Security researchers have found another major flaw in most of Intel’s chips. This is not a leak in speculative execution, but in the Trusted Platform Module in the CPUs.
The vulnerability is in the TPM, a chip on which sensitive information is processed, such as the temporary storage of security keys. Such a TPM used to be a physical extra chip. Although this still occasionally occurs, most manufacturers now use a separate microcontroller in the chip. The researchers also discovered the leak in such firmware-based fTPMs. It contains a ‘timing leak’, where the timestamp of the nonce can be tapped. In this way, the researchers were able to intercept a 256-bit private key.
It is striking that, in contrast to many recent CPU vulnerabilities, this vulnerability can be used in practice, the researchers say. “Depending on the level of access on the machine, an attacker can retrieve a key from the fTPM in four to twenty minutes,” they write. The leak can also be exploited from a distance. The researchers describe how they managed to intercept the authentication key of a VPN server in five hours. To do this, they had to perform about 45,000 handshakes and compare the results.
The leak was discovered by security researchers at Worcester Polytechnic Institute and the University of California in America, and the University of Lübeck. Specifically, the vulnerability is in post-2013 Intel chips starting with the Haswell generation. In addition, the ST33 TPM chip from STMicroelectronics is vulnerable. The latter is mainly used in cloud servers. The vulnerabilities are known as CVE-2019-11090 for Intel chips and CVE-2019-19863 for the STMicroelectronics chip, but the discoverers refer to them as TPM-Fail.
Both Intel and STMicroelectronics have since released patches. They did so after the researchers pointed out the leak to them. Lately, there have been more leaks in Intel CPUs. Earlier this year, it was revealed that virtually all of the company’s chips were vulnerable to a side-channel attack, and this week it became clear that that vulnerability is still not fully resolved. In this specific case it is easier to patch the vulnerability. In the previous speculative execution vulnerabilities, this had to be done with a microcode update, but in this case it is a relatively simple firmware update.