Rugged News

New Rootkit Exploit Discovered Affects All Intel SMM-Enabled x86 CPUs

by Vlad Tudorie on August 8, 2015

In recent reports, Christopher Domas, a researcher at the Battelle Memorial Institute, has disclosed a security vulnerability present in all Intel x86-based CPUs, and possibly most if not all AMD ones, dating all the way back to 1997. It allows an attacker who already holds kernel or system privileges to install rootkit software through the SMM hardware feature that has been present on all Intel CPUs for the past 21 years.

Let’s first give a layman’s explanation of how rootkit exploits work, to avoid confusion. A rootkit is a type of software, usually malicious, containing tools that allow an attacker to gain partial or total control of the computer system it is running on.

Intel vPro technology, along with Intel VT and the Intel Management Engine firmware, attempts to provide security against these types of exploits, but is ironically vulnerable itself, as shown by the myriad exploits demonstrated at hacking conventions. Secure Management Mode (SMM) was introduced with the Intel 386SL in 1994 and has been present in all CPUs since. It provided entities like the NSA with convenient hardware backdoors into Intel systems, and these were first discovered in 1997.

Discussions of the SMM vulnerability flooded the Internet in 2009 with the introduction of Ring -3 rootkits, which exploited the SMM function using CPU cache poisoning techniques.

These issues apparently went under the radar without being fixed, because in very recent news Christopher Domas of the Battelle Memorial Institute revealed a new type of exploit against SMM that allows an attacker to delete the UEFI or BIOS, or to reinfect the operating system following a clean installation. Mr. Domas went on to speculate that AMD CPUs may be affected as well.

As a small consolation, an attacker first needs kernel or system privileges in order to install the rootkit, yet that does not represent much of a defense for companies that let users create root accounts, such as web hosting services. It would suffice for a user to purchase one of the myriad hosting plans available for a few dollars and, once root privileges are obtained, infect the server and attempt to use it as a base to gain access to the rest of the network.

These kinds of attacks are rendered even more dangerous by the low-level hardware access afforded to the attacker, which allows for near-undetectable infection.

Intel already knows about the problem and is rolling out firmware updates for its CPUs in order to mitigate the damage. Mr. Domas, though, has claimed that not all processors can even be patched this way.

Even if they can, considering Intel’s track record on this issue and the steady discovery of yet more weaknesses in SMM after more than twenty years, we’re keeping our expectations low.

Unfortunately, Intel still produces the most powerful consumer CPUs at the moment, and AMD has not yet made a statement regarding the existence of this possible flaw in its own CPUs, though it copied the SMM functionality with the 80486 CPU and has included it ever since.

That being said, we all need more compute power. If you’re in the market for a new Intel CPU, you can help us out by using our affiliate link.

  • May 9, 2017 at 2:10 am

    Hi – Great article and very informative. So much so that I have added it to my website as an example of vulnerabilities unaddressed in our tech industry. My website is to locate a reasonable investor to bring my new anti-hacking/antivirus tech into reality.

    If you are so inclined please visit it. Your article link is on the following page:
