
Intel has published a security bulletin announcing the release of a patch for a vulnerability in the Intel ME subsystem, which was discovered by Positive Technologies experts Mark Yermolov and Maxim Goryachiy. Intel has also published a special tool that helps Windows and Linux system administrators find out whether their hardware is vulnerable.
The Intel Management Engine is a closed technology: a microcontroller integrated into the Platform Controller Hub (PCH) chip, with a set of embedded peripherals. Almost all communication between the processor and external devices goes through the PCH, so Intel ME has access to almost all data on the computer. The researchers found an error that allows unsigned code to be executed inside the PCH on any motherboard for processors of the Skylake family and later.
For example, attackers could use this security bug against computers with a vulnerable version of Intel ME and potentially install implants (for example, spyware) in the Intel ME code that most traditional security tools will not detect. This is because the implant would run on a separate chip rather than on the CPU, where most operating systems and traditional security tools run.
The main system may remain fully operational, so the user may be unaware that spyware is running on the computer, and that spyware would survive both reinstalling the OS and updating the BIOS.
The Intel Security Bulletin provides a complete list of vulnerable processors:
- Intel Core generations 6, 7 and 8;
- Intel Xeon E3-1200 v5 and v6;
- Intel Xeon Scalable;
- Intel Xeon W;
- Intel Atom C3000;
- Apollo Lake Intel Atom E3900;
- Apollo Lake Intel Pentium;
- Celeron N and J chips.
As Maxim Goryachiy explained, “the Intel ME module is the main component of a huge number of devices around the world. That is why we found it necessary to assess the degree of its security. This module sits deep under the OS and allows you to see a vast range of data. An attacker can use this privileged level of access to conduct attacks that are hidden from the attention of traditional methods of protection, such as antivirus software. Our close collaboration with Intel focused on responsible disclosure, and Intel took preventive measures and developed a tool to determine if the system is vulnerable. This is described in detail on the Intel website.”
Positive Technologies experts will present the details of the vulnerability in Intel ME at the Black Hat Europe conference, which will be held in London from December 4 to 7. At the Chaos Communication Congress (34C3), which will be held in late December in Leipzig, Germany, the researchers will also talk about how they managed to activate hardware debugging (JTAG) for the Intel Management Engine, which gives full access to all Platform Controller Hub (PCH) devices.
During a Positive Technologies webinar, Mark Yermolov and Maxim Goryachiy spoke about the internal structure of Intel ME and the specifics of how it works, and about minimizing the risks of possible errors in its operation. The experts also described in detail how they managed to find a mode that disables the main functions of this subsystem. The recording and slides of this presentation are available here.