Intel ME Flaws Not Perfectly Fixed: Gives Attackers “God Mode” on a Vulnerable Machine
Hacking events are always thrilling to follow because they usually end up giving us a better clue of how secure the services and products we use actually are. During a presentation at Black Hat Europe, security researchers talked about the much hyped Intel Management Engine issues. While the chipmaker released a firmware update last month potentially fixing the problems, researchers have presented a darker picture, suggesting that they may not have been permanently patched, after all.
"Hacking a turned off computer and running unsigned code in Intel Management Engine"
Researchers from Positive Technologies, Mark Ermolov and Maxim Goryachy, discovered several issues in Intel's secretive Management Engine 11. The Intel Management Engine, a coprocessor that powers the company's remote administrative features, has long been at the center of controversies thanks to how it's designed to access almost all of the data and processes of the main system. While Intel may have given this "God mode" access to make life easier for admins to manage fleets of machines, it also enabled attackers to do the same without the affected victim ever knowing about it due to how ME is designed to be independent of the primary operating system.
When Positive Tech researchers helped Intel patch these flaws, the chipmaker had said that using these an attacker could hide deep inside a machine, controlling its processes and data. They have now added that using a stack buffer overflow bug that plagues Intel ME 11 system since 2015, attackers could still run unsigned code.
Researchers add that the chips remain vulnerable to these issues despite Intel's fixes since an attacker would just need to "convert a machine to a vulnerable version of Management Engine" to be able to exploit these security vulnerabilities, Dark Reading reports. The fix may fail to protect against the bugs tracked as CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
They warned that attackers could use a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11 regardless of it having being turned off. These vulnerabilities, researchers wrote, that "have been patched by Intel through its latest firmware release" still enable an attacker to "downgrade to an older, vulnerable version of Management Engine and exploit a vulnerability that way" if they have write access to the Management Engine region.
"Unfortunately, it's not possible to completely defend against this [buffer overflow] flaw" in the Intel Management Engine."
"Writing an older version of the ME firmware typically requires either writing to the flash chip directly or taking advantage of weak BIOS protections, which would depend on the vendor's particular configuration."
While it does require local access to the machine or credentials to access it, it raises fresh concerns of remote attacks. Researchers warned that "given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable".
In the aftermath of Intel's fixes for ME and its acknowledgement that the Management Engine was indeed insecure, at least three OEMs decided to put a stop to Management Engine in their own machines. Researchers believe that right now the only way out is for OEMs to turn off the manufacturer mode of the chip to "make sure that a local vector attack is not possible".