Intel Fixes Yet Another Flaw In Management Engine


It was starting to feel like Intel was overdue for serious Management Engine (ME) vulnerabilities. But this week, researchers at Positive Technologies revealed a new security flaw in the subsystem that could let attackers compromise its MFS file system. Intel has released updates to address the problem, though, so Intel CPU owners should make sure their firmware is up-to-date.

ME has become a repeated source of problems for Intel and its customers. The utility is a chip-on-a-chip that allows IT managers to remotely access company PCs with tools like Intel's Active Management Technology (AMT). ME has its own network interface, memory, operating system and file system (MFS) that are kept separate from the main system in a bid to prevent it from allowing hackers to access ostensibly secure information.

The problem is that researchers have discovered numerous vulnerabilities in ME over the last few years; Positive Technologies revealed one in 2017 that allowed full takeover of ME via USB (it's since been fixed). Now, it's revealed another one that allows someone with physical access to a system to compromise ME and "manipulate the state of MFS and extract important secrets" with the ability to "add files, delete files and change their protection attributes."

Positive Technologies said the attack can be used to learn four keys MFS uses to secure data-- the Intel Integrity Key, Non-Intel Integrity Key, Intel Confidentiality Key and Non-Intel Confidentiality Key--that were supposed to be protected via a firmware update Intel released in 2017. Positive Technologies explained how someone with physical access to the system could bypass that patch to compromise those keys in its blog post:

"Positive Technologies expert Dmitry Sklyarov discovered vulnerability CVE-2018-3655, described in advisory Intel-SA-00125. He found that Non-Intel Keys are derived from two values: the SVN and the immutable non-Intel root secret, which is unique to each platform. By using an earlier vulnerability to enable the JTAG debugger, it was possible to obtain the latter value. Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version. ... Attackers could calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value and therefore compromise the MFS security mechanisms that rely on these keys."

Intel released the Intel-SA-00125 firmware update to defend against this vulnerability on September 11. But this is another point in favor of companies questioning--or outright banning--the use of ME in their systems. Purism avoids ME and the services it enables in its privacy-focused Librem notebooks, Google is working to remove ME from the Intel processors it uses and previous security flaws have raised concerns among consumers. 

Just like the boom in speculative execution flaw discoveries that kicked off with Meltdown and Spectre, the discovery of these problems is likely to encourage researchers to seek out similar flaws in Intel's processors. (Other processors have vulnerabilities too, of course, but Intel gets more scrutiny because its CPUs are so popular.) Chances are good that more vulnerabilities will be found in ME and similar tools in the not-too-distant future.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Kaz_2_
    completely fix the problem or partial?
    Reply
  • alan_rave
    They have fixed it, but guess we will see more vulnerabilities. Totally save is when the pc is off)
    Reply
  • stevewood963
    These processors and chipsets defective from the beginning and should have been replaced by intel. Eventually their will probably be a class action suit because they were sold a new and without flaws. I will never buy a intel chip or chipset again because of this.
    Reply
  • redgarl
    It is a patch... something else will show up.
    Reply
  • Whenever I read about another vulnerability in Intel's ME I ask myself. Why is it enabled in products for regular users. I don't need it. It's for administrators. Even if the possibility of my system being affected is remote, why bother selling a bucket that has a hole in it. Just disable it. It's not like processor manufacturers are strangers to such practice.
    Reply
  • Peter Martin
    Yeah and I bet it’s all the stuff causing all the stuttering in games and whatnot. Crap NSA backed design. I’ll never buy an Intel product ever
    Reply
  • deadsmiley
    Intel hasn't "fixed" Spectre yet. They just enabled a flag that can be turned on to prevent the attack, but it slows down the PC. Enabling the flag is completely optional. Look for Linus Torvald's rant about that.
    Reply
  • WINTERLORD
    i read this article to bad it didnt include a link in the article for convince. done updates before and many but for some reason had a hell of a time finding this update
    Reply
  • pdxitgirl
    STEVEWOOD963 said:
    "These processors and chipsets defective from the beginning and should have been replaced by intel. Eventually their will probably be a class action suit because they were sold a new and without flaws. I will never buy a intel chip or chipset again because of this."

    What planet are you from!?! a) They don't recall for things like this, they patch; b) NO product or service is sold "without flaws" (new has nothing to do with it), and any user agreement states that this should never be assumed; c) No class action would ever be considered on something like this, when it can just be patched or disabled; and d) ALL processor manufacturers, like anything else, have vulnerabilities, AMD included.

    This product isn't "defective," it has a *potential* security flaw. Previous Management Engine flaws were addressed, and Intel gave the option to disable it altogether. Even so, standard NAT firewalls prevent this engine from being exposed to the outside world so it really doesn't matter for the average consumer.

    Good luck ever finding a technological device without flaws or vulnerabilities!


    T.S.WIACEK said:
    "Whenever I read about another vulnerability in Intel's ME I ask myself. Why is it enabled in products for regular users. I don't need it. It's for administrators. Even if the possibility of my system being affected is remote, why bother selling a bucket that has a hole in it. Just disable it. It's not like processor manufacturers are strangers to such practice."

    Intel CPUs are used in all sorts of products, often in a business environment. These types of management interfaces are in most modern processors, whether you as a consumer would use it, or not. And yes, usually Intel offers the ability to disable it altogether (a requirement, if I'm not mistaken, given by the NSA). But they aren't going to just "not sell it" because a theoretical vulnerability was discovered, one that has never been seen in the wild and is enormously unlikely to ever be exploited.

    And no, IT is NOT just "for administrators." You do IT yourself whenever you manage your own computer. And they don't just redesign their products simply because you're a home user and won't make use of all the features. Believe it or not, some home users DO make use of these things.
    Reply
  • pdxitgirl
    WINTERLORD said:
    "i read this article to bad it didnt include a link in the article for convince. done updates before and many but for some reason had a hell of a time finding this update"

    Don't even worry about it. This, like the other Management Engine vulnerability, and the overhyped Spectre and Meltdown vulnerabilities, are theoretical, potential vulnerabilities that so far, nobody has ever seen in the wild, that would require a ton of work just to implement. In every case, the cure was far, far worse than the actual disease. One of Microsoft's patches for either Spectre or Meltdown actually OPENED UP a whole score of vulnerabilities far worse than what it was supposed to patch.

    Just more hype and nonsense. And I've had too many crashes & problems this year from Microsoft's and Intel's "critical security updates" this year.
    Reply