The last year has not been Intel's best from a PC security perspective. Positive Technologies recently announced that PCs built with Intel processors going back to 2015's Skylake chips could be exploited through the computers' USB ports thanks to vulnerabilities in the CPUs' Minix-based Management Engine (ME) subsystem. The blue silicon giant has now acknowledged the problems and announced the availability of patches for motherboard and system makers to integrate into future BIOS updates.
Intel's statement indicates that "an attacker could gain unauthorized access to platform, [the] Intel ME feature, and third-party secrets protected by the Intel Management Engine, Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE)." That access could let an attacker "load and execute arbitrary code outside the visibility of the user and operating system," impersonate the ME, SPS or TXE to gain access to user data, or simply crash a system.
The company says it has reviewed and updated its Management Engine (versions 11.0 to 11.20), Server Platform Services (SPS) version 4.0, and Trusted Execution Engine version 3.0 in order to improve "firmware resilience." The list of affected products includes:
- Sixth-, seventh-, and eighth-generation Intel Core Processor family
- Intel Xeon Processor E3-1200 v5 and v6 product family
- Intel Xeon Processor Scalable family
- Intel Xeon Processor W family
- Intel Atom C3000 Processor family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium
- Celeron N- and J-series Processors
End users will have to wait for motherboard and system makers to integrate Intel's updates into BIOS updates in order to protect their machines. Gigabyte has announced that it has begun the work of updating its motherboard BIOS software, starting with its Z370 and Z270 boards. We expect that updates from ASRock, Asus, MSI, and others will come shortly. Intel's statement on the matter has more specific information about the nature of the security flaws. The company also offers a tool for Windows and Linux that lets users determine whether their systems are vulnerable to these attacks.
This isn't the first time Intel's platform management features have given it headaches this year. Flaws in the company's Active Management Technology suite were discovered back in May. Security-focused laptop maker Purism eventually gained attention by offering its Librem series of laptops with Intel's Management Engine firmware disabled. A short time later, Google announced that it would also disable ME on its servers in an effort to prevent hackers from exploiting any flaws in the ME firmware.