Security researchers Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy discovered two undocumented x86 instructions that can be used to modify the CPU microcode. The instructions can only be executed when the CPU runs in debug mode, which makes them not easily exploitable, though.
Being able to modify a CPU's microcode means you can re-program its instructions to do whatever you want. Usually, modifying CPU microcode is necessary to fix vulnerabilities and other types of bugs, which requires the CPU architecture to provide a mechanism to do it. CPU microcode updates are provided in encrypted form and the secret key that can decrypt them resides in the CPU itself. Getting access to the two instructions allows an attacker to bypass this barrier, says Goryachy:
In my opinion, on[e] of the main achievement [of] these instructions [is] bypassing the microcode update verification. Yes, you [are] right - it allows to craft your own persistent microcode patch without external debugger.
According to Ermolov, the two instructions are decoded in all processor modes, including user mode, but they will raise an undefined instruction exception unless the CPU is running in so-called red state. The red state is one of four possible DFx states supported by Intel System on a Chip, along with green, orange, and DAM. While the green state is used for normal CPU operation, the red and orange states enable debug access to all or parts of the CPU IPs.
On the good side of things, getting an Intel CPU to enter the red state is not easy to accomplish. In fact, it should never happen unless there are vulnerabilities in the Intel Management Engine (ME), an almost undocumented subsystem present in all Intel CPUs since 2008 that Intel says is required to provide full performance. Security researchers have in some cases claimed it is a security threat and users should disable it.
As a matter of fact, several vulnerabilities in Intel ME have been discovered in the past. Among others, Ermolov, Sklyarov, and Goryachy described a method to extract the secret key that is used inside the CPU to decrypt microcode updates, which also led to the possibility of executing your own microcode on the CPU or reading Intel's microcode.
The three researchers have posted a video demonstrating how to access the two instructions with only root/admin privileges. This requires uploading a custom UEFI to SPI flash and then rebooting the system, which definitely requires having physical access to it.
Ermolov, Sklyarov, and Goryachy are working on a disclosure paper and a full PoC. For the moment, Intel has refused to acknowledge the possibility of accessing the two hidden instructions as a vulnerability. InfoQ will continue to provide detailed reporting about this as new information will become available.