Categories: Security

Memory ‘Sinkhole’ Lets Attackers Take Control Of Intel Chips

Older Intel processors contain a security vulnerability that could allow attackers to gain control of system hardware and implant rootkits into the processor’s firmware, a security researcher has told the Black Hat conference in Las Vegas.

The bug is difficult to exploit and is requires an attacker to first gain root or administrator-level access to a system, but once carried out it would deliver complete control of a system, according to Christopher Domas, a security researcher with the Battelle Memorial Institute.

Attackers could, for instance, implant a rootkit into a chip’s firmware, so that even if the operating system were re-installed, the malicious code would still be in place, he said.

At the conference, he released proof-of-concept code taking advantage of “an architectural 0-day built into the silicon itself, directed against a uniquely vulnerable string of code running on every single system”.

The bug was introduced in 1995 with the Pentium Pro, and was fixed with chips built from January 2011 onward, beginning with Intel’s Sandy Bridge core, Domas said, estimating that there are still hundreds of millions of chips in use that contain the vulnerability.

He said Intel has released firmware updates to address the issue, but he told the conference that for some systems it is unpatchable. Systems can, however, mitigate against the issue at the hypervisor level, security researchers said.

APIC bug

Domas’ attack makes use of an architectural weakness in the Advanced Programmable Interrupt Controller (APIC), a feature Intel introduced around 1993. In Pentium Pro and later chips, Intel introduced a feature allowing kernel-level developers to reprogram the local APIC so that it would make use of another area of physical memory, without noticing that this could be used to make it overlap the memory space of the chip’s System Management Mode (SMM), its most powerful “ring” of privilege. Domas called the vulnerability a “memory sinkhole”.

“This provides ring 0 code a small, indirect influence over SMM, and violates the fundamental architectural separation of the two execution modes,” Domas wrote in a paper released with the presentation. “The course granularity of the APIC position, combined with the inability to effectively control the APIC data, make the vulnerability extremely difficult, but not impossible, to apply in practice.”

Domas said he was able to design proof-of-concept code that makes use of this weakness to hijack System Management Mode, so that malicious code runs with SMM privileges. The attack was validated with “select” processor models, he said.

“The specific effects of the secondary payload are left to the reader’s imagination, but commonly include deeply persistent rootkits, hardware modifications, and system destruction,” Domas wrote.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

20 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

20 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

21 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

23 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

1 day ago