Intel: We've Found Severe Bugs in Secretive Management Engine, Affecting Millions

Liam Tung, writing for ZDNet: Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code. The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.

Further proof

[WoodstockJeff]

of how well "security by obscurity" works.

Re:Further proof

[zifn4b]

It works just fine until some fucking idiot blabs

It's your thinking that is "fucking idiocy". It doesn't require someone to "blab", it requires a savvy hacker to discover it and that's precisely why you shouldn't do it because it's not good security practice.

Re:Further proof

[Groo+Wanderer]

As the one who outed the 10+ year AMT bug a few months ago, Intel's ''security' policy is a joke. No it is worse than that, it is willfully malign. They know how to do the right thing but they refuse to do so for whatever reason. I have been begging them for quite literally years not to be abjectly stupid on TXT and ME security issues but they just get worse. You are seeing the tip of the iceberg, wait for the hardware issues you can't patch to be found....

              -Charlie

Re:Going out on a limb here....

[AmiMoJo]

Unfortunately you can't disable the ME. It's needed for the CPU to start up from cold. It manages the cold boot process. The best you can do is disable it after the initial boot up, but you have to trust that setting the disable flag really did what it claims to.

You can also erase all the firmware modules not related to the early boot process, but again you have to trust that the ME is lying when it says they are gone.

Re:What about older CPUs?

[networkBoy]

Actually on ME9 Intel changed the kernel. In ME6 they changed the platform layout.

* ME < 6: GMCH northbridge and southbridge. ME lived in the GMCH and had full access to RAM even in S5 (off) system state. Kernel is based on ThreadX. CPU is ARM core.
* ME 6-8, same kernel, but moved to PCH (formerly southbridge) and the CPU gined the GM part of GMCH. Northbridge removed from platforms. ME loses access to RAM in all states besides S0 (on) and has to make do with PRAM on PCH.
* ME9+: ME now runs on Minix and Quark CPU. Vulnerabilities become an issue.
* ME10: internal struggle for dominance between kernel and AMT teams (based in US and Israel respectively) leads to departures. (including mine)
* ME11 (12?): US team is disbanded.

Re:Is Intel the only one with such a thing?

[Groo+Wanderer]

Intel can't say their chips don't have a back door. They also haven't said their chips don't have a back door so at least they are honest.

AMD is working on greater disclosure and I am prodding them as hard as I can. Internally they seem to be doing the right things, or at least trying to.

ARM has their full code base published on Github. This doesn't prevent licensees from using something else, adding nefarious things etc, but I can almost guarantee most don't. You can always checksum the code if you want.

As an aside, AMD's PSP is based on ARM's stuff which is completely open source. I am fairly sure that the majority of AMD's code in this area is unchanged from the vanilla ARM version so you could consider AMD's partially open.

        -Charlie