Researchers allege that a technology in Intel microchips could potentially be activated and abused by bad actors – giving them complete access to all data across an affected device.
The Intel technology is called Visualization of Internal Signals Architecture (VISA), and is used for manufacturing-line testing of chips.
However, Maxim Goryachy and Mark Ermolov, security researchers with Positive Technologies, said in a Thursday Black Hat Asia session that VISA can be accessed – and subsequently abused – to capture data from the CPU using a series of previously-disclosed vulnerabilities in Intel technology.
“We researched this VISA technology primarily not as a means for attackers, but as a very powerful and useful tool to investigate internal chip workings,” the researchers told Threatpost. “We had physical access to platforms working with VISA and doing our experiments. We were not thinking of VISA from an attacker’s point of view and can’t give more vectors despite the physical access.”
VISA resides in the Platform Controller Hub (PCH) on the motherboard; the PCH is an Intel family of chipsets used specifically to support Intel CPUs.
The technology serves as a logic signal analyzer, which essentially creates custom rules for capturing and analyzing signals passed along the CPU’s digital circuit. Researchers said they believe it is used for manufacturing-line verification of chips.
“We came across the Intel VISA technology from analyzing XML files provided with Intel System Studio, in the System Trace Tool utility,” the researchers told Threatpost. “Those visa.xml files were found in some versions of Intel System Studio and we collected all of them which are available in all released versions of the System Studio.”
Intel VISA is disabled by default on commercial systems – but the researchers found several ways to activate the technology. This allowed them to partially reconstruct the internal architecture of the Platform Controller Hub and, within the chip, access certain critical data.
“VISA documentation is subject to an NDA and not available to ordinary users,” researchers said. “However, we…show how, with the help of publicly available methods, one can access all the might of this technology without any hardware modifications on publicly available motherboards.”
While researchers said that Intel VISA was previously undocumented, an Intel spokesperson told Threatpost that VIS (Visualization of Internal Signals) technology is included in the company’s publicly-available documentation, is part of Intel Trace Hub and is outlined in the company’s developer manual.
One such way to access and abuse Intel VISA, researchers specified, involves several previously-disclosed vulnerabilities, which Intel addressed in 2017 in an update dubbed INTEL-SA-00086.
The issues in this security update stem from an array of problems in three Intel components: The Intel Management Engine, a “small, low-power computer subsystem” on Intel chipsets that has full access to systems’ memory, network and more; Intel Trusted Execution Engine, which tests the authenticity of a platform and its operating system; and Intel Server Platform Services.
“Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to the platform, Intel ME feature and third-party secrets protected by the Intel Management Engine (ME), Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE),” said Intel in an advisory on the vulnerabilities.
The vulnerabilities could allow an attacker to impersonate any of the three, “thereby impacting local security feature attestation validity,” and helping them enable VISA.
An attacker could also use this vulnerability to execute arbitrary code outside of the visibility of the user and operating system, or cause the victim system to crash.
Intel, for its part, released a firmware update back in 2017 addressing several of these vulnerabilities. It also said that an attacker needs physical access to the platform’s firmware flash to exploit some of them.
The vulnerabilities in question translate to 10 CVEs – however, only three apply to the VISA attack, researchers said.
Those three are high-severity buffer overflow flaws (CVE-2017-5705) and high-severity privilege escalation flaws (CVE-2017-5708) in Intel Management Engine firmware; and high-severity buffer overflow flaws (CVE-2017-5706) in Intel Server Platform Services.
These vulnerabilities are just one of several ways to abuse Intel VISA, researchers said – other methods exist, including one that uses the Intel JTAG password and a fault injection technique into Intel Management Engine firmware read-only memory (ROM).
“There are other ways to enable VISA: Intel JTAG password and fault injection into [Intel Management Engine] firmware ROM,” researchers told Threatpost. “Also it must be noted that any new vulnerability which would be found in [Intel Management Engine] of a level similar to CVE-2017-5705/6/7 would also be able to activate Intel VISA. We simply undertook a fact that VISA is also controlled by [Intel Management Engine] despite other means, and it can be activated by [Intel Management Engine’s] vulnerabilities.”
Intel, for its part, said that it has mitigated the vulnerabilities in question that could be used to abuse the undocumented technology – and further, that an attacker would need physical access to a device to exploit them.
“This issue, as discussed at BlackHat Asia, relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017,” said Intel in a statement when reached by Threatpost. “Customers who have applied those mitigations are protected from known vectors.”
However, the researchers, who informed Intel about their findings regarding VISA in November 2018, said that the fixes issued under INTEL-SA-00086 don’t actually do anything to protect against the vulnerabilities regarding VISA.
That’s because “to exploit the bug you need write access to the [Intel Management Engine] region of SPI [Serial Peripheral Interface] flash,” researchers told Threatpost. SPI flash is a flash memory module that is accessed over the SPI bus.
“But if you have access to SPI you can also write an old vulnerable version of [Intel Management Engine] firmware (downgrade the firmware) together with the exploit,” they said. “Unfortunately, the current [Platform Controller Hubs] don’t have protection from the [Intel Management Engine] firmware downgrade so the fix issued by Intel doesn’t patch the flaw.”
This post was updated on April 1 at 8:30 a.m. to reflect Intel’s comments that its VIS technology is not undocumented.