There are system security vulnerabilities -- stuff happens -- and then there are Intel firmware flaws, a whole other league of serious. For the second time in six months, Intel has patched its remote management technologies, this time prodded by bugs reported to the chip maker by Positive Technologies’ security researchers Mark Ermolov and Maxim Goryachy.
Actually, security watchdogs have been red-flagging the remote administration subsystem Management Engine (ME) for years, warning that its privileged level of access makes it too juicy a target for hackers to pass up. The feature allows admins to control devices remotely, but a compromised ME could hand attackers full control of a system, including the ability to bypass security controls and run malware without detection, with free rein below the operating system.
On Monday, Intel took heed, posting a security advisory that listed eight new bugs in ME and the associated Server Platform Services (SPS) and Trusted Execution Engine (TXE) functions. Intel also offered a downloadable detection tool for users and administrators to analyze systems for ME vulnerabilities. Specifically, computers using ME firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS firmware version 4.0, and TXE version 3.0 are at risk, Intel said.
“In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel Management Engine, Intel Trusted Execution Engine, and Intel Server Platform Services with the objective of enhancing firmware resilience,” the chip maker said in the alert. “As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk.”
There's more to it than that -- the bug spectrum spans almost every recent Intel chip, impacting millions of PCs, servers and devices. See here for the list. There’s something else to consider: although Intel is maintaining a running list of available firmware updates, it’s the hardware OEMs that have to push them out. Obviously, there’s no certainty that will happen -- don’t hold your breath for a wide-scale rollout -- leaving consumer PCs particularly vulnerable. So far, Lenovo and Dell have posted support information.
"These updates are available now," Intel told Wired in a statement. "Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible."
Goryachy, who will present Positive's findings along with Ermolov at Black Hat Europe next month in London, said they felt it was important to "assess the security status" of Intel ME because it is at the "heart of a vast number of devices worldwide." The subsystem "sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB. Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus."
The two researchers said they worked with Intel to "ensure responsible disclosure" and praised the chip maker for being "very proactive" to quickly develop a detection tool.
Other security pros pointed to the importance of limiting administrative rights. “From hardware to software, admin accounts with wide-ranging privilege rights present a large attack surface,” said James Maude, senior security engineer at Avecto, a privilege management specialist.
“Controlling privilege isn’t difficult to do, but it is key to securing systems. It’s time for both enterprises and individual users to realize that they can’t rely solely on inbuilt security – they must also have robust security procedures in place,” he said. “With modern systems, we need to consider the full stack and ensure that privilege management and patching is implemented from the hardware upwards.”
At this point, it's unclear how serious the ME bugs are, Filippo Valsorda, a cryptography engineer and researcher, told Wired. “Intel seems worried enough to publish detection tools and do a well-orchestrated release,” he said. (Side note: Valsorda tweeted “Holy mother of all vulnerabilities” when Intel released the security alert, suggesting he thinks it could be a pretty big deal.)