In late March, security researchers published new research on a previously undocumented debugging feature of Intel motherboards and CPUs known as VISA (Visualization of Internal Signals Architecture).
TL;DR: If your system is affected (please see the advisory), ensure that you have applied the fixes from Intel’s advisory, and only allow trusted individuals physical access to your systems (e.g. servers and workstations): https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
What is this technology?
VISA (Visualization of Internal Signals Architecture) is a logic signal analyser within the Platform Controller Hub (PCH) of motherboards since the release of the 5-Series Chipsets (November 2008 onwards). This can be used for debugging purposes during manufacturing and is disabled by default.
This feature allows for the real-time monitoring of internal data and address lines as well as other buses within the motherboard.
What is the risk of having this technology within my motherboard?
The researchers demonstrated 3 methods of exploiting this feature:
- Previously known high-severity buffer overflow and privilege escalation flaws within the Intel Management Engine (ME), patched by Intel in 2017
- Use of the Intel JTAG password
- A fault injection technique against the Intel Management Engine firmware read-only memory (ROM)
If you have already patched the first of these, an attacker would require physical access to your system in order to exploit the remaining 2 methods, so the residual risk would be low.
As per Microsoft’s Immutable Laws of Security (the official link seems to have been removed): if an attacker has physical access to a computer system, it can’t be considered your system anymore, since the avenues of attack then open to them are numerous and little can be done to prevent this.
How can I protect my organisation or system from misuse of this debugging feature?
Check your systems using Intel’s downloadable tool to determine whether they are vulnerable to the known issues from 2017.
If so, please contact the manufacturer of your system or motherboard to obtain the appropriate firmware updates for your system. You can provide them with a link to Intel’s security advisory for further details.
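Intel’s tool is the authoritative check, but when you have many systems it helps to have a quick inventory pass of the ME firmware version each host reports. The script below is an added example for this post (it is not Intel’s detection tool and not code from the post or from Intel): it parses the `platform:version` lines the Linux `mei` kernel driver exposes at `/sys/class/mei/mei0/fw_ver` and flags any host whose firmware branch build is below a per-branch minimum. The threshold table, host names and version strings in the sample inventory are constructed placeholders; the real fixed build per branch must be copied from Intel’s advisory before the verdicts mean anything, and reading the sysfs attribute assumes the `mei` driver is loaded.

```python
"""Parse Intel ME firmware version strings and compare each against a
per-branch minimum "fixed" version.

Added example for this post; it is NOT Intel's SA-00086 detection tool, and
the threshold table below is a CONSTRUCTED PLACEHOLDER. Take the real
fixed-version table from Intel's advisory before relying on the result.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]   # major.minor.hotfix.build
Branch = Tuple[int, int]              # (major, minor) firmware branch

# PLACEHOLDER thresholds keyed by firmware branch. These numbers are made up
# for the demo; the advisory lists the actual fixed build for each branch.
PLACEHOLDER_MIN_FIXED: Dict[Branch, Version] = {
    (11, 0): (11, 0, 40, 1000),
    (11, 8): (11, 8, 60, 2000),
}


def parse_version(text: str) -> Version:
    """Turn '11.8.10.1000' into (11, 8, 10, 1000); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ME version string: {text!r}")
    major, minor, hotfix, build = (int(p) for p in parts)
    return (major, minor, hotfix, build)


def parse_fw_ver_sysfs(content: str) -> List[Version]:
    """Parse the 'platform:version' lines the Linux mei driver exposes at
    /sys/class/mei/mei0/fw_ver (one line per platform entry, e.g. '0:11.8.10.1000')."""
    versions: List[Version] = []
    for line in content.splitlines():
        line = line.strip()
        if not line:
            continue
        _platform, sep, ver = line.partition(":")
        versions.append(parse_version(ver if sep else line))
    return versions


def assess(version: Version, min_fixed: Dict[Branch, Version]) -> str:
    """Classify one version as 'fixed', 'needs-update' or 'unknown-branch'.
    An unknown branch is NOT treated as safe: look it up in the advisory."""
    minimum = min_fixed.get((version[0], version[1]))
    if minimum is None:
        return "unknown-branch"
    # Tuple comparison is lexicographic, so hotfix and build are compared in order.
    return "fixed" if version >= minimum else "needs-update"


def assess_host(fw_ver_content: str, min_fixed: Dict[Branch, Version]) -> str:
    """Worst-case verdict for a host: 'needs-update' wins, then 'unknown-branch'."""
    verdicts = {assess(v, min_fixed) for v in parse_fw_ver_sysfs(fw_ver_content)}
    for worst in ("needs-update", "unknown-branch", "fixed"):
        if worst in verdicts:
            return worst
    return "unknown-branch"   # empty content: nothing to assess, so do not report fixed


def read_local_fw_ver(path: str = "/sys/class/mei/mei0/fw_ver") -> Optional[str]:
    """Read the local sysfs attribute; None when the mei driver is absent."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample inventory (host -> fw_ver content); not real hosts or versions.
SAMPLE_INVENTORY = {
    "ws-01": "0:11.8.10.1000\n1:11.8.10.1000\n",
    "ws-02": "0:11.8.70.2500\n",
    "srv-01": "0:12.0.10.1127\n",
}

if __name__ == "__main__":
    for host, content in SAMPLE_INVENTORY.items():
        print(f"{host}: {assess_host(content, PLACEHOLDER_MIN_FIXED)}")
    local = read_local_fw_ver()
    if local is not None:
        print(f"this host: {assess_host(local, PLACEHOLDER_MIN_FIXED)}")
```

Run it with `python3` on a Linux host; it prints the three sample verdicts and, if the `mei` driver is present, a verdict for the local machine. Treat `unknown-branch` as "go and check the advisory", never as a pass, and remember that the version string comes from the ME itself, so this is an inventory aid rather than proof that the firmware is intact.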
Please only allow authorised and trusted individuals physical access to your systems. Be aware that attackers can socially engineer you into providing physical access to a system by impersonating your internal IT support or security staff. Please check that such individuals work for or on behalf of your company before allowing them access.
Personally, my Asus ROG Rampage VI Apex system has received 3 Intel ME firmware updates to address security vulnerabilities first identified in 2017. Intel’s tool linked above shows my system as not vulnerable to the issues listed within its advisory.