Intel Patches Management Engine for Critical Vulnerabilities

Security researchers discover flaws in Intel's Management Engine that could enable attackers to run unsigned code.

Vulnerabilities

Intel issued a critical firmware update on Nov. 20 for a set of eight vulnerabilities that impact the Intel Management Engine firmware.

"In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience," Intel stated in an advisory.

The flaws were reported to Intel by security researchers Mark Ermolov and Maxim Goryachy from Positive Technologies. The two researchers plan to provide full details of the Intel ME flaws in a talk on Dec. 6 at the Black Hat Europe security conference. The researchers said they found a vulnerability in a subsystem of Intel ME versions 11 and higher.

"It allows an attacker of the machine to run unsigned code in PCH (Platform Controller Hub) on any motherboard via Skylake+," the Black Hat talk abstract states. "The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS."

The flaws impact Intel ME and the associated Intel Trusted Execution Engine (TXE) and Intel Server Platform Services (SPS). Those systems are all embedded firmware provided by Intel to help provide management and code integrity for running Intel-powered hardware.

"Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals," the Black Hat Europe abstract stated. "The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely."

The eight vulnerabilities (CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711 and CVE-2017-5712) include buffer overflow and privilege escalation flaws. To help impacted users detect if they are at risk from the vulnerabilities, Intel has released a detection tool.

This isn't the first time this year that Intel is patching its remote management technologies for security flaws. On May 1, Intel issued a critical security advisory for privilege escalation flaws impacting its Intel Active Management Technology (AMT), Intel Standard Manageability and Intel Small Business Technology management technologies.

Bob Rudis, chief data scientist at security firm Rapid7, said he was surprised by the timing of the new Intel ME vulnerability disclosure, given that this is a significant holiday week for much of the Fortune 5000 and beyond.

"Lenovo releasing firmware updates two weeks ago and the official Intel update today means that many organizations may have to pull folks away from vacations to triage and/or patch," Rudis told eWEEK. "Organizations that do nothing may be giving attackers free rein over their networks during the downtime."

Currently, the Intel ME vulnerabilities are not being actively exploited, but Rudis expects that to change in the coming days and weeks. He noted that Rapid7's Heisenberg Cloud honeypot sensor network has already detected researcher and non-researcher opportunistic scans for open Intel management ports on the internet.

"It is vital that organizations of all shapes and sizes identify and inventory vulnerable systems, work with their vendors on when they can expect patches, and then develop mitigation and patch strategies as soon as possible," Rudis said. "Any organization that does not have an isolated, segmented management network for Intel ME/AMT access should make designing such an environment a high priority, especially if they cannot patch quickly."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.