Security researchers have raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.
On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they’re exposed.
The Management Engine is an independent subsystem that lives in a separate microprocessor on Intel chipsets; it exists to allow administrators to control devices remotely for all types of functions, from applying updates to troubleshooting. And since it has extensive access to and control over the main system processors, flaws in the ME give attackers a powerful jumping-off point. Some have even called the ME an unnecessary security hazard.
Intel specifically undertook what spokesperson Agnes Kwan called a “proactive, extensive, rigorous evaluation of the product,” in light of findings that Russian firmware researchers Maxim Goryachy and Mark Ermolov will present at Black Hat Europe next month. Their work shows an exploit that can run unsigned, unverified code on newer Intel chipsets, gaining more and more control using the ME as an unchecked launch point. The researchers also play with a sinister property of the ME: It can run even when a computer is “off” (just so long as the device is plugged in), because it is on a separate microprocessor, and essentially acts as a totally separate computer.
As with previous ME bugs, nearly every recent Intel chip is impacted, affecting servers, PCs, and IoT devices. Compounding the issue: Intel can provide updates to manufacturers, but customers need to wait for hardware companies to actually push the fixes out. Intel’s maintaining a running list of available firmware updates, but so far only Lenovo has offered one up.
Intel has confirmed that those worst-case fears may be possible.
“These updates are available now,” Intel said in a statement to WIRED. “Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible.” In many cases, it could be a while before that fix becomes available.
The newly disclosed vulnerabilities can cause instability or system crashes. They can be used to impersonate the ME, Server Platform Services, and Trusted Execution Engine to erode security verifications. And Intel says they can even be used to “load and execute arbitrary code outside the visibility of the user and operating system.” This is the crucial danger of the ME. If exploited, it can operate totally separate from the main computer, meaning that many ME attacks wouldn’t raise red flags.
Still, the true impact of current ME vulnerability isn’t clear, given the relatively limited amount of information Intel has released.
“This looks bad, but we don’t yet know how easy it will be to exploit these vulnerabilities,” says Filippo Valsorda, a cryptography engineer and researcher. “It’s a really wide range of machines that are impacted, not just servers. Intel seems worried enough to publish detection tools and do a well-orchestrated release.”
The good news is that most of the vulnerabilities require local access to exploit; someone has to have hands on a device or deep in a network. Intel does note, though, that some of the new wave of vulnerabilities can be exploited remotely if an attacker has administrative privileges. And some of the bugs also potentially allow for privilege escalation, which could make it possible to start with a standard user status and work up to higher network access.
“Based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal,” Matthew Garrett, a Google security researcher, wrote on Twitter when the vulnerabilities were first announced. But he quickly added that, “on reflection I don’t see many outcomes where this is fairly harmless.”
It will take time for the full impact of these ME bugs to come into view, but for researchers who have warned about the dangers of ME for years, Intel’s fixes now are cold comfort.