Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions

Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.

local only though...

I do not like the ME, but at least this is local acess exploit only:

would allow an attacker with local access to execute arbitrary code.

To be fair, a local attacker can pretty much always gain access to your system, ME or no ME. A simple HW keylogger is ample and most people would never notice.

So you HAVE to keep your hardware secure if you want the data ot be secure. That is still true with the ME. I will be much more worried if there is a remote exploit.

Re:local only though...

If you have a server running public services. Web server, mail server, FTP server, etc. then everyone on the public Internet has some level of "local" access. That's just the way it works. Think about it.

Re:local only though...

[cfalcon]

> I do not like the ME, but at least this is local acess exploit only

It's still fucked up.

The previous ME flaw involved gaining remote access illegitimately. This one involves being able to inject stuff into the super ultra privileged secret area that operating systems can't see or guard against once you have that access. And there's NO REASON to believe that this is the final bug that exists. So far it looks like chained vulns from internet down to a run level that the chip prevents the kernel from seeing.

Re:Going out on a limb here....

[AmiMoJo]

Unfortunately you can't disable the ME. It's needed for the CPU to start up from cold. It manages the cold boot process. The best you can do is disable it after the initial boot up, but you have to trust that setting the disable flag really did what it claims to.

You can also erase all the firmware modules not related to the early boot process, but again you have to trust that the ME is lying when it says they are gone.

Re:What about older CPUs?

[networkBoy]

Actually on ME9 Intel changed the kernel. In ME6 they changed the platform layout.

* ME < 6: GMCH northbridge and southbridge. ME lived in the GMCH and had full access to RAM even in S5 (off) system state. Kernel is based on ThreadX. CPU is ARM core.
* ME 6-8, same kernel, but moved to PCH (formerly southbridge) and the CPU gined the GM part of GMCH. Northbridge removed from platforms. ME loses access to RAM in all states besides S0 (on) and has to make do with PRAM on PCH.
* ME9+: ME now runs on Minix and Quark CPU. Vulnerabilities become an issue.
* ME10: internal struggle for dominance between kernel and AMT teams (based in US and Israel respectively) leads to departures. (including mine)
* ME11 (12?): US team is disbanded.

Re:Is Intel the only one with such a thing?

[infolation]

Have other chipmakers clearly and unambiguously said their chips do not have a back door mechanism?

Yes, IBM's Power series of CPUs are fully open without any equivalent of the Management Engine.