Apple has closed the firmware vulnerability found by Positive Technologies experts



Image: Unsplash

The patched vulnerability made it possible to exploit a dangerous flaw in the Intel Management Engine subsystem, and it may still be present in devices from other vendors that use Intel processors.

Apple has released an update for macOS High Sierra 10.13.4 that eliminates a vulnerability in PC firmware (CVE-2018-4251), discovered by Positive Technologies experts Maxim Goryachiy and Mark Yermolov. Detailed information is available on the Apple support site.

This is how Maxim Goryachiy describes the problem: “The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of the firmware, write a vulnerable version of Intel ME and, by exploiting it, secretly gain a foothold on the device. In the future, he will be able to gain complete control over the computer and carry out espionage activities without the slightest probability of being detected.”

About Manufacturing Mode

Intel ME has a special operating mode, the so-called Manufacturing Mode, intended exclusively for motherboard manufacturers. This mode provides additional capabilities that an attacker can use. Researchers, including our company (How to Become the Sole Owner of Your PC), have already written about the danger of this mode and its effect on how Intel ME works, but many manufacturers still do not turn it off.

While in Manufacturing Mode, Intel ME accepts a special command after which the ME region becomes writable through the SPI controller integrated into the motherboard. An attacker who can run code on the targeted system and send commands to Intel ME can then overwrite the Intel ME firmware, including with a version vulnerable to CVE-2017-5705, CVE-2017-5706 and CVE-2017-5707, and thus execute arbitrary code on Intel ME even on systems where the patch is installed.

It turned out that this mode is also enabled on the MacBook. Although the firmware itself provides additional protection against overwriting SPI flash regions (if write access to any region is open, the firmware does not allow the OS to boot), the researchers found an undocumented command that restarts Intel ME without restarting the main system, which made it possible to bypass this protection. It is worth noting that a similar attack can be carried out not only on Apple computers.

Positive Technologies has developed a utility that checks the status of Manufacturing Mode. Download it at this link. If the result shows that the mode is enabled, we recommend contacting the manufacturer of your computer for instructions on how to turn it off. The utility is intended for Windows and Linux; users of Apple computers only need to install the update mentioned above.
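As an added illustration of what such a check looks like (this is example code written for this article, not the Positive Technologies utility), the script below decodes the Intel ME Host Firmware Status register 1 (HFSTS1), whose bit 4 reports Manufacturing Mode according to the `me_hfs` layout used in coreboot's Intel ME status code. The sysfs path of the MEI/HECI device (00:16.0) and the PCI configuration offset 0x40 are assumptions; the two sample register values are constructed, not captured from real hardware.

```python
"""Decode Intel ME HFSTS1 and report whether Manufacturing Mode is enabled.

Example code for this article (not Positive Technologies' utility).  Bit
layout follows coreboot's me_hfs structure; the sysfs path and the PCI
config offset used by read_hfsts1_linux() are assumptions.
"""
import struct
from pathlib import Path

# PCI configuration-space offset of HFSTS1 in the MEI/HECI device (assumed).
HFSTS1_OFFSET = 0x40
# Usual sysfs location of the MEI device on Linux (assumed).
MEI_PCI_CONFIG = Path("/sys/bus/pci/devices/0000:00:16.0/config")

# (field name, low bit, width), per coreboot's me_hfs layout.
HFSTS1_FIELDS = (
    ("working_state", 0, 4),
    ("mfg_mode", 4, 1),           # 1 = Manufacturing Mode enabled
    ("fpt_bad", 5, 1),
    ("operation_state", 6, 3),
    ("fw_init_complete", 9, 1),
    ("ft_bup_ld_flr", 10, 1),
    ("update_in_progress", 11, 1),
    ("error_code", 12, 4),
    ("operation_mode", 16, 4),
    ("reserved", 20, 4),
    ("boot_options_present", 24, 1),
    ("ack_data", 25, 3),
    ("bios_msg_ack", 28, 4),
)


def decode_hfsts1(value: int) -> dict:
    """Split a 32-bit HFSTS1 value into its named bit fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("HFSTS1 is a 32-bit register")
    return {name: (value >> low) & ((1 << width) - 1)
            for name, low, width in HFSTS1_FIELDS}


def manufacturing_mode_enabled(value: int) -> bool:
    """True when the mfg_mode bit of HFSTS1 is set."""
    return bool(decode_hfsts1(value)["mfg_mode"])


def read_hfsts1_linux(config_path: Path = MEI_PCI_CONFIG) -> int:
    """Read HFSTS1 from the MEI device's PCI config space (needs root)."""
    with config_path.open("rb") as f:
        f.seek(HFSTS1_OFFSET)
        raw = f.read(4)
    if len(raw) != 4:
        raise OSError("short read from PCI config space")
    return struct.unpack("<I", raw)[0]


def report(value: int) -> str:
    """One-line verdict a user can act on (contact the vendor if enabled)."""
    fields = decode_hfsts1(value)
    verdict = ("ENABLED - contact your vendor for instructions to disable it"
               if fields["mfg_mode"] else "disabled")
    return f"HFSTS1=0x{value:08x}: Manufacturing Mode {verdict}"


# Constructed sample values (not captured from real hardware).
SAMPLE_NORMAL = 0x90000245  # working_state=5, fw_init_complete=1, mfg_mode=0
SAMPLE_MFG = 0x90000255     # same, but bit 4 (mfg_mode) set

if __name__ == "__main__":
    try:
        print(report(read_hfsts1_linux()))
    except OSError as e:
        print(f"could not read MEI config space ({e}); showing constructed samples")
        for v in (SAMPLE_NORMAL, SAMPLE_MFG):
            print(report(v))
```

Run it as root on a Linux machine to read the live register; without privileges, or on a machine without an exposed MEI device, it falls back to decoding the two constructed samples so the field decoding can still be inspected.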

About the Intel Management Engine

The Intel Management Engine is a microcontroller integrated into the Platform Controller Hub (PCH) chip together with a set of embedded peripherals. Almost all communication between the processor and external devices passes through the PCH, so Intel ME has access to almost all data on the computer. The researchers found a flaw that allows unsigned code to be executed inside the PCH on any motherboard for processors of the Skylake family and later.

About the scale of the problem

Vulnerable Intel chipsets are used all over the world, from home and work laptops to corporate servers. The previously released Intel update did not rule out exploitation of CVE-2017-5705, CVE-2017-5706 and CVE-2017-5707, because an attacker with write access to the ME region can always write a vulnerable ME version and exploit the vulnerability in it.
