Researchers Exploit Undocumented Intel VISA Debug Controller To Intercept System Data

It was just a few weeks ago when we told you about the SPOILER speculative attack that affects Intel processors, and now we’re learning of a new security exploit that takes advantage of the company’s Visualization of Internal Signals Architecture (VISA). The VISA exploit was detailed to the public at a Black Hat Asia 2019 session entitled Intel VISA: Through the Rabbit Hole.

9980xe with mug

First identified by Maxim Goryachy and Mark Ermolov, this latest vulnerability leverages the VISA logic signal analyzer that is incorporated into the Platform Controller Hub (PCH) found on Intel-based motherboards and in Intel processors. According to the researchers, it is capable of “monitoring the state of internal lines and buses in real time.”

The researchers explain that VISA gives access to a treasure trove of information, including:

  • Low-level access to CPU signals on the customer’s platform
  • Study of speculative execution and out-of-order
  • Reconstruction of internal architecture.

According to the researchers, the amount of data flowing through VISA (and the Management Engine) not only provides a wealth of data to researchers, but could also be exploited by nefarious parties. Crucially, accessing VISA can be done without the need to perform hardware modifications on a system.

The PCH can handle communications between the processor and external components like the display and peripherals (webcams, keyboards, mice, etc.). VISA can capture these signals, which means that any unauthorized access to a machine – perpetrated through malware, for example – could give an attacker access to a wealth of information if they can decipher the flow of information.

intel visa

Goryachy and Ermolov say that the documentation relating to VISA is under NDA and not publicly available. However, they were still able to exploit systems using publicly available mitigations accessible via the internet.

ZDNet separately reports that Intel considers this matter closed, stating that the VISA exploit, “Relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017. Customers who have applied those mitigations are protected from known vectors.”

However, Ermolov counters that Intel’s firmware can be downgraded, nullifying the protections introduced with Intel-SA-00086. For a look at how Goryachy and Ermolov compromised the ME and VISA, you can check out the pair’s presentation files right here [PDF]