Intel fixes vulnerability found by Positive Technologies researchers in Management Engine

Intel has issued a security advisory and released a patch for a vulnerability discovered in Intel ME by Positive Technologies researchers Mark Ermolov and Maxim Goryachy. Intel has also published a downloadable detection tool so that administrators of Windows and Linux systems can determine whether their hardware is at risk.

Intel Management Engine is a proprietary dedicated microcontroller integrated into the Platform Controller Hub (PCH) with a set of built-in peripherals. Since the PCH is the conduit for almost all communication between the CPU and external devices, Intel ME has access to practically all data on the computer. The researchers found a flaw that allows running unsigned code on the PCH on any chipset for Skylake processors and later.

For example, attackers could target computers with a vulnerable version of Intel ME in order to implant malware (such as spyware) in the Intel ME code. This would be invisible to most traditional protection methods, since the malware is running on its own microprocessor—one separate from the CPU, which is used to run most operating systems and security software. Because the malware would not visibly impact performance, victims may not even suspect the presence of spyware that is resistant both to OS reinstalls and BIOS updates.

The Intel security advisory gives a full list of vulnerable processors:

  • 6th, 7th & 8th generation Intel Core processor family
  • Intel Xeon Processor E3-1200 v5 & v6 product family
  • Intel Xeon Processor Scalable family
  • Intel Xeon Processor W family
  • Intel Atom C3000 processor family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N and J series processors

Maxim Goryachy, one of the Positive Technologies’ researchers, described the situation as follows: “Intel ME is at the core of an enormous number of devices worldwide. This is why it was so important to test its security. This subsystem sits below the OS and has access to a huge range of data. An attacker could use this privileged access to evade detection by traditional protection tools, such as antivirus software. Our close partnership with Intel was aimed at responsible disclosure, as part of which Intel has taken preventive measures, such as creating a detection tool to identify affected systems. We recommend reading the Intel security advisory for full details. We plan to present this vulnerability in greater detail in an upcoming talk at Black Hat Europe.”