Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions (zdnet.com)

Posted by msmash on from the security-woes dept.

Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.

19 of 207 comments (clear)

  1. Further proof by WoodstockJeff · · Score: 5, Insightful

    of how well "security by obscurity" works.

    1. Re:Further proof by zifn4b · · Score: 5, Insightful

      It works just fine until some fucking idiot blabs

      It's your thinking that is "fucking idiocy". It doesn't require someone to "blab", it requires a savvy hacker to discover it and that's precisely why you shouldn't do it because it's not good security practice.

      --
      We'll make great pets
    2. Re:Further proof by DontBeAMoran · · Score: 4, Funny

      My house lacking a fucking door worked fine until some jackass thief noticed the lack of door.

      --
      #DeleteFacebook
    3. Re: Further proof by DontBeAMoran · · Score: 4, Insightful

      When most people say "Security by obscurity" they mean "there's no door in the fucking doorway", not "there's a lock that can be picked on the door in the fucking doorway".

      --
      #DeleteFacebook
    4. Re:Further proof by Aaden42 · · Score: 4, Insightful

      The only people who think they're idiots for blabbing are the hackers and governments (what's the difference again? I keep forgetting.) who have been exploiting these bugs/back doors to their own gain. Just because you're just hearing about the bugs doesn't mean they haven't been known and used by others for years.

    5. Re: Further proof by gweihir · · Score: 3, Insightful

      Credentials, crypto-keys, etc. are explicitly _not_ "security by obscurity". You just demonstrated extreme incompetence.

      Look up "Kerckhoffs's principle" some time to at least get a minimal clue.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re: Further proof by Ashtead · · Score: 3, Insightful

      This ME thing is like a door on the back of the house. It is painted so as to not be easy to tell apart from the wall, but it is not impossible to discover. And it even has a lock, with a key that has a funny and strange shape.

      And this backdoor is present on every house on the street. And although the key is of an obscure and not readily available design, it is the same one for all these houses. So once you find out how to open up one of these doors, opening any of the others on all the neighbors' houses from the same manufacturer iis easy, with the knowledge of the design of this key.

      Some other houses may have been made by a different manufacturer. Some of these have similar doors with a different key that works on all of them, in much the same way. Then there are still a number of houses that are either too old, or made by a manufacturer that doesn't include this back door.

      Point is, once the presence and nature of the back-door and its lock are known, the house is wide open, and security by obscurity has failed.

      --
      SIGBUS @ NO-07.308
    7. Re:Further proof by Groo+Wanderer · · Score: 5, Informative

      As the one who outed the 10+ year AMT bug a few months ago, Intel's ''security' policy is a joke. No it is worse than that, it is willfully malign. They know how to do the right thing but they refuse to do so for whatever reason. I have been begging them for quite literally years not to be abjectly stupid on TXT and ME security issues but they just get worse. You are seeing the tip of the iceberg, wait for the hardware issues you can't patch to be found....

                    -Charlie

    8. Re:Further proof by MangoCats · · Score: 3, Insightful

      But, are you privy to the government deals which have been brokered to leave these flaws in the mass market chips?

      Oftentimes, willfully malign is a signpost for covertly compensated.

  2. ugh... by Anonymous Coward · · Score: 4, Funny

    I want my C64 back. I want hardware I can understand and software I can control. Fuck this modern bloated 4 gigabyte web browser tab horseshit with thousands of people mashing their keyboards randomly and millions more observing my private data.

  3. Going out on a limb here.... by Luthair · · Score: 3, Insightful

    Going out on a limb here.... while Intel claims the problems affect the 6th, 7th, and 8th gen processors, I bet they probably didn't bother testing or auditing earlier systems. Hasn't ME been around much longer than that?

    Really, this ought to be factory disabled by OEMs and only shipped enabled to large corporate customers.

    1. Re:Going out on a limb here.... by AmiMoJo · · Score: 5, Interesting

      Unfortunately you can't disable the ME. It's needed for the CPU to start up from cold. It manages the cold boot process. The best you can do is disable it after the initial boot up, but you have to trust that setting the disable flag really did what it claims to.

      You can also erase all the firmware modules not related to the early boot process, but again you have to trust that the ME is lying when it says they are gone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Going out on a limb here.... by thegarbz · · Score: 3, Informative

      Yes. Everything after about 2006 does to varying extent.

  4. Let me guess... by jonr · · Score: 3, Insightful

    ...and very difficult to patch?

  5. Re:What about older CPUs? by networkBoy · · Score: 5, Interesting

    Actually on ME9 Intel changed the kernel. In ME6 they changed the platform layout.

    * ME < 6: GMCH northbridge and southbridge. ME lived in the GMCH and had full access to RAM even in S5 (off) system state. Kernel is based on ThreadX. CPU is ARM core.
    * ME 6-8, same kernel, but moved to PCH (formerly southbridge) and the CPU gined the GM part of GMCH. Northbridge removed from platforms. ME loses access to RAM in all states besides S0 (on) and has to make do with PRAM on PCH.
    * ME9+: ME now runs on Minix and Quark CPU. Vulnerabilities become an issue.
    * ME10: internal struggle for dominance between kernel and AMT teams (based in US and Israel respectively) leads to departures. (including mine)
    * ME11 (12?): US team is disbanded.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  6. Re:local only though... by cfalcon · · Score: 3, Interesting

    > I do not like the ME, but at least this is local acess exploit only

    It's still fucked up.

    The previous ME flaw involved gaining remote access illegitimately. This one involves being able to inject stuff into the super ultra privileged secret area that operating systems can't see or guard against once you have that access. And there's NO REASON to believe that this is the final bug that exists. So far it looks like chained vulns from internet down to a run level that the chip prevents the kernel from seeing.

  7. Re:local only though... by Groo+Wanderer · · Score: 3, Informative

    There have been remote attacks capable of provisioning AMT in the wild. Intel conveniently does not acknowledged them in their NDA documents about security for some reason, can calls users with AMT turned off 'safe'. Take from that what you will about their priorities when it comes to customer's security.

  8. Re:Is Intel the only one with such a thing? by infolation · · Score: 4, Interesting

    Have other chipmakers clearly and unambiguously said their chips do not have a back door mechanism?

    Yes, IBM's Power series of CPUs are fully open without any equivalent of the Management Engine.

  9. Re:Is Intel the only one with such a thing? by Groo+Wanderer · · Score: 5, Informative

    Intel can't say their chips don't have a back door. They also haven't said their chips don't have a back door so at least they are honest.

    AMD is working on greater disclosure and I am prodding them as hard as I can. Internally they seem to be doing the right things, or at least trying to.

    ARM has their full code base published on Github. This doesn't prevent licensees from using something else, adding nefarious things etc, but I can almost guarantee most don't. You can always checksum the code if you want.

    As an aside, AMD's PSP is based on ARM's stuff which is completely open source. I am fairly sure that the majority of AMD's code in this area is unchanged from the vanilla ARM version so you could consider AMD's partially open.

            -Charlie