Intel patches new vulnerabilities in its Management Engine

The last year has not been Intel's best from a PC security perspective. Positive Technologies recently announced that PCs built with Intel processors going back to 2015's Skylake chips could be exploited through the computers' USB ports thanks to vulnerabilities in the CPUs' Minix-based Management Engine (ME) subsystem. The blue silicon giant has now acknowledged the problems and announced the availability of patches for motherboard and system makers to integrate into future BIOS updates.

Intel's statement indicates that "an attacker could gain unauthorized access to platform, [the] Intel ME feature, and third-party secrets protected by the Intel Management Engine, Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE)." That access could let an attacker "load and execute arbitrary code outside the visibility of the user and operating system," impersonate the ME, SPS or TXE to gain access to user data, or simply crash a system.

The company says it has reviewed and updated its Management Engine (versions 11.0 to 11.20), Server Platform Services (SPS) version 4.0, and Trusted Execution Engine version 3.0 in order to improve "firmware resilience." The list of affected products includes:

  • Sixth-, seventh-, and eighth-generation Intel Core Processor family
  • Intel Xeon Processor E3-1200 v5 and v6 product family
  • Intel Xeon Processor Scalable family
  • Intel Xeon Processor W family
  • Intel Atom C3000 Processor family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N- and J-series Processors

End users will have to wait for motherboard and system makers to integrate Intel's updates into BIOS updates in order to protect their machines. Gigabyte has announced that it has begun the work of updating its motherboard BIOS software, starting with its Z370 and Z270 boards. We expect that updates from ASRock, Asus, MSI, and others will come shortly. Intel's statement on the matter has more specific information about the nature of the security flaws. The company has a tool for Windows and Linux for users to determine if their system is vulnerable to these attacks.

This isn't the first time Intel's platform management features have given it headaches this year. Flaws in the company's Active Management Technology suite were discovered back in May. Security-focused laptop maker Purism eventually gained attention by offering its Librem series of laptops with Intel's Management Engine firmware disabled. A short time later, Google announced that it would also disable ME on its servers in an effort to prevent hackers from exploiting any flaws in the ME firmware.

Comments closed
    • webkido13
    • 2 years ago

    Great, I just finished patching all firmware of our 700 Dell machines, that were affected by the previous INTEL-SA-00075 AMT vulnerability, last week. Now I get to start over again. At least my knowledge is fresh.

    • davidbowser
    • 2 years ago

    disclaimer – I work for Google. My opinions are my own.

    Firmware-level vulnerabilities are particularly tough because they are often seen by corporate IT Security Risk folks as low priority. The problem is that they are used in complex targeted attacks (spear phishing) where the initial attack vector is email or a browser vulnerability (Flash maybe) and then propagated inside a company through privileged user accounts’ access to things like virtualization software (and thus hardware). So even when the initial attack vector is found and closed, there is a REALLY good chance that the SecOps folks won’t start patching firmware, so they can persist for a long time.

    EDIT – disclaimer added

    • willmore
    • 2 years ago

    To be clear, the bug exists in earlier versions, but Intel won’t be fixing them as they’re not under active support anymore.

    • mcarson09
    • 2 years ago

    I thought this problem went beyond skylake because it was related to the ME on the motherboard? So do we have third-party confirmation this problem doesn’t affect haswell(-e -ex) and broadwell(-e -ex)?

      • bhtooefr
      • 2 years ago

      There’s two major generations of ME – the ARC/ThreadX-based one used from the late P4/early Core 2 era through Broadwell, and the Quark/MINIX-based one used from Skylake on.

      So, Broadwell and older are safe from these specific exploits, because they use a completely different platform for their ME.

      • IGTrading
      • 2 years ago

      I remember AMD’s “AMD – The Smarter Choice” stickers from 17 years ago 🙂 …

      When it comes to security, it clearly is the smarter choice.

        • maxxcool
        • 2 years ago

        since they have their own closed execution engine designed by humans… it will also have flaws.

    • The Egg
    • 2 years ago

    It’s a good thing each vendor only has 159 motherboard variants since Skylake. I’m sure they’ll be diligent about releasing a bug-free BIOS patch for each one.

    /s

      • Ummagumma
      • 2 years ago

      Some might be about as diligent as cellphone manufacturers in releasing these updates….

        • Shobai
        • 2 years ago

        I’m on Z170; I’d be interested to see some comparative analysis on the manufacturers’ responses to this and, say, the recent KRACK vulnerability in Android et al.

      • Wirko
      • 2 years ago

      159? That was yesterday.

      • Chrispy_
      • 2 years ago

      I liked it when boards were brown.

      If DFI were still around they’d be the champions. They went bust before the gaudy RGBLED tempered glass rainbow disco era really hit us, but man – they sure were trying hard to fill today’s demands 10 years ago.

