Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks

Intel’s Patch Tuesday releases are rarely so salient as those pushed out this month: the semiconductor chip manufacturer has patched a slew of high-profile vulnerabilities in their chips and drivers.


TPM-FAIL is the name given to vulnerabilities found in some of Intel’s firmware-based TPM (fTPM) and STMicroelectronics’ TPM chipsets, discovered by Ahmad “Daniel” Moghimi and Berk Sunar from Worcester Polytechnic Institute, Thomas Eisenbarth from University of Lübeck and Nadia Heninger from University of California at San Diego.

TPM-FAIL flaws could allow attackers to recover long-term private keys used to generate Elliptic Curve Digital Signature Algorithm (ECDSA) signatures and use them to forge digital signatures.

STMicroelectronics has released firmware updates, and so has Intel. The issue is marked as CVE-2019-11090.

The researchers say that attacks against these vulnerabilities are practical.

“A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level. We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a VPN server in 5 hours,” they explained.
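To make the “recover the ECDSA key” claim concrete, here is an added example (not code from the article or the researchers) of why any leakage of the per-signature nonce is fatal for ECDSA: with one signature (r, s) over hash h and a fully known nonce k, the long-term key d falls out of the signing equation directly. It uses the public secp256k1 parameters in pure Python, and the private key, message and nonce below are constructed sample values, not anything from a real TPM.

```python
import hashlib

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a, m):
    # Modular inverse; pow with exponent -1 needs Python 3.8+.
    return pow(a, -1, m)


def _add(p1, p2):
    # Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    # Double-and-add scalar multiplication (not constant-time; illustration only).
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def sign(d, h, k):
    # Textbook ECDSA: r = (kG).x mod N, s = k^-1 (h + r d) mod N.
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (h + r * d) % N
    return (r, s)


def verify(Q, h, sig):
    r, s = sig
    w = _inv(s, N)
    X = _add(_mul(h * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_key_from_nonce(h, sig, k):
    # Rearranging s = k^-1 (h + r d): d = (s k - h) r^-1 mod N.
    r, s = sig
    return (s * k - h) * _inv(r, N) % N


def nonce_leading_zero_bits(k):
    # The per-signature quantity a nonce-length timing leak exposes; a nonce
    # shorter than the group order means the scalar loop above runs fewer iterations.
    return 256 - k.bit_length()


# Constructed sample values (hypothetical key, message and nonce).
SAMPLE_D = 0x1F4E6A3C9B2D8E7F5A1C3B6D9E8F7A2B4C6D8E1F3A5B7C9D2E4F6A8B1C3D5E7F
SAMPLE_H = int(hashlib.sha256(b"tpm-fail demo message").hexdigest(), 16) % N
SAMPLE_K = 0x00000000A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C
SAMPLE_Q = _mul(SAMPLE_D, G)


def demo():
    sig = sign(SAMPLE_D, SAMPLE_H, SAMPLE_K)
    assert verify(SAMPLE_Q, SAMPLE_H, sig)
    recovered = recover_key_from_nonce(SAMPLE_H, sig, SAMPLE_K)
    return recovered == SAMPLE_D, nonce_leading_zero_bits(SAMPLE_K)


if __name__ == "__main__":
    print(demo())
```

The point for defenders: a signing implementation must not let the nonce’s bit length influence timing, because partial nonce information accumulated over many signatures is enough to reach the same result as the single fully leaked nonce shown here. Firmware updates such as the ones described above are the only fix for an affected TPM, since the key itself lives inside the device.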

It’s hard to estimate how many vulnerable chips are in use.

“Desktop, laptop and server workstations manufactured by various vendors such as Dell, Lenovo, HP, etc. may use one of these affected TPM products,” the researchers noted, and advised users to ask their OEM or consult an expert to see if their systems are affected by TPM-FAIL.

ZombieLoad v2

There is a new variant of the speculative execution side channel attack dubbed ZombieLoad, which works on a number of Intel CPUs and may allow information disclosure of secrets processed by running programs (e.g., user keys, passwords, etc.).

Well, it’s not actually new: it was disclosed to Intel in April 2019 but was put under embargo until now.

Intel refers to this issue as TSX Asynchronous Abort (TAA) and has released firmware updates to mitigate it.

The issue affects only CPUs that support TSX. Among those is Cascade Lake, Intel’s line of high-end CPUs that was introduced in April 2019.

“The TAA mitigation provides the ability to clear stale data from microarchitectural structures through use of a VERW instruction on processors that already have hardware-based mitigations for MDS (see INTEL-SA-00233). It also provides system software the means to disable TSX for customers who do not use this functionality,” Intel explained.

“We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface. Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.”
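Intel’s statement names two mitigation paths, VERW buffer clearing (which needs the MDS microcode) and disabling TSX. On Linux the kernel reports which of these is in effect through sysfs, so an administrator can check a fleet without reading microcode versions by hand. The following is an added example, not Intel’s or the kernel’s code; it assumes the sysfs file `/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`, the `rtm`/`hle` (TSX) and `md_clear` (VERW microcode) flags in `/proc/cpuinfo`, and the `tsx=off` and `tsx_async_abort=` boot parameters, all of which exist in mainline kernels. The status lines in the test data are constructed samples in the kernel’s wording.

```python
import re
from pathlib import Path

SYSFS_TAA = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")
CPUINFO = Path("/proc/cpuinfo")


def parse_cpu_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def assess_taa(taa_status, cpu_flags):
    """Classify the kernel's tsx_async_abort line into a verdict and advice.

    Verdicts: not-affected, mitigated, vulnerable, unknown.
    """
    status = taa_status.strip()
    tsx_present = bool({"rtm", "hle"} & cpu_flags)
    has_md_clear = "md_clear" in cpu_flags

    if status.startswith("Not affected"):
        return ("not-affected", "CPU is not in the affected list.")
    if status.startswith("Mitigation: TSX disabled"):
        return ("mitigated", "TSX disabled by the kernel; TAA cannot be triggered.")
    if status.startswith("Mitigation: Clear CPU buffers"):
        advice = "VERW buffer clearing active"
        advice += " (md_clear present)." if has_md_clear else " (md_clear flag not visible)."
        if "SMT vulnerable" in status:
            # Clearing on context switch does not protect against a sibling hyperthread.
            advice += " Sibling threads can still observe data; consider tsx=off or nosmt."
        return ("mitigated", advice)
    if status.startswith("Vulnerable"):
        if "no microcode" in status or not has_md_clear:
            return ("vulnerable", "Install the microcode update that adds md_clear, or boot with tsx=off.")
        if tsx_present:
            return ("vulnerable", "Boot with tsx=off or tsx_async_abort=full to enable the mitigation.")
        return ("vulnerable", status)
    return ("unknown", status)


def assess_live():
    """Read the real sysfs and cpuinfo files when available (Linux only)."""
    if not SYSFS_TAA.exists():
        return ("unknown", "kernel does not expose tsx_async_abort status")
    flags = parse_cpu_flags(CPUINFO.read_text()) if CPUINFO.exists() else set()
    return assess_taa(SYSFS_TAA.read_text(), flags)


if __name__ == "__main__":
    verdict, advice = assess_live()
    print(f"TAA: {verdict} - {advice}")
```

Run it on each host and alert on anything other than `not-affected` or `mitigated`; the `SMT vulnerable` case is worth surfacing separately, since it is the situation Intel’s second paragraph above alludes to, where buffer clearing alone does not close every channel.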

Researchers involved in the discovery are: Michael Schwarz, Moritz Lipp, Daniel Gruss (Graz University of Technology), Jo Van Bulck (imec-DistriNet, KU Leuven), Ahmad “Daniel” Moghimi (Worcester Polytechnic Institute), Julian Stecklina and Thomas Prescher (Cyberus Technology).

Vulnerable drivers

In August 2019, Eclypsium revealed the existence of many signed kernel mode drivers that could allow attackers to gain control over Windows-based systems, the underlying firmware, and to gain access to the “negative” firmware rings that lie beneath the operating system.

Some of the drivers were disclosed then and there; information about others has been held under embargo.

Intel published security updates for two of them (1, 2) a few days after the initial disclosure, and released updated versions of a third driver (PMx, aka PMxDrv) this Tuesday.

“During our analysis of the Intel PMx driver, we found it to be incredibly capable, containing a superset of all the capabilities that we had seen previously,” Eclypsium researchers noted.

For example, the driver has the ability to read/write to physical memory, to Model Specific Registers (MSR), to control registers, to the interrupt descriptor table (IDT) and the global descriptor table (GDT), to debug registers, and to arbitrarily gain I/O and PCI access.

“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999,” they added.

“Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue. Intel likewise uses the vulnerable driver as part of the Flash Programming Tool, which is provided to OEM vendors and their customers to update Intel-based BIOS. This makes the Intel PMx/PMxDrv one of the most capable, feature-rich, and most common drivers we have seen to date.”
