Intel has released fixes for new ME firmware vulnerabilities
In early July, Intel released two security advisories (SA-00112 and SA-00118) describing fixes in the Intel Management Engine firmware. Both bulletins describe bugs that allow an attacker to execute arbitrary code on the internal PCH processor (Minute IA).
These bugs are similar to the ones found by Positive Technologies security researchers in November of last year (SA-00086). The story did not end there, however, and Intel has now released new fixes for vulnerabilities in ME.
CVE-2018-3627, described in SA-00118, is marked in the bulletin as a logic error (not a buffer overflow) that leads to arbitrary code execution. To exploit it, an attacker needs local access, whereas the vulnerability discussed in SA-00086 could be exploited locally only if the OEM had made system configuration mistakes. This makes the new vulnerability more dangerous.
In the case of CVE-2018-3628 (described in SA-00112), things are even worse. A vulnerability in the AMT process of the Management Engine leads to remote code execution, and the attacker does not need an AMT administrator account, as was required to exploit CVE-2017-5712 from SA-00086.
Intel describes this bug as a "Buffer Overflow in HTTP Handler", which suggests that code can be executed remotely without authorization. This is the worst-case scenario that all users of Intel platforms fear. The bug is similar to the well-known CVE-2017-5689, found in May 2017 by Embedi, but with far more serious consequences.
The situation is somewhat mitigated by the fact that, according to Intel, CVE-2018-3628 can only be exploited from the local subnet.
Positive Technologies experts plan to study these bugs in more detail in the future. It is notable that, in its remediation recommendations, Intel lists the same firmware versions as for SA-00086. It is possible that these bugs were found during the security review of the Intel ME code carried out as part of SA-00086, but that Intel chose to publish them later in order to soften the negative impression created by the number of critical bugs in SA-00086.
Other Positive Technologies security materials on Intel ME:
- How to hack a turned off computer or execute code in Intel ME
- Intel has removed a vulnerability in the Management Engine subsystem found by Positive Technologies experts
- Intel ME vulnerability allows unsigned code execution
- Turn off Intel ME 11 using undocumented mode
- We struggle with remote control: how to disable Intel ME