Anonymous ID: aaa704 June 7, 2021, 1:29 p.m. No.13851522   >>1535 >>1602 >>1764 >>1905 >>1965

https://www.infoq.com/news/2021/04/intel-hidden-instructions/


Two Hidden Instructions Discovered in Intel CPUs Enable Microcode Modification

APR 05, 2021

by Sergio De Simone

Security researchers Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy discovered two undocumented x86 instructions that can be used to modify the CPU microcode. The instructions can only be executed when the CPU runs in debug mode, which makes them not easily exploitable, though.


Being able to modify a CPU's microcode means you can re-program its instructions to do whatever you want. Usually, modifying CPU microcode is necessary to fix vulnerabilities and other types of bugs, which requires the CPU architecture to provide a mechanism to do it. CPU microcode updates are provided in encrypted form and the secret key that can decrypt them resides in the CPU itself. Getting access to the two instructions allows an attacker to bypass this barrier, says Goryachy:


In my opinion, on[e] of the main achievement [of] these instructions [is] bypassing the microcode update verification. Yes, you [are] right - it allows to craft your own persistent microcode patch without external debugger.


According to Ermolov, the two instructions are decoded in all processor modes, including user mode, but they will raise an undefined instruction exception unless the CPU is running in so-called red state. The red state is one of four possible DFx states supported by Intel System on a Chip, along with green, orange, and DAM. While the green state is used for normal CPU operation, the red and orange states enable debug access to all or parts of the CPU IPs.


On the good side of things, getting an Intel CPU to enter the red state is not easy to accomplish. In fact, it should never happen unless there are vulnerabilities in the Intel Management Engine (ME), an almost undocumented subsystem present in all Intel CPUs since 2008 that Intel says is required to provide full performance. Security researchers have in some cases claimed it is a security threat and users should disable it.


As a matter of fact, several vulnerabilities in Intel ME have been discovered in the past. Among others, Ermolov, Sklyarov, and Goryachy described a method to extract the secret key that is used inside the CPU to decrypt microcode updates, which also led to the possibility of executing your own microcode on the CPU or reading Intel's microcode.


The three researchers have posted a video demonstrating how to access the two instructions with only root/admin privileges. This requires uploading a custom UEFI to SPI flash and then rebooting the system, which definitely requires having physical access to it.


Ermolov, Sklyarov, and Goryachy are working on a disclosure paper and a full PoC. For the moment, Intel has refused to acknowledge the possibility of accessing the two hidden instructions as a vulnerability. InfoQ will continue to provide detailed reporting about this as new information will become available.

Anonymous ID: aaa704 June 7, 2021, 1:30 p.m. No.13851535   >>1602 >>1764 >>1905 >>1965

>>13851522

>Two Hidden Instructions Discovered in Intel CPUs Enable Microcode Modification


https://www.ehackingnews.com/2021/03/black-code-two-critical-vulnerabilities.html


Black code: Two critical vulnerabilities found in Intel processors

In some cases, hidden device features can serve to unauthorisedly hijack computer control

Friday, March 26, 2021


Two new vulnerabilities have been found in Intel processors. They are undocumented capabilities of the manufacturer that allow hijacking control over the device. Access to them opens in a special mode that in most cases only Intel engineers have access to. However, in some scenarios it can also be activated by hackers. Information security experts suggest that these options may be present in all current Intel processors and see them as a major potential threat.


According to Positive Technologies experts Mark Yermolov and Dmitry Sklyarov, there are two undocumented instructions in Intel processors that allow modifying the microcode and gaining control over the processor and the entire system.


"The discovered instructions allow bypassing all existing x86 architecture protection mechanisms in modern processors," said Yermolov.


The experts specified that the features found are in Intel's Atom processor family, which has been updated since 2011 to the present day.


"In theory, the vulnerabilities found can be exploited by any attacker who has the necessary information", Alexander Bulatov, Commercial Director of RuSIEM, told the publication.


In this case, the hacker would get a whole set of opportunities to control the compromised system.


“This can be either the simplest forced shutdown of the device, or flashing the processor with microcode that secretly performs certain tasks of the attacker,” explained Bulatov.


According to Yermolov, the instructions can be activated remotely only in a special processor operating mode, Red Unlock, which only Intel engineers should have access to. As Positive Technologies noted, some processors have vulnerabilities that allow third parties to enable Red Unlock mode as well.


Intel's press office said it takes Positive Technologies' research seriously and is carefully reviewing their claims.


The vulnerabilities found are potentially dangerous for users of devices based on the Intel Atom family. These are low-power processors mainly used in netbooks, tablets, POS terminals and POS machines.