What we learned about Intel ME security in recent years: 7 facts about the mysterious subsystem
In the past couple of years, Intel ME technology has come under close scrutiny from researchers. The technology is surrounded by an aura of mystery: although it has access to almost all data on a computer, and compromising it allows an attacker to seize complete control of the machine, there is no official documentation or manual from the manufacturer for working with it. Researchers around the world therefore have to work out on their own how the subsystem operates.
We have been studying Intel ME for the last few years, and this is what we have been able to learn about this mysterious subsystem so far.
Vulnerabilities in ME make it possible to hack even a turned-off computer
At the end of 2017, at the Black Hat Europe conference, Positive Technologies researchers Mark Yermolov and Maxim Goryachiy presented a vulnerability in Intel Management Engine 11 that gives an attacker access to most of the data and processes on the device. We published a detailed description of the problem in our blog on Habr.
The vulnerability in Intel ME allowed arbitrary code to be executed inside the subsystem. This in turn compromises the platform technologies that depend on ME, such as Intel Protected Audio Video Path (PAVP), Intel Platform Trust Technology (PTT, the firmware TPM), Intel Boot Guard, Intel Software Guard Extensions (SGX) and many others.
The JTAG debugging mechanism can be used to intercept ME data
By exploiting a bug in the bup (bring-up) module, the researchers were able to turn on a mechanism called PCH red unlock, which grants full access to every device in the PCH through the DFx chain, that is, over JTAG. One of those devices is the ME core itself. This made it possible to debug the code running on ME, read the memory of every process and of the kernel, and control every device inside the PCH. By the researchers' count, a modern computer contains about 50 such internal devices in total; only ME has full access to all of them, while the main processor can reach only a very limited subset.
This level of access also means that an attacker exploiting the vulnerability bypasses traditional software-based protection entirely and can carry out attacks even while the computer is turned off: ME keeps running on standby power for as long as the platform has it.
JTAG can be activated in the mobile version of ME
Intel TXE (Trusted Execution Engine) is the variant of ME found on low-power, Atom-based mobile and embedded platforms. The INTEL-SA-00086 vulnerability allows JTAG to be activated for the subsystem core there as well. Positive Technologies researchers developed a JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform; the utility can be used to activate JTAG for Intel TXE.
The subsystem can be disabled using an undocumented mode
While studying the internal architecture of Intel Management Engine (ME) version 11, Maxim Goryachiy and Mark Yermolov discovered a mechanism that disables the technology after the hardware has been initialized and the main processor has started. They found that although ME cannot be disabled completely on modern computers, the subsystem has an undocumented mode called High Assurance Platform (HAP). The researchers located a special HAP bit; when it is set, Intel ME shuts itself down at an early stage of its boot process.
High Assurance Platform is the name of a trusted-platform program associated with the US National Security Agency (NSA); a presentation describing the program is available online. The mechanism was probably introduced at the request of US government agencies seeking to reduce the likelihood of data leakage through side channels.
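The HAP bit lives in the PCH strap section of the SPI flash descriptor, so setting it is a matter of parsing the descriptor and flipping one bit. The script below is an added example written for this article; it is not Positive Technologies' code or Intel's tooling. The descriptor layout it relies on (signature 0x0FF0A55A at offset 0x10, FLMAP0 at 0x14 carrying FRBA in bits 23:16, FLMAP1 at 0x18 carrying FPSBA in bits 23:16, 32-bit region entries at FRBA) is the public Intel SPI descriptor format; the HAP bit position, bit 16 of PCHSTRP0, is the one the open-source me_cleaner tool uses for ME 11 and later and is an assumption to verify for your own platform. The sample image it builds is constructed, not a real dump.

```python
"""Locate the PCH straps in an Intel SPI flash image and set the HAP bit.

Added example for this article (not Positive Technologies' or Intel's code).
Assumptions: public Intel flash descriptor layout; HAP bit = bit 16 of
PCHSTRP0 as used by me_cleaner for ME >= 11 (verify for your platform).
"""
import struct
import sys

DESCRIPTOR_SIGNATURE = 0x0FF0A55A
HAP_BIT = 1 << 16  # assumption: bit 16 of PCHSTRP0 (ME >= 11, per me_cleaner)
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
UNUSED_REGION = 0x00007FFF  # base field all ones, limit 0: base > limit


def parse_descriptor(image: bytes) -> dict:
    """Return the PCH strap base address and the populated flash regions."""
    if struct.unpack_from("<I", image, 0x10)[0] != DESCRIPTOR_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # Flash PCH Strap Base Address
    regions = {}
    for index, name in enumerate(REGION_NAMES):
        entry = struct.unpack_from("<I", image, frba + 4 * index)[0]
        base = (entry & 0x7FFF) << 12
        limit = (((entry >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:  # an unused region is encoded with base > limit
            regions[name] = (base, limit)
    return {"fpsba": fpsba, "regions": regions}


def hap_bit_set(image: bytes) -> bool:
    """True if PCHSTRP0 already carries the HAP bit."""
    fpsba = parse_descriptor(image)["fpsba"]
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with the HAP bit set; nothing else changes."""
    fpsba = parse_descriptor(image)["fpsba"]
    patched = bytearray(image)
    pchstrp0 = struct.unpack_from("<I", patched, fpsba)[0]
    struct.pack_into("<I", patched, fpsba, pchstrp0 | HAP_BIT)
    return bytes(patched)


def build_sample_image() -> bytes:
    """A constructed 32 KiB image with a minimal descriptor (not a real dump)."""
    image = bytearray(b"\xFF" * 0x8000)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<I", image, 0x10, DESCRIPTOR_SIGNATURE)
    struct.pack_into("<II", image, 0x14, (frba >> 4) << 16, (fpsba >> 4) << 16)
    # Region entries hold base and limit in 4 KiB pages (limit = last page).
    struct.pack_into("<I", image, frba + 0, (0x0 << 16) | 0x0)  # Descriptor 0x0000-0x0FFF
    struct.pack_into("<I", image, frba + 4, (0x7 << 16) | 0x6)  # BIOS       0x6000-0x7FFF
    struct.pack_into("<I", image, frba + 8, (0x5 << 16) | 0x1)  # ME         0x1000-0x5FFF
    struct.pack_into("<I", image, frba + 12, UNUSED_REGION)     # GbE (absent)
    struct.pack_into("<I", image, frba + 16, UNUSED_REGION)     # Platform Data (absent)
    struct.pack_into("<I", image, fpsba, 0x00000000)            # PCHSTRP0 with HAP clear
    return bytes(image)


if __name__ == "__main__":
    # Usage: python hap_bit.py dump.bin patched.bin  (file names are placeholders)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    for name, (base, limit) in parse_descriptor(data)["regions"].items():
        print(f"{name:14s} 0x{base:08X}-0x{limit:08X}")
    print("HAP bit already set" if hap_bit_set(data) else "setting HAP bit")
    with open(dst, "wb") as f:
        f.write(set_hap_bit(data))
```

Two practical caveats. On a production board the descriptor region is write-protected from the host, so the patched image has to be written back with an external SPI programmer, and a corrupted descriptor leaves the board unbootable; keep the original dump. And, as the text above says, HAP does not remove ME: the ROM and early bring-up code still run, the subsystem simply halts early instead of continuing to full operation.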
ME security flaws compromised MacBook
In June 2018, Apple released updates that fix a vulnerability in ME, CVE-2018-4251. The error lies in the Intel ME Manufacturing Mode component, a service mode designed for configuring and testing the finished platform during production. This mode allows critical platform parameters stored in one-time-programmable memory (fuses) to be set. It must be disabled before the equipment goes on sale and is shipped to the user.
Neither this mode nor its potential risks are described in Intel's public documentation. An ordinary user has no way to turn it off on their own, since the utility that manages it, part of the Intel ME System Tools package, is not officially available.
The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of the firmware, write a vulnerable version of Intel ME and, by exploiting it, covertly establish persistence on the device. From there the attacker can gain complete control of the computer and conduct espionage with little chance of ever being detected.
Vulnerable Intel chipsets are used all over the world, from home and work laptops to corporate servers. The update Intel released earlier did not rule out exploitation of CVE-2017-5705, CVE-2017-5706 and CVE-2017-5707: if an attacker has write access to the ME region, they can always write back a vulnerable version of ME and exploit the vulnerability in it.
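Because Intel's tool for managing Manufacturing Mode is not publicly available, a practitioner will at least want to know whether a platform shipped with the mode still on. The script below is an added example written for this article, not Positive Technologies' mmdetect utility and not Intel code. It reads ME Host Firmware Status register 1 (HFSTS1) from the PCI configuration space of the MEI/HECI device (bus 0, device 0x16, function 0, offset 0x40) via sysfs on Linux, which needs root, and decodes it; the bit layout (bits 3:0 working state, bit 4 Manufacturing Mode, bit 5 FPT bad, bits 8:6 operation state, bit 9 firmware init complete, bits 15:12 error code, bits 19:16 operation mode) follows coreboot's intelmetool. The sample register values are constructed, not captured from hardware.

```python
"""Check whether Intel ME Manufacturing Mode is enabled, via HFSTS1.

Added example for this article (not Positive Technologies' mmdetect and not
Intel code). Register offset and bit layout follow coreboot's intelmetool;
the sysfs path is Linux-specific and reading past offset 0x40 needs root.
"""
from pathlib import Path

HFSTS1_OFFSET = 0x40
MEI_CONFIG = Path("/sys/bus/pci/devices/0000:00:16.0/config")

WORKING_STATES = {0: "reset", 1: "initializing", 2: "recovery", 5: "normal",
                  6: "wait", 7: "transition", 8: "invalid"}
OPERATION_STATES = {0: "preboot", 1: "M0 with UMA", 4: "M3 without UMA",
                    5: "M0 without UMA", 6: "bring up",
                    7: "M0 without UMA, with error"}
OPERATION_MODES = {0: "normal", 2: "debug", 3: "soft temporary disable",
                   4: "security override via jumper",
                   5: "security override via MEI message"}


def decode_hfsts1(value: int) -> dict:
    """Break a 32-bit HFSTS1 value into the fields that matter here."""
    def lookup(table, code):
        return table.get(code, f"unknown ({code})")
    return {
        "working_state": lookup(WORKING_STATES, value & 0xF),
        "manufacturing_mode": bool(value & (1 << 4)),
        "fpt_bad": bool(value & (1 << 5)),
        "operation_state": lookup(OPERATION_STATES, (value >> 6) & 0x7),
        "fw_init_complete": bool(value & (1 << 9)),
        "error_code": (value >> 12) & 0xF,
        "operation_mode": lookup(OPERATION_MODES, (value >> 16) & 0xF),
    }


def manufacturing_mode_enabled(value: int) -> bool:
    """Bit 4 of HFSTS1 is the Manufacturing Mode flag."""
    return decode_hfsts1(value)["manufacturing_mode"]


def read_hfsts1(config_path: Path = MEI_CONFIG) -> int:
    """Read HFSTS1 from the MEI device's PCI config space (Linux, root)."""
    raw = config_path.read_bytes()
    vendor = int.from_bytes(raw[0:2], "little")
    if vendor != 0x8086:
        raise RuntimeError(f"unexpected vendor id 0x{vendor:04x} at {config_path}")
    if len(raw) < HFSTS1_OFFSET + 4:
        # Unprivileged reads of sysfs config space stop at 64 bytes.
        raise RuntimeError("config space read too short; run as root")
    return int.from_bytes(raw[HFSTS1_OFFSET:HFSTS1_OFFSET + 4], "little")


# Constructed sample values (not captured from real hardware): both have a
# "normal" working state, M0 operation state and firmware init complete;
# only the first has bit 4 (Manufacturing Mode) set.
SAMPLE_MFG_MODE_ON = 0x00000355
SAMPLE_MFG_MODE_OFF = 0x00000345


if __name__ == "__main__":
    try:
        hfsts1 = read_hfsts1()
    except (OSError, RuntimeError) as exc:
        raise SystemExit(f"cannot read HFSTS1: {exc}")
    fields = decode_hfsts1(hfsts1)
    print(f"HFSTS1 = 0x{hfsts1:08X}")
    for key, val in fields.items():
        print(f"  {key:18s} {val}")
    if fields["manufacturing_mode"]:
        print("WARNING: Intel ME Manufacturing Mode is enabled on this platform")
```

A positive result means the OEM never closed the mode; it does not by itself say whether the ME region is writable from the host, which is the other condition the downgrade attack above needs. Turning the mode off still requires the vendor's tooling.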
Intel "patches" the same errors in ME twice
In early July, Intel released two security advisories (SA-00112 and SA-00118) describing fixes in the Intel Management Engine firmware. Both bulletins describe errors that allow an attacker to execute arbitrary code on the internal PCH processor (Minute IA).
These errors are similar to the ones Positive Technologies specialists found in November 2017 (SA-00086). But the story did not end with that advisory: Intel subsequently had to release further fixes for vulnerabilities in ME.
CVE-2018-3627, described in SA-00118, is marked in the bulletin as a logic error (not a buffer overflow) that leads to arbitrary code execution. Exploiting it requires only local access, whereas the vulnerability discussed in SA-00086 could be exploited locally only if the OEM had made configuration errors. The absence of that condition makes the new vulnerability more dangerous.
In the case of CVE-2018-3628 (described in SA-00112), things are even worse. The vulnerability in the AMT process of the Management Engine leads to remote code execution, and the attacker does not need an AMT administrator account, unlike with CVE-2017-5712 from SA-00086.
Intel describes the error as "Buffer Overflow in HTTP Handler", which suggests remote code execution without authorization, the worst-case scenario that every user of Intel platforms fears. The practical exposure is narrower than the phrase suggests: the AMT HTTP listener only exists on systems where AMT has been provisioned, and Intel's advisory scopes the attack to an attacker on the same subnet.
There are ways to disclose ME encryption keys
Intel ME's "adventures" did not end there. In the autumn, the company had to fix yet another error in the subsystem, one that led to the disclosure of Intel ME encryption keys; it was discovered by Positive Technologies researchers Dmitry Sklyarov and Maxim Goryachiy.
The Intel ME subsystem uses MFS (presumably short for ME File System) for storage. The MFS security mechanisms make heavy use of cryptographic keys: Confidentiality keys ensure the secrecy of data stored in MFS, and Integrity keys are used for integrity checks. Data placed in MFS is divided by importance into two categories protected by different sets of keys, Intel keys for the most sensitive data and Non-Intel keys for the rest. Four keys are therefore in use: the Intel Integrity key, the Non-Intel Integrity key, the Intel Confidentiality key and the Non-Intel Confidentiality key.
Exploiting the vulnerability found earlier by Mark Yermolov and Maxim Goryachiy makes it possible to obtain all four keys and completely compromise the MFS security mechanisms. Intel released an update closing that vulnerability and increased the SVN (Security Version Number); this step was supposed to refresh all the keys and restore MFS security to its intended level. Obtaining the MFS keys for the updated ME firmware (with the new SVN value) should then have been impossible.
However, in 2018 Positive Technologies researchers discovered CVE-2018-3655, described in Intel advisory SA-00125. The essence of the problem is that the Non-Intel keys depend on the SVN value and on an immutable root secret of the subsystem, and that secret can be extracted with JTAG debugging, which in turn can be enabled through the earlier vulnerability. Knowing the root secret allows both Non-Intel keys to be computed, including the ones for the new firmware version.
An attacker can thus calculate the Non-Intel Integrity key and Non-Intel Confidentiality key for firmware with the updated SVN value, and therefore compromise the MFS security mechanisms that rely on those keys.
Not long ago, we published a detailed analysis of the CVE-2018-4251 vulnerability on a MacBook. At the HITB 2018 conference, Mark Ermolov and Maxim Goryachiy will explain how an attacker can exploit it. We will also discuss protection methods, for example using a specialized utility developed by our experts.