        • bhtooefr
        • 2 years ago

        Oh but they *are* around still. Granted, you can’t run Coffee Lake on this, but you can run Kaby Lake: http://www.dfi.com/products/product.html?productId=10102

        Or if you’d prefer Micro-ATX: http://www.dfi.com/products/product.html?productId=10100

        • BurntMyBacon
        • 2 years ago

        I had a fantastic nForce3 250GB board from DFI. My first board with uncontested (not on the PCI bus) full speed links for gigabit ethernet. Good overclocking for the Athlon64 as well. Never ran into the nVidia storage controller issues that were supposed to be a problem.

        BTW, their boards are green now.

    • MetricT
    • 2 years ago

    Intel’s ME is borked, and AMD’s TrustZone likely has similar vulnerabilities/NSL-mandated backdoors.

    Anyone know if Raspberry Pi has a similar security processor?

      • Shobai
      • 2 years ago

      “RISC-V is the future”, etc?

      • maxxcool
      • 2 years ago

      *every* single self contained bios, firmware, execution engine, tpm, drive controller, gsync, trustzone etc.. has the same vulnerability.. coded by humans who keep refusing to use proper input validation.

      • IGTrading
      • 2 years ago

      Why would AMD be “likely” the same ?! 🙂

      If AMD’s TrustZone would have 11 glaring security flaws affecting 7 years worth of hardware generation, nobody would say “Intel is likely the same” .

        • chuckula
        • 2 years ago

        Actually you are right… AMD is not likely the same.

        Intel actually made its own firmware and Intel has full control to fix the firmware if there’s a bug.

        AMD doesn’t own or control Trustzone. There’s not a single AMD employee who either has the knowledge or even the legal authorization to fix problems in Trustzone since AMD licensed it as a black box from third parties.

        So yes, it’s true that unlike Intel, AMD literally can’t fix problems in its own products.

          • IGTrading
          • 2 years ago

          I’m not a security expert, but after more than 2 decades in hardware, I’m literally amazed how Intel’s infrastructure can be so bad.

          7 years worth of Intel hardware vulnerable to not one but 11 security flaws that were outed back in Spring 2017 and 6 months later they’re not fixed ?!?!

          Also, Intel asks us to pay over 8000 USD for a Xeon processor, but not only does AMD Epyc mop the floor with it, when it comes to security AMD Epyc comes with Secure Encrypted Memory and Secure Encrypted Virtualization.

          Intel’s Xeons won’t have even remotely similar features until 2019 or later.

          So, while I re-acknowledge the fact that I’m not a security expert, I am a hardware design expert and I can definitely say I wouldn’t recommend Xeon to any client that doesn’t have a task-load that works particularly well on Intel cores.

          Based on the new features of AMD Epyc, I can safely say it is much better protected than Intel’s Xeons. Maybe a security expert can add something more than me so that we all learn.

          If I’m wrong, I’ll happily take in the information about the better/safer solution and finish the day being smarter.

            • chuckula
            • 2 years ago

            “I’m not a security expert”

            See, if you had just stopped there then you might have pulled it out about how you aren’t just a transparent shill who copy-n-pastes the same crap to all the same tech websites.

            • IGTrading
            • 2 years ago

            That’s only because I do own what I know and I’m proud of my career and experience 🙂

            I don’t need to hide under different IDs on other forums. I’m me and that’s ok. 😉

            • Redocbew
            • 2 years ago

            “I’m me and that’s ok”

            Not really. Honestly, this makes your entire outfit suspect if this is really the best idea you all have on how to promote your own agenda.

      • willmore
      • 2 years ago

      Yes, it does. In the architecture of the Broadcom chip used in the Raspberry Pi boards, the VideoCore runs the show. It’s the true owner of the hardware. It boots first and configures everything. It later brings up the ARM core(s).

      All memory and I/O access is controlled by the VideoCore. The ARM core could be effectively blue-pilled by the VideoCore.

      There is an effort to make an open source replacement, but it’s meeting strong resistance from Broadcom. Most OSS advocates aren’t supporting it as there are better chips out there, so they see it as wasted effort. Why fix something that’s broken when there are plenty of non-broken things out there?

        • srg86
        • 2 years ago

        Why fix something that’s broken when there are plenty of non-broken things out there?

        Except most of those “non-broken” things out there are broken by GPUs that don’t have open source drivers, only proprietary blobs.

          • willmore
          • 2 years ago

          Just like the Broadcom chip–but they don’t have the crazy supervisor binary blob as well.

      • BurntMyBacon
      • 2 years ago

      MetricT wrote: “Intel’s ME is borked, and AMD’s TrustZone likely has similar vulnerabilities/NSL-mandated backdoors.”

