Pentium Computers Vulnerable to Attack? 227

An anonymous reader writes "One of the latest security scares is coming from security experts at CanSecWest/core '06 in the form of a possible hardware-specific attack. The attack is based on the built-in procedure that Pentium based chips use when they overheat. From the article: 'When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loïc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.'"
  • Physical access (Score:4, Insightful)

    by Toba82 ( 871257 ) on Tuesday April 11, 2006 @01:24PM (#15106913) Homepage
    Physical access trumps all security. Everyone knows this. This really isn't news, just an interesting new exploit that happens to affect a lot of... systems that are already vulnerable from the same people in the same situation.

    Move along, folks.
  • RAM access? (Score:3, Insightful)

    by Bogtha ( 906264 ) on Tuesday April 11, 2006 @01:25PM (#15106923)

    Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.

    How is it that an unprivileged user can write to such a sensitive location in the first place?

  • by SlappyBastard ( 961143 ) on Tuesday April 11, 2006 @01:32PM (#15106989) Homepage
    So, if I have a real firewall setup and I don't open every attachment I'm sent, I'm still safe, right? At the end of the day, you still have to run the exploit for it to work. So, how is that any worse than the rootkits running around at the moment? The vast majority of viruses still specifically depend on users who haven't hardened their systems.
  • AMD... (Score:1, Insightful)

    by Anonymous Coward on Tuesday April 11, 2006 @01:33PM (#15106992)
    Man, I better switch to AMD so I won't have to worry about viruses! *rolls eyes* Interesting info no doubt, but I hope this doesn't turn into an AMD is teh better fanboy episode... oh wait this is slashdot.
  • Re:FUD? (Score:5, Insightful)

    by PsychicX ( 866028 ) on Tuesday April 11, 2006 @01:34PM (#15107013)
    That's where this article gets a little sketchy.

    When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity,
    Ok, fine.
    Every computer that runs on x86 chip architecture may be vulnerable to this attack
    Wait. How did we get here?

    Let's go through this, again. Intel Pentium 4s are hot. No surprise there. They enter special modes when overheating that may introduce a security vulnerability. Fine. How does this cross over to AMD and Via chips again? AMD and Via processors don't have special modes like that. If system heat becomes critical they will simply shut the system down flat out. On a Pentium 4, overheating is not entirely unexpected, particularly on the high edge of the clock speeds. On an AMD or Via, overheating is a major failure condition, probably caused by a heatsink falling off.

    So, how are all x86 chips vulnerable, exactly? (Incidentally, between this and this [daemonology.net], AMD is really looking to be a much safer deal, not to mention faster, cooler, more power efficient, etc.)
  • by zenhkim ( 962487 ) on Tuesday April 11, 2006 @01:38PM (#15107046) Journal
    Just went and RTFA, and I'm frustrated by a lack of hard details about the new threat:

    - The article states that all x86 processors "could" be vulnerable. Does that mean the *entire* series of Pentium chips, even the older PIII and PII's? If so, are they equally as easy to compromise as the modern versions?

    - There is no mention of AMD architecture. Doesn't AMD have an equivalent "overheat failsafe" halt-and-cooldown function? Wouldn't that make AMDs vulnerable to this type of exploit as well, or do they require a slightly different attack?

    - Isn't the motherboard BIOS FlashROM responsible for the monitoring of and responding to dangerous CPU temperatures? Haven't they already been safeguarded against unauthorized writes, due to the Chernobyl virus?

    I think I'll hold off on ordering the prototype Borg implants when they come on the market.... :-(
  • by merlin_jim ( 302773 ) <.James.McCracken. .at. .stratapult.com.> on Tuesday April 11, 2006 @01:44PM (#15107111)
    Yeah, that's what I'm thinking - if they have already got authority to overwrite your System Management RAM and reprogram your CPU interrupts... one of two things has occurred:

    1. They don't NEED to do any of it because they already own your box

    2. The system designers really fucked the pooch good on the security design of these components

    Come on, even Windows knows that not just any Joe User should be able to reprogram the CPU interrupts...
  • by Oriumpor ( 446718 ) on Tuesday April 11, 2006 @01:47PM (#15107129) Homepage Journal
    Let me get this right: by DoSing the proc someone can overwrite the embedded code on the chip? If someone already owned the box and were to use this, it sounds like it would be the ultimate rootkit. Place in the proc, then when the system is hardened/reloaded initiate another DoS (lots are available for winblows) and voila, instant re-infected Zombie PC.

    Or am I confused?
  • by towsonu2003 ( 928663 ) on Tuesday April 11, 2006 @01:47PM (#15107134)
    FTFA: Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said.
    If they already have that much access to the system, aren't you already screwed?
    Decide already... Is this a cyberattack (online) or a physical attack (you sit in front of the computer and take out a blowtorch)??
  • Re:Good Times (Score:5, Insightful)

    by ObsessiveMathsFreak ( 773371 ) <obsessivemathsfreak.eircom@net> on Tuesday April 11, 2006 @02:07PM (#15107310) Homepage Journal
    Then a few years later, Microsoft brought us Outlook with automatic attachment opening, making the first part possible,

    The watershed for me will always be the IE image exploits, where a malicious website could run code simply by your browser attempting to download a carefully crafted image file.

    There I was, for years, telling people: "There's no way you can get a virus by just looking at a picture on the internet". Boy was I wrong.

    Bottom line: no matter what you pronounce impossible through software, invariably, somewhere out there, there exists a bug to accomplish just that.
  • by theLOUDroom ( 556455 ) on Wednesday April 12, 2006 @12:57AM (#15111368)
    SMM runs at permission levels beyond ring0, think of it as ring-1.

    So does anything that can load before your kernel. (Like a boot sector virus.)

    Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?

    This isn't really different than a boot sector. If you have root on a VIRTUAL server, you shouldn't have access to this or to the boot sector on the real filesystem.
  • by Myria ( 562655 ) on Wednesday April 12, 2006 @05:40AM (#15112220)
    How are you able to do any of that sequence of operations if you are not *already* executing as root or as ring 0? If you already have control of ring 0 and/or root, you can do what you want to the computer already. SMM doesn't get you anything special, except perhaps the ability to mess with internal processor states you can't normally (make writable code segments in protected mode, for example).

    By the way, whenever the CPU does a memory read or write while in SMM, it asserts the SMM# pin. This means that the hardware is fully able to consider SMM RAM to be totally separate from the main memory space - but most implementations don't. In fact, SMM has an instruction called "umov" that allows SMM hypervisors to read/write the main memory space. (umov is equivalent to mov when not in SMM.)

    If it's *really* a problem, change the motherboard, not the CPU. The motherboard can physically lock out the SMM memory space from even kernel programs if it so desires.

    Melissa
