Intel ME vulnerability allows unsigned code execution

Positive Technologies researchers Mark Yermolov and Maxim Goryachy discovered a serious vulnerability in the Intel ME technology, with which attackers can execute unsigned code on the target machine. This leads to a complete compromise of the platform.

What is the problem

The Intel Management Engine is a closed technology that is a microcontroller integrated into the Platform Controller Hub (PCH) chip with a set of embedded peripherals. Almost all communication between the processor and external devices takes place through PCH, so Intel ME has access to almost all data on the computer. Consequently, the ability to execute third-party code allows you to completely compromise the platform.
')
Intel ME technology has been interested in researchers for quite some time, but lately even more attention has been riveted on it. One of the reasons for this is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. Using the x86 platform allows you to use the full power of binary code analysis tools.

Unfortunately, such a large-scale processing was not without errors. When studying a new subsystem in the Intel ME 11+ version, Positive Technologies researchers discovered a vulnerability that allows the execution of unsigned code inside PCH on any motherboard for processors of the Skylake family and above. In this case, the main system may remain operational, so the user may be unaware that spyware is running on his computer, resistant to reinstalling the OS and updating the BIOS. The ability to execute your own ME code opens up unlimited possibilities for researchers, since this allows at least to investigate the system over time.

What's next

Positive Technologies experts Mark Yermolov and Maxim Goryachy will talk about how to find and exploit the vulnerability, as well as circumvent the built-in protection mechanisms, during their presentation at the Black Hat Europe conference , which will be held in London from 4 to 7 December.

Previously, researchers published in our blog on Habré article on how to disable Intel ME 11 using undocumented mode .

In addition, on Thursday, October 5, at 14:00, the authors of the study will hold a free webinar, which will tell about the internal structure and features of Intel ME, minimize the risks of possible errors in its work, and describe in detail how they managed to detect the mode that disables main functions of this subsystem. The webinar will be of interest to developers of embedded systems, system programmers and information security specialists.

To participate in the webinar you need to register .