      IME and TrustZone are different technologies that do NOT share a common ancestry. They have different feature sets (though, partially overlapping) to support different goals. There is no reason to believe that the presence of vulnerabilities in one has any effect on the probability of that vulnerability being present in the other.

      Intel owns and develops their own hardware and firmware for their management engine. Given that Intel is an American company, there exists the possibility of mandated backdoors by American three-letter agencies. I’ll let you decide what likelihood or criticality to assign this.

      TrustZone is ARM IP and not AMD’s to modify. ARM was a British multinational company (relevant because that is the state it was in when AMD licensed the technology) that is now owned by SoftBank (Japanese). I don’t see American three-letter agencies having as much pull here. Though that doesn’t preclude the possibility of some other country’s agencies mandating some backdoor, it is unlikely that both American and non-American agencies would settle on the same methods.

    • DancinJack
    • 2 years ago

    My Asus Maximus Gene VIII has already been updated. Props to Asus.

      • MOSFET
      • 2 years ago

      Same here with ROG Strix Z270G. “ME Update tool Intel has identified security issue that could potentially place impacted platform at risk. Use ME Update tool to update your ME. *We suggest you update ME Driver to the latest Version 11.7.0.1040 simultaneously.”

      Also noticed, while there, that Prime X370 Pro (AM4) has taken a huge leap from UEFI 1002 to 3203 with the note “Update to AGESA 1071 for new upcoming processors.”

        • Shobai
        • 2 years ago

        Most likely the desktop APUs, I suppose – I don’t think anyone’s expecting Zen Refresh until February (which is in stark contrast to the Spanish Inquisition, FWIW).

    • TheRazorsEdge
    • 2 years ago

    Too bad there is no clear, simple method for regular users to disable this “feature”.

    Most of it is either useless or could be emulated at the EFI level instead.

    I understand that OOB management features are essential for enterprise, but even then they may opt out in favor of security.

      • chuckula
      • 2 years ago

      Bear in mind that none of these bugs are remote access bugs, which are generally more serious. These bugs require you to have physical access to the machine to do bad things (typically via rogue USB devices).

      It’s still bad, but as I can tell you from the old BIOS based machines I’m retiring right now, having physical access lets you do pretty much anything you want without needing the management engine.

        • K-L-Waster
        • 2 years ago

        Largely true, but…

        It’s easier to surreptitiously slip an infected thumbdrive on a system while you’re in the building of your target than it is to fire up the BIOS and make direct changes. Yes you need physical access, but you don’t need quality private time.

          • Ummagumma
          • 2 years ago

          The infected thumbdrive method also works on uranium isotope centrifuges…..

        • kn00tcn
        • 2 years ago

        5712 says “with remote Admin access to the system”

          • willmore
          • 2 years ago

          Given that there were plenty of flaws in the earlier version of the IME remote management authentication, this leverages that to make a much worse vulnerability.

      • Chrispy_
      • 2 years ago

      Speaking as an enterprise admin whose job is to manage security, “yes, I opt out and always have done”.

      The chaps that have been protesting that Intel’s ME is vulnerable since May were at a security presentation I attended a couple of months ago. They’re based on Chiswick road, London W6 so although I don’t know them personally, they’re in spitting distance and at some of the same events I go to.

      I think I heard about this a couple of months ago and I’ve been waiting for this **** to hit the fan since then. I guess Chipzilla didn’t want to admit their fault until they had a working patch ready to roll out….

        • IGTrading
        • 2 years ago

        AMD Epyc comes with Secure Encrypted Memory and Secure Encrypted Virtualization .

        This is all good, but the more interesting part is that Intel’s Xeon won’t sport such features until at least 2019.

          • Kurlon
          • 2 years ago

          And neither of those will protect you from a Trustzone / ME style compromise.

            • chuckula
            • 2 years ago

            He saw the word “encrypted” and assumed that Encrypted == Magically Secure.

            • IGTrading
            • 2 years ago

            If it’s compromised. If 🙂

            I find it similar to a psychiatric condition when people, instead of talking about Intel’s flawed hardware/software security, suddenly start bashing AMD, which had no place in the discussion anyway and was not proven to have security flaws.

            • srg86
            • 2 years ago

            The worlds biggest if.

            • K-L-Waster
            • 2 years ago

            Uhh, everyone *was* talking about Intel’s security flaw until *you* brought AMD into the discussion….

      • helix
      • 2 years ago

      No, but there are people working on disabling as much as possible. Here is a talk about it:
      https://www.youtube.com/watch?v=iffTJ1vPCSo&list=PLbzoR-pLrL6pISWAq-1cXP4_UZAyRtesk
