Thanks to an investigation by third-party researchers into Intel’s hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers.
The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS).
Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code.
The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public.
Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.
Goryachy and Ermolov will present their research on an ME flaw at Black Hat in December, detailing how an attacker can run unsigned code on the ME microprocessor and remain invisible to the main CPU and any anti-malware software.
ME runs on its own microprocessor and, as a Google engineer recently revealed, a modified version of the MINIX operating system.
Google was so concerned about UEFI and Intel ME that it created NERF, or the Non-Extensible Reduced Firmware, which it uses to manage Chromebooks. NERF runs on a Linux kernel rather than MINIX, removes ME’s web server and IP stack and key UEFI drivers, and neuters the ability of ME and UEFI to self-reflash the firmware.
ME supports Intel’s Active Management Technology (AMT), which allows admins to remotely manage and fix devices.
A flaw discovered this May in AMT, which affected chips from 2008, highlighted another problem: patching it required an ME firmware update on machines that hardware vendors had stopped supporting. Only enterprise machines with vPro were affected, but the bug prompted EFF’s demands for Intel to provide a way to disable ME.
Similarly, patching machines will depend on OEMs pushing Intel’s fixes to devices. So far, Intel only lists Lenovo as having fixes available.
To help users address the current batch of bugs, Intel has released a detection tool for Windows and Linux systems, which displays a risk assessment of the system. Intel says the bugs may affect PCs, servers, and IoT platforms.
The bugs affect systems using Intel’s 6th, 7th, and 8th Generation Core CPUs, a range of Xeon processors, as well as the Apollo Lake Atom E3900 series, Apollo Lake Pentium, and Celeron N and J series chips.
Intel says the flaws would allow an attacker to “Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity”.
The attacker could also load and execute arbitrary code that would be invisible to the user and operating system.
The highest-severity issue was the flaw discovered by Goryachy and Ermolov, which concerned multiple buffer overflows in the ME’s kernel. Intel’s audit found several other high-severity buffer overflows in AMT within the ME firmware, in TXE, and in SPS.
One of the flaws it found would allow a remote attacker to execute arbitrary code if they had Admin access.