Between all the new Spectre-class CPU flaws and the bugs the company and other researchers keep finding in its Management Engine (ME) firmware, Intel can't seem to catch a break. Now the company has publicly disclosed two more ME bugs, one of which allows remote code execution on victims’ PCs.
Intel ME Threat
Over the past couple of years, security researchers have taken a significant amount of interest in testing CPUs. Because Intel is the most popular chip maker, it has also become the default research target for most of these researchers. (Although AMD hasn't exactly been ignored.) This is how we’ve finally learned about bugs that have existed in Intel chips for many years, but that nobody had bothered to look for.
Perhaps what started everything was Intel ME, a controversial chip subsystem that has been part of Intel’s chips since 2008. Intel ME became controversial due to its “black box” nature, scaring many privacy-conscious PC users, organizations, and security researchers (including those at Google) with its potential to hide backdoors and bypass all operating system security protections.
Intel sells ME and its Active Management Technology (AMT) firmware as an enterprise feature that makes IT admins’ lives easier, because they can more easily operate machines remotely within the network.
However, the company hasn’t done a good job of being transparent about how ME functions. Some believe that’s on purpose, because the chip company is also using it to enforce Digital Rights Management (DRM), as part of the deals it has made with Hollywood and other content companies. It only takes one person to hack a single PC anywhere in the world for that DRM to be bypassed and the content to be pirated, but that issue seems beside the point in these deals.
New Year, New Intel ME Bugs
Researchers found several ME bugs last year, and now we have two more. The first one, CVE-2018-3627, is a logic bug that may allow execution of arbitrary code on Intel-based machines. According to the Russian security company Positive Technologies, which found a similar bug in Intel ME last year, the new one is more easily exploitable, making it even more dangerous. An attacker only needs local access on a machine to be able to exploit the Intel ME.
Positive Technologies said that CVE-2018-3628, the second bug revealed by Intel, is much worse. The vulnerability enables a “full-blown remote code execution in the AMT process of the Management Engine.” Furthermore, unlike CVE-2017-5712, which PT discovered last year, an attacker wouldn’t even need an AMT administrator account.
Intel called the vulnerability a “buffer overflow in HTTP handler,” which allows remote code execution without authorization. This is what many security experts have feared Intel ME could enable. The vulnerability is similar to another ME flaw found by another researcher last year.
What Chips Are Affected
The first bug, CVE-2018-3627, affects all Intel 6th generation chips and newer, which means it affects consumer and corporate devices, servers, and Internet of Things devices.
The second bug, CVE-2018-3628, affects a larger range of Intel chips:
- Intel Core 2 Duo vPro and Intel Centrino 2 vPro
- 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family (Greenlow)
- Intel Xeon Processor Scalable Family (Purley)
- Intel Xeon Processor W Family (Basin Falls)
Intel said that CVE-2018-3628 exploitation is possible only from the same subnet (as we've learned recently, that's not necessarily an enormous obstacle for attackers). However, Positive Technologies researchers plan to put that to the test in the coming months. In the meantime, Intel still has a few more Spectre-class bugs to worry about.