Intel Patches Major Flaws in the Intel Management Engine
Intel has acknowledged and patched a new suite of security problems affecting its Intel Management Engine. This subsystem controls many low-level capabilities of the SoC, and can be used for features like remote access and Intel’s Trusted Execution Engine. The company has released a list of 10 vulnerabilities across multiple products that are addressed by recent driver updates. Potentially affected systems include:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™ and Celeron™ N and J series Processors
That’s Intel’s entire product line dating back to the introduction of Skylake. According to Intel, attackers could impersonate the Intel Management Engine, Server Platform Services, and/or the Trusted Execution Engine, load and execute arbitrary code without the user or OS being aware of it, and destabilize or crash a system altogether.
Intel’s admission of multiple vulnerabilities is likely to raise eyebrows, given the company’s previous conduct regarding IME. Intel goes to great lengths to hide exactly how IME works and there’s no way for the main x86 chip to even snoop on what the IME is doing (the IME has previously run on an embedded 32-bit Argonaut RISC core, though it’s not clear if this is still the case). This means there’s effectively a second operating system running on every single Intel processor, and there’s no way for the user to control it or shut it off (disabling the IME on a motherboard with IME enabled will result in a non-booting system until the capability is re-enabled). While a research team did find a way to turn the function off by setting a single bit, they note that actually doing so could permanently brick a system. Also, it doesn’t work until the system has actually booted and the main CPU has started. As of this writing, Intel has not offered a safe, reliable method for anyone to disable the Intel Management Engine.
We’ve actually been finding out more about the IME in the past year than in the previous half-decade. A Google software engineer recently confirmed that the system runs the MINIX 3 operating system. Google has reportedly been trying to replace proprietary firmware in its own servers, and the Intel IME has been a stumbling block to that process. Intel has released a detection tool that checks whether a given system is affected by these issues. Updates will have to be issued by firmware vendors, however, so even if your system is impacted it may not receive a fix in the near future.
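The article only says that a detection tool exists; for fleet inventory a defender usually wants the same check scripted. The following is an added example, not Intel's tool and not code from the article. It assumes a Linux host where the `mei` driver exposes the ME firmware version at `/sys/class/mei/mei0/fw_ver` in the form `platform:major.minor.hotfix.build`, one line per firmware slot (an assumption about the kernel's sysfs ABI, not something the article states). The `FIXED_VERSIONS` table holds placeholder numbers only: the real minimum patched versions must be taken from the vendor advisory for each ME branch.

```python
"""Inventory check: parse an Intel ME firmware version string and compare it
against a table of minimum fixed versions per firmware branch.

Added example; the fix levels in FIXED_VERSIONS are PLACEHOLDERS, not the
real patched versions from Intel's advisory.
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Placeholder table keyed by (major, minor) ME branch -> minimum fixed version.
# Replace every entry with the numbers from the vendor advisory before use.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (11, 8): (11, 8, 99, 9999),  # placeholder, not a real fix level
}

# Assumed sysfs location of the mei driver's firmware version attribute.
SYSFS_FW_VER = Path("/sys/class/mei/mei0/fw_ver")


def parse_fw_ver(text: str) -> List[Tuple[int, Version]]:
    """Parse 'platform:major.minor.hotfix.build' lines (assumed sysfs format).

    Returns a list of (platform_id, version_tuple); blank lines are ignored
    and a malformed line raises ValueError so a bad read is not mistaken
    for a patched system.
    """
    versions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        platform, sep, ver = line.partition(":")
        parts = ver.split(".")
        if not sep or len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"unexpected fw_ver line: {line!r}")
        numbers = tuple(int(p) for p in parts)
        versions.append((int(platform), (numbers[0], numbers[1], numbers[2], numbers[3])))
    return versions


def assess(version: Version, table: Dict[Tuple[int, int], Version] = FIXED_VERSIONS) -> str:
    """Classify one firmware version as 'patched', 'vulnerable' or 'unknown-branch'.

    Tuples compare element-wise, so a plain >= gives the right ordering for
    major.minor.hotfix.build. A branch missing from the table is reported as
    unknown rather than silently treated as safe.
    """
    branch = (version[0], version[1])
    if branch not in table:
        return "unknown-branch"
    return "patched" if version >= table[branch] else "vulnerable"


def assess_host(text: str, table: Dict[Tuple[int, int], Version] = FIXED_VERSIONS) -> str:
    """Overall verdict for a host: the first (primary) firmware slot decides.

    Slots reporting 0.0.0.0 are unused and skipped.
    """
    for _platform, version in parse_fw_ver(text):
        if version == (0, 0, 0, 0):
            continue
        return assess(version, table)
    return "no-firmware-version"


def read_local_fw_ver(path: Path = SYSFS_FW_VER) -> Optional[str]:
    """Read the sysfs attribute if present; None if the driver is not loaded."""
    try:
        return path.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    raw = read_local_fw_ver()
    if raw is None:
        print("mei driver not available; cannot read ME firmware version")
    else:
        print(raw.strip())
        print("verdict:", assess_host(raw))
```

Treat "unknown-branch" as a finding to follow up, not as a pass: the ME branch on a host that is not in the table simply has not been checked against the advisory yet.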