Positive Technologies details flaw in Intel chips that could give an attacker unprecedented access to desktops, servers and IoT devices worldwide

Vulnerability allows deep-level access to the majority of information and processes in post-2015 chips from world’s largest manufacturer, even while turned off or protected by security software

London, 6th December 2017 - Positive Technologies researchers Mark Ermolov and Maxim Goryachy today outlined a flaw in the Intel Management Engine 11 at BlackHat Europe, which can give an attacker deep level access to most data and processes being run on the device. A locally exploitable buffer overflow allows an attacker to run unsigned code on any device that uses a large number of Intel chips shipped since 2015.

Details of the affected chipsets can be found on the Intel security advisory issued on November 20, which are used in everything from home and business laptops, to enterprise servers, across the world.

The vulnerability lies in the Intel Management Engine, a subsystem built into most Intel chips since 2015 to ensure system efficiency. It has it’s own OS and operates during start-up, whilst the computer is running and while the computer is asleep, carrying almost all communication between processor and external devices. This gives it access to almost all data.

The Positive Technologies research team found a vulnerability in a critical module inside the Intel ME, allowing an attacker to mitigate the built-in cryptographic and hardware protection. The module was found to be vulnerable to a stack buffer overflow, which occurs when a program is forced to write more data than it should, allowing for malicious code injection. The researchers found that it was possible to bypass stack canary protection with a generic technique, and run executable code using Return Oriented Programming. In-depth technical details of the research can be found here.

The resulting unauthorized access allows the attacker so-called ‘god mode capabilities’ - sitting at a deep level inside the machine below the operating system, controlling processes and having access to the majority of data. Enjoying such a level of access also means anyone exploiting the vulnerability would avoid traditional software-based countermeasures, and be able to carry out attacks even whilst the machine is switched off.

In order to exploit this vulnerability, an attacker would need to gain local access. This requires either physically using the device itself, or gaining the credentials necessary to enter using a remote management system, such as those used by IT admins.

Maxim Goryachy and Mark Ermolov at Positive Technologies said, “Given the massive penetration of devices with Intel chips, the potential scale for attacks is big - with laptops to enterprise IT infrastructure being vulnerable. Such a problem is very hard to resolve - requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.

“Given the potential for issues, we worked closely with Intel to ensure responsible disclosure, giving the company time to discern the best possible technical fixes and time to communicate with partners. We thank them for their co-operation.”

At the same time, researchers noted that the update released by Intel does not eliminate the possibility of exploitation of these vulnerabilities: CVE-2017-5705, CVE-2017-5706, CVE-2017-5707. Since if the attacker has write access to ME-region, they can always write a vulnerable version of ME and exploit a vulnerability in it.

More details of the technical talk given at BlackHat Europe can be found here.