Apple fixed firmware vulnerability found by Positive Technologies

The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors

Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.

Maxim Goryachy notes: "The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of firmware, write a vulnerable version of Intel ME, and exploit it to secretly gain a foothold in the device. Next, it is possible to obtain full control over the computer and spy with no chance of being detected."

Manufacturing Mode

Intel ME has Manufacturing Mode designed to be used exclusively by motherboard manufacturers. This mode provides additional opportunities, and an attacker can gain an advantage over them. The risk imposed by this mode and its impact on Intel МЕ performance was discussed by many researchers, including Positive Technologies experts (How to Become the Sole Owner of Your PC), but numerous manufacturers still do not disable this mode.

When operating in Manufacturing Mode, Intel ME allows performing a specific command, after which ME region becomes writable via the SPI controller built into the motherboard. Having a possibility to run code on the attacked system and send commands to Intel ME, the attacker can rewrite Intel ME firmware to another version, including the version vulnerable to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707, and execute arbitrary code on Intel ME even if the system is patched.

This mode is enabled in MacBook, as well. Although firmware itself is additionally protected from SPI Flash region rewriting attacks (if access to any region is open, firmware does not allow OS download), researchers found an undocumented command that restarts Intel ME without the main system restart, which allows bypassing this protection. Not only Apple computers can be attacked this way.

Positive Technologies developed a special utility that checks the status of Manufacturing Mode. You can download it using this link. If the check shows that the mode is on, we recommend you to ask your computer's manufacturer for instructions on how to turn off the mode. The utility is designed for system based on Windows and Linux. Apple users only need to install the above mentioned update.

Intel Management Engine

Intel Management Engine is a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. PCH manages almost all communication between the processor and peripherals; therefore, Intel ME has access to almost all data on the computer. Researchers found a flaw that allows executing unsigned code inside PCH on any motherboard for Skylake processors and later versions.

The extent of the problem

Vulnerable Intel chipsets are used all over the world, from home and work laptops to enterprise servers. The update previously released by Intel does not prevent exploitation of vulnerabilities CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707, because with write access to ME region, an attacker can write a vulnerable version of МЕ and exploit a vulnerability in it.