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).