Intel fixed vulnerability in Management Engine subsystem found by Positive Technologies experts
Intel has published a security bulletin in which it announced the release of a patch to fix a vulnerability in the Intel ME subsystem, which was discovered by Positive Technologies experts Mark Ermolov and Maxim Goryachy. Intel also published a special tool to help Windows and Linux system administrators find out if their hardware is vulnerable.
Intel Management Engine is a proprietary technology: a microcontroller, with a set of integrated peripherals, built into the Platform Controller Hub (PCH) chip. Almost all communication between the processor and external devices passes through the PCH, so Intel ME has access to almost all the data on the computer. The researchers found an error that allows unsigned code to be executed inside the PCH on any motherboard for processors of the Skylake family and higher.
For example, cybercriminals can use this security error to attack computers with a vulnerable version of Intel ME and potentially set “bookmarks” in the Intel ME code (for example, spyware) that most traditional security tools will not detect. This is because the “bookmark” runs on a separate chip, not on the CPU, on which most of the OS and traditional security tools work.
At the same time, the main system may remain operational, so the user may not suspect that spyware resistant to reinstalling the OS and updating the BIOS is running on their computer.
The Intel Security Bulletin provides a complete list of vulnerable processors:
- Intel Core generations 6, 7 and 8;
- Intel Xeon E3-1200 v5 and v6;
- Intel Xeon Scalable;
- Intel Xeon W;
- Intel Atom C3000;
- Apollo Lake Intel Atom E3900;
- Apollo Lake Intel Pentium;
- Celeron N and J series chips.
As Maxim Goryachy explained, “Intel ME is the main component of a huge number of devices around the world. That is why we considered it necessary to assess the degree of its security. This module sits deep under the OS and allows you to see an extensive range of data. An attacker can take advantage of this privileged access level to carry out attacks that are hidden from the attention of traditional protection methods such as anti-virus software. Our close collaboration with Intel was aimed at responsible disclosure, and Intel took preventative measures and developed a tool to determine if the system is vulnerable. This is described in detail on the Intel website.”
Positive Technologies experts will provide details about the vulnerability in Intel ME at the Black Hat Europe conference, which will be held in London from December 4 to 7. Also, at the Chaos Communication Congress (34C3), which will be held in late December in Leipzig, Germany, the researchers will talk about how they managed to activate hardware debugging (JTAG) for the Intel Management Engine, which allows full access to all Platform Controller Hub (PCH) devices.
During a Positive Technologies webinar, Mark Ermolov and Maxim Goryachy talked about the internal structure and features of Intel ME and about minimizing the risks of possible errors in its operation. In addition, the experts described in detail how they managed to detect a mode that disables the main functions of this subsystem. The recording and slides of this presentation are available here.