Intel Chip Vulnerability Could Lead to Stealthy Rootkits

Security researchers have turned the spotlight on an Intel chip vulnerability that could allow hackers unauthorized access to system management mode code. The hack was disclosed recently by the efforts of two separate researchers, but was apparently first uncovered by Intel employees.

Security researchers have released proof of concept exploit code for an Intel chip flaw that could be abused to compromise computer systems with stealthy rootkits.

The attack takes advantage of an Intel CPU caching vulnerability that can be used to get unauthorized access to SMRAM, a protected region of system memory where the system management mode (SMM) code lives. Joanna Rutkowska and Rafal Wojtczuk of Invisible Things Lab released a paper with proof of concept code yesterday, while Loic Duflot, a research engineer for the French Central directorate for Information System Security, was slated to simultaneously make a presentation on the issue at the CanSecWest conference in Vancouver.

Duflot and the researchers at Invisible Things Lab discovered the flaw separately - though apparently neither are the first to report its existence. According to the team at Invisible Things Lab, the flaw was actually found initially by Intel employees, who wrote about how this class of CPU caching vulnerability could be exploited back in 2005.

The attack assumes the hacker has access to certain platform MSR registers. Technical details of the attack can be found here in the paper from Invisible Things Lab. Successful exploitation of the CPU cache poisoning allows hackers to read or write to SMRAM, which is otherwise protected.

"The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs," Rutkowska, CEO of Invisible Things Lab, explained in a blog post.

According to Invisible Things Lab, this marks the third attack on SMM memory they have found in the last 10 months affecting Intel-based systems.

"Intel has informed us that they have been working on a solution to prevent caching attacks on SMM memory for quite a while and have also engaged with OEMs/BIOS vendors to implement certain new mechanisms that are supposed to prevent the attack," according to the paper. "According to Intel, many new systems are protected against the attack. We have found out, however, that some of Intel's recent motherboards, like e.g. the popular DQ35, are still vulnerable to the attack."

In her blog, Rutkowska added that researchers should not be blamed for publishing information they find about a bug if vendors do not move quickly enough.

"If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later," she wrote.