Major Intel ME Firmware Flaw Allows Attackers to Get ‘God Mode’ on a Vulnerable Machine
In a recent presentation at Black Hat Europe in London, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy revealed how a buffer overflow they discovered in the firmware of Intel’s secretive Management Engine 11 can be exploited by sophisticated attackers to gain unauthorized access to ME functionality even when it’s turned ‘off.’
Although the chipmaker released a firmware update last month that likely fixed the problems, the researchers claim that the vendor patches for the vulnerability may not be enough to fix them permanently.
For those unaware, the Intel Management Engine (ME), which resides in the Platform Controller Hub, is a coprocessor that powers the company’s remote administrative features and has its own OS, MINIX 3, a Unix-like operating system. Designed to monitor your computer, it has access to almost all of the data and processes of the main system.
Last month, four vulnerabilities were discovered by Ermolov and Goryachy from Positive Technologies that affected Intel ME firmware versions 11.0 through 11.20. Two were found in earlier versions of ME, as well as two in Server Platform Services (SPS) version 4.0 firmware and two in Trusted Execution Engine (TXE) version 3.0.
According to the researchers, an attacker would need physical, local access to a victim’s machine to carry out the hack, which would give him or her so-called “God mode” control over the system and the ability to run arbitrary code on affected hardware that wouldn’t be visible to the user or the main operating system.
Following warnings from security researchers, the chipmaker completed a security audit to identify and explore potential vulnerabilities affecting the ME. In an accompanying advisory to its users on November 20, Intel said: “In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of the following with the objective of enhancing firmware resilience:
- Intel Management Engine (Intel ME);
- Intel Trusted Execution Engine (Intel TXE);
- Intel Server Platform Services (SPS).
“Intel has identified security vulnerabilities that could potentially impact certain PCs, servers, and IoT platforms. Systems using Intel ME Firmware versions 11.0.0 through 11.7.0, SPS Firmware version 4.0, and TXE version 3.0 are impacted.
“To determine if the identified vulnerabilities impact your system, download and run the Intel-SA-00086 Detection tool. Contact your system manufacturer to obtain updates for impacted systems.”
Although Positive Technologies researchers helped Intel patch these flaws, Ermolov and Goryachy argue that the fix doesn’t prevent an attacker from exploiting other flaws that Intel also patched in the recent ME update, as an attacker would just need to “convert a machine to a vulnerable version of Management Engine” to be able to exploit the bugs. These include buffer overflows in the ME kernel (CVE-2017-5705), the Intel SPS Firmware kernel (CVE-2017-5706), and the Intel TXE Firmware kernel (CVE-2017-5707) that have plagued Intel ME 11 systems since 2015, reports Dark Reading.
The researchers found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, regardless of its having been turned off or being protected by security software.
“If an attacker has write access to the Management Engine region, they can downgrade to an older, vulnerable version of Management Engine and exploit a vulnerability that way,” Goryachy told Dark Reading.
“Unfortunately, it’s not possible to completely defend against this [buffer overflow] flaw” in the Intel ME, he says.
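Because the researchers' argument rests on firmware being rolled back to an older build, one defensive check is to compare ME firmware versions across inventory snapshots and flag any machine whose version went backwards. The sketch below is an added example, not code from Intel or Positive Technologies; hostnames and version strings are constructed, and the range constant is the ME range as worded in the advisory quoted above.

```python
# Added example. Hostnames and version strings are constructed sample data.
# ME range as worded in the advisory text quoted in this article (an assumption
# of this example; consult Intel-SA-00086 itself for the authoritative list).
QUOTED_LOW, QUOTED_HIGH = (11, 0, 0), (11, 7, 0)


def parse(version):
    """'11.8.0.1000' -> (11, 8, 0, 1000); None if not dotted integers."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(previous, current):
    """Compare two {host: me_version} snapshots and return {host: [flags]}."""
    report = {}
    for host, now in current.items():
        new = parse(now)
        if new is None:
            report[host] = ["UNPARSABLE"]  # cannot be assessed, needs a manual look
            continue
        flags = []
        old = parse(previous.get(host, ""))  # None when the host has no baseline
        if old is not None and new < old:
            flags.append("DOWNGRADED")  # firmware version went backwards
        if QUOTED_LOW <= new[:3] <= QUOTED_HIGH:
            flags.append("IN_QUOTED_RANGE")
        report[host] = flags
    return report


# Constructed snapshots: last audit vs. today.
PREVIOUS = {"ws-01": "11.8.0.1000", "ws-02": "11.8.0.1000", "srv-01": "11.6.0.2000"}
CURRENT = {"ws-01": "11.8.0.1000", "ws-02": "11.6.0.2000",
           "srv-01": "11.6.0.2000", "ws-03": "unknown"}

if __name__ == "__main__":
    for host, flags in sorted(triage(PREVIOUS, CURRENT).items()):
        print(host, CURRENT[host], ",".join(flags) or "ok")
```

A host flagged `DOWNGRADED` deserves attention even when its earlier version was patched, since a rollback is exactly the step the researchers say reopens the fixed bugs.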
Although the vulnerabilities do require local access to an affected machine or the credentials to access it, they do raise concerns regarding the possibility of remote attacks. Researchers warned that “given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable. Such a problem is very hard to resolve – requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.”
When questioned whether Intel has any plans to change the way its Management Engine works or to offer chips without the ME, a company spokesperson recommended that such requests should be directed to hardware vendors.
“The Management Engine (ME) provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management,” the spokesperson said.
“System owners with specialized requirements should contact the equipment manufacturers for this type of request. However, since any such configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.”