Intel Xeon workhorses boot evil maids out of the hotel: USB-based spying thwarted by fix

The story behind the quietly patched CVE-2018-3652

Ex-Intel security dragons have breathed fresh fire into the old maxim: if someone has physical access to your machine, you're pwned.

US-based Eclypsium, founded by former Chipzillans Yuriy Bulygin and Alex Bazhaniuk, confirmed this week it is possible to pull off a classic evil maid attack against Intel-powered servers and workstations by abusing a USB-based system debugging mode to commandeer a vulnerable box.

In effect, you can jam a widget into a vulnerable machine's USB port and run some crafty code to take over the system and install a rootkit, spyware, or whatever you like. This requires a special debug mode in the chipset to be enabled, and you to be left unattended with the box.

The exploitation of USB-based debugging to hijack systems has been previously documented. What's new here is that on Monday, Eclypsium blogged that Intel has issued a patch – specifically, an updated Direct Connect Interface policy – to thwart USB-based debugging attacks on certain Xeon-powered systems.

The vulnerability was designated CVE-2018-3652, and Chipzilla credited its discovery to Eclypsium principal researcher Jesse Michael, also ex-Intel.

Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it


"Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel Xeon Processor E3 Family, Intel Xeon Scalable processors, and Intel Xeon Processor D Family can potentially allow a limited physical presence attacker to access platform secrets via debug interfaces," Intel noted in its advisory.

It added that client chips – such as those used in desktop PCs and laptops – should be unaffected because USB-based debugging is expected to be disabled by default. If in doubt, check your firmware settings.

According to Team Eclypsium, "debug access over USB enables installation of persistent rootkits in UEFI firmware and runtime SMM firmware on systems that do not securely set debug policy. This weakness would allow an attacker with physical access to the device to perform an 'Evil Maid' attack without opening the case."

Again, this particular attack is against Xeon-based systems, rather than Intel-powered client computers. For the latter, you'll have to pop the case, as demonstrated in this video.

That's what makes debug mode valuable: if it's enabled, “it is possible to halt the system inside SMM and make arbitrary changes to memory from that context. This grants complete control of highly privileged SMM execution to the attacker,” the Eclypsium team said. At that point, a miscreant has total control over the hardware.

According to the researchers, ensure in your firmware settings that CPU debugging is “disabled and locked,” and the Direct Connect Interface is disabled, because “if enabled, the chipset will provide debug capability over USB.”

If a target falls short on these controls, an attacker who can get near your gear can plug a cable into the USB port and pwn a machine with a script. “An attacker may infect firmware with their own malware or rootkit, and they can do it without opening the case," the team warned.

In short: it's not the end of the world, however, it's why physical security and UEFI settings matter. ®

Similar topics

Broader topics

Other stories you might like

  • Intel demos multi-wavelength laser array integrated on silicon wafer
    Next stop – on-chip optical interconnects?

    Intel is claiming a significant advancement in its photonics research with an eight-wavelength laser array that is integrated on a silicon wafer, marking another step on the road to on-chip optical interconnects.

    This development from Intel Labs will enable the production of an optical source with the required performance for future high-volume applications, the chip giant claimed. These include co-packaged optics, where the optical components are combined in the same chip package as other components such as network switch silicon, and optical interconnects between processors.

    According to Intel Labs, its demonstration laser array was built using the company's "300-millimetre silicon photonics manufacturing process," which is already used to make optical transceivers, paving the way for high-volume manufacturing in future. The eight-wavelength array uses distributed feedback (DFB) laser diodes, which apparently refers to the use of a periodically structured element or diffraction grating inside the laser to generate a single frequency output.

    Continue reading
  • Intel withholds Ohio fab ceremony over US chip subsidies inaction
    $20b factory construction start date unchanged – but the x86 giant is not happy

    Intel has found a new way to voice its displeasure over Congress' inability to pass $52 billion in subsidies to expand US semiconductor manufacturing: withholding a planned groundbreaking ceremony for its $20 billion fab mega-site in Ohio that stands to benefit from the federal funding.

    The Wall Street Journal reported that Intel was tentatively scheduled to hold a groundbreaking ceremony for the Ohio manufacturing site with state and federal bigwigs on July 22. But, in an email seen by the newspaper, the x86 giant told officials Wednesday it was indefinitely delaying the festivities "due in part to uncertainty around" the stalled Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act.

    That proposed law authorizes the aforementioned subsidies for Intel and others, and so its delay is holding back funding for the chipmakers.

    Continue reading
  • Intel to sell Massachusetts R&D site, once home to its only New England fab
    End of another era as former DEC facility faces demolition

    As Intel gets ready to build fabs in Arizona and Ohio, the x86 giant is planning to offload a 149-acre historic research and development site in Massachusetts that was once home to the company's only chip manufacturing plant in New England.

    An Intel spokesperson confirmed on Wednesday to The Register it plans to sell the property. The company expects to transfer the site to a new owner, a real-estate developer, next summer, whereupon it'll be torn down completely.

    The site is located at 75 Reed Rd in Hudson, Massachusetts, between Boston and Worcester. It has been home to more than 800 R&D employees, according to Intel. The spokesperson told us the US giant will move its Hudson employees to a facility it's leasing in Harvard, Massachusetts, about 13 miles away.

    Continue reading

Biting the hand that feeds IT © 1998–2022