Preface: Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
Background: Protection Class “Public” (historically also known as “Green” or “Locked”) is the class in which every debugger can use the debug capabilities it provides. The debugger uses no access mechanism, and the privilege level of these debug capabilities (i.e., Basic Enabling) is considered public and available to everyone.
Specified Intel CPU products can use two different ways of accessing the debug mechanism to enable access and gain privileges for debug capabilities. One example is unlock: the debugger must authenticate and unlock using Intel’s authentication key.
The descriptions of CVE-2018-3659 and CVE-2018-3643 do not mention DAM explicitly.
It is well known that DAM does not require authorization from Intel or the system manufacturer, but it does require the consent of the owner. Consent can be set in the following ways:
• On a CNP-based platform, by physically connecting to the Intel® Direct Connect Interface (Intel® DCI) over a USB3 port that supports a dedicated debugging protocol and device, aka Intel® DCI OOB.
• Having the BIOS set consent.
• Setting the DCI enable bit in the SPI descriptor, i.e. a configuration option that enables or disables automatic debug consent if the system is before EOM. This bit can be set using the Intel Flash Image Tool (FIT).
Vulnerability details and remedy: For details, please refer to the official article (2022.1 IPU – Intel® Boot Guard and Intel® TXT Advisory) – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00613.html
My observation: According to the risk rating, the adjacent-network, authenticated CVSS score is 7.3. Additionally, the unauthenticated, physical CVSS score is 7.3. Therefore, the undisclosed details of the design weakness include both local and remote access. I think attackers exploiting remote access would be running on a management application, for example the Intel Converged Security and Management Engine (CSME).
In the initialization of an x86-64 multi-core system, one core is required to act as the bootstrap processor (BSP). Each processor first runs its built-in self-test (BIST), and if the self-test passes, it is eligible to become the BSP. Each processor that wants to become the BSP sends a special NOP cycle onto the bus, aiming to reach the endpoint as quickly as possible. The processor that successfully sends its NOP first becomes the BSP.
The vendor recommends updating the Intel Converged Security and Management Engine (CSME) to the latest version, disabling the CPU debug feature when Boot Guard is enabled, and disabling the BSP (Bootstrap Processor) INIT (DBI) bit.
Referring to the details above, can you speculate about what actually causes the bug?
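The consent mechanisms listed above and the vendor's "disable the CPU debug feature when Boot Guard is enabled" recommendation both come down to a question a platform owner can verify: is the processor's debug interface enabled, and has firmware locked it before handing off to the OS? The following is an added example, not code from the page, from Intel, or from the advisory. It decodes the architectural IA32_DEBUG_INTERFACE MSR (address 0xC80, documented in the Intel SDM: bit 0 = Enable, bit 30 = Lock, bit 31 = Debug Occurred) and reports findings a defender would want to see after a BIOS/CSME update. The live read through `/dev/cpu/N/msr` is optional (root and the Linux `msr` module are assumed); the sample values the script falls back to are constructed for illustration. It does not read the DCI strap in the SPI descriptor, which needs a flash dump or FIT. The open-source chipsec tool ships a comparable check.

```python
"""Report the CPU-side debug-interface state from IA32_DEBUG_INTERFACE (MSR 0xC80).

Added example (not from the original page or the Intel advisory). Bit layout per the
Intel SDM: bit 0 Enable, bit 30 Lock (write-once until reset), bit 31 Debug Occurred.
"""
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80
BIT_ENABLE = 1 << 0          # debug interface enabled
BIT_LOCK = 1 << 30           # firmware locked the enable bit until next reset
BIT_DEBUG_OCCURRED = 1 << 31 # debug interface was used since the last reset


def decode_debug_interface(value: int) -> dict:
    """Split a raw 64-bit MSR value into its three documented flags."""
    return {
        "enable": bool(value & BIT_ENABLE),
        "lock": bool(value & BIT_LOCK),
        "debug_occurred": bool(value & BIT_DEBUG_OCCURRED),
    }


def assess_debug_interface(value: int) -> list:
    """Return a list of findings; an empty list means the expected hardened state
    (debug disabled, lock set, no debug activity since reset)."""
    state = decode_debug_interface(value)
    findings = []
    if state["enable"]:
        findings.append("debug interface ENABLED (bit 0 set)")
    if not state["lock"]:
        findings.append("debug interface NOT LOCKED (bit 30 clear); "
                        "firmware should set the lock before boot hand-off")
    if state["debug_occurred"]:
        findings.append("DEBUG OCCURRED since last reset (bit 31 set)")
    return findings


def has_sdbg_flag(cpuinfo_path: str = "/proc/cpuinfo") -> bool:
    """True if Linux reports the 'sdbg' CPUID flag (the MSR is only valid then)."""
    try:
        with open(cpuinfo_path) as f:
            for line in f:
                if line.startswith("flags"):
                    return "sdbg" in line.split()
    except OSError:
        pass
    return False


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read one MSR via the Linux msr driver (needs root and the msr module).
    On a CPU without the interface the read raises OSError (#GP -> EIO)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        data = os.pread(fd, 8, msr)
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


if __name__ == "__main__":
    try:
        value = read_msr(IA32_DEBUG_INTERFACE)
        source = "live read of MSR 0xC80 on cpu0"
    except OSError:
        # Constructed sample: enabled, unlocked, and used since reset (worst case).
        value = BIT_ENABLE | BIT_DEBUG_OCCURRED
        source = "constructed sample value (MSR not readable here)"
    print(f"source: {source}; sdbg flag present: {has_sdbg_flag()}")
    print(f"IA32_DEBUG_INTERFACE = 0x{value:016x} -> {decode_debug_interface(value)}")
    for finding in assess_debug_interface(value) or ["OK: debug disabled and locked"]:
        print(" -", finding)
```

On a production machine the expected output is a single `OK` line, i.e. bit 30 set and bits 0 and 31 clear. Any finding is worth correlating with the BIOS debug-consent setting and the SPI descriptor DCI strap mentioned above, since either can re-enable the interface on the next boot.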