Chip Flaws: Intel Finally Releases Fixes to Management Engine Bugs That Put Millions of Devices at Risk
Intel has discovered several security vulnerabilities in its secretive Management Engine (ME), Trusted Execution Engine (TXE) and Server Platform Services (SPS) during an in-depth review. In a security advisory, the company has detailed eight vulnerabilities that impact its core CPU technologies. The firm has now released firmware updates, however, considering they could take months before reaching out to all the devices, millions of products remain exposed to attacks.
Intel ME is back in controversy, this time finally bringing some fixes to security concerns
Security researchers have long been warning about Intel ME bugs since only Intel could audit it for backdoors. Reports in August had suggested that it was possible for the company's government clients to request Intel's always-on ME 'master controller' for its CPUs to be disabled. Following months of rumors and concerns, the company finally decided to carry out an extensive security review of its products.
Some of the discovered critical vulnerabilities can be exploited to impersonate ME, SPS and TXE services, and allow attackers to install rootkits on vulnerable systems, execute arbitrary code without being detected by the user or the OS, and cause system crashes. Intel said that along with these, the Management Engine is also vulnerable to buffer overflows and other flaws that can be exploited for privilege escalation, local code execution, and remote code execution.
Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE).
Trusted Execution Engine is also vulnerable to privilege escalation and local code execution flaw, both of which have been rated as high severity vulnerabilities. Finally, SPS kernel is open to local code execution and privilege escalation.
Intel hasn't disclosed the details of these vulnerabilities considering their high severity. Intel said that systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.
Affected products include:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™
- Celeron™ N and J series Processors
Considering the critical nature of these chip flaws, Intel has also shared a tool (external link) that will enable users to check if their systems are affected. The chipmaker has advised users to check with their OEMs for firmware updates. So far, only Lenovo has managed to deliver these updates.
While it will take time to learn about the full impact of these ME bugs, Mathew Garrett, a Google's security expert, talked about possible impact suggesting that the flaws are unlikely to be harmless.
So yeah on reflection I don't see many outcomes where this is fairly harmless so uh happy thanksgiving
— Matthew Garrett (@mjg59) November 20, 2017
The latest advisory follows a bug patch from the chipmaker that came earlier this year in May fixing a nine-year-old privilege escalation vulnerability. More details on the latest issues are available in this advisory.