Late last week security researchers at Positive Technologies said they found a flaw in Intel chips’ read-only memory. They described the flaw as “unfixable” and said it could let attackers compromise platform encryption keys and steal sensitive information. Exploiting it, however, requires an attacker to have physical access to the target server.
“No firmware updates can fix the vulnerability,” the researchers said.
Since the flaw cannot be fully fixed, Positive Technologies recommends that IT managers disable Intel CSME-based encryption of data storage devices in their data centers, or consider migrating to tenth-generation or later Intel CPUs. CSME, the Converged Security and Management Engine, is the part of Intel CPUs that underpins Microsoft System Guard, BitLocker, the Trusted Platform Module used for hardware-based encryption, and other security features.
“The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality,” Positive Technologies security researcher Mark Ermolov wrote. “This vulnerability jeopardizes everything Intel has done to build the root of trust.”