As we’re waiting for security researchers to detail the Intel Management Engine vulnerability that can allow attackers to run undetectable, unsigned code on machines with Intel processors, the US-based chip maker has announced the release of firmware that plugs a number of potentially critical flaws in Intel Management Engine (ME), Intel Trusted Execution Engine (TXE), and Intel Server Platform Services (SPS).
What is Intel ME, TXE and SPS?
Intel Management Engine (ME) is a subsystem in many of Intel’s computer processors. It is a computer within the computer that runs independently of the computer processor, and performs tasks during boot-up, while the computer is running, and while it’s asleep.
It is meant to be used by network administrators to remotely log into servers and workstation to service them (troubleshoot problems, fix errors, etc.).
It has a CPU (x86 Quark core) and operating system (MINIX), and anything it does is not controlled by the computer’s OS, antivirus and other security solutions.
“Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform,” Positive Technologies researchers Mark Ermolov, and Maxim Goryachy recently explained.
It is considered by some security professionals to be a backdoor into the system, but until recently, it was difficult for researchers to analyze its firmware and the various executable modules that like remote out-of-band management of personal computers (Active Management Technology), and easy creation of secure cryptographic keys, and so on.
But Intel’s switch of ME to new hardware and software finally allowed them to “bring to bear all the power of binary code analysis tools” to effect firmware analysis. This is also how they found an way to disable Intel ME.
Gaining control of the ME can allow attackers to install rootkits and spyware that can secretly steal information, change files, snoop on users, and more.
By the by, Embedi researchers recently revealed the existence of an authentication error that could allow attackers to log into and administer the Active Management Technology software suite running on ME by simply entering nothing in the password field. Intel has aready plugged that hole.
Intel Trusted Execution Engine (TXE) is hardware authenticity technology that attests the authenticity of a platform and its operating system, that the OS starts in a trusted environment, and provides it with additional security capabilities.
Intel Server Platform Services (SPS) is based on ME, and allows administrators to remotely configure Intel-powered servers over the network.
The increased interest that security researchers have shown in Intel Management Engine and the number of issues they have identified and reported to the company have spurred Intel to do a comprehensive security review of the aforementioned technologies.
They’ve identified a number of flaws in each of them. Most are exploitable only by attackers with local access to vulnerable systems, but one (CVE-2017-5712) can be exploited remotely, by attackers with admin access to the system, to execute arbitrary code with AMT execution privilege.
An attacker who has managed to gain this kind of access could “impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity, load and execute arbitrary code outside the visibility of the user and operating system, and cause a system crash or system instability.”
What to do?
“Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted,” Intel shared, and released a tool for system admins and owners to analyze their systems for these vulnerabilities.
The company has also provided new firmware versions that fix these flaws to the various manufacturers who use the company’s chips in their offerings. It’s on users to contact the manufacturer of their computer(s) to get the final firmware update, signed by the manufacturers.
For now, only Lenovo has already delivered the updates.