[Cryptography] Intel Management Engine pwnd (was: How to find hidden/undocumented instructions

=JeffH Jeff.Hodges at KingsMountain.com
Tue Nov 21 19:04:45 EST 2017

Oh joy...

Intel finds critical holes in secret Management Engine hidden in tons of 
desktop, server chipsets

  By Thomas Claburn in San Francisco 20 Nov 2017 at 23:53

Intel today admitted its Management Engine (ME), Server Platform 
Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to 
multiple worrying security flaws, based on the findings of external 
security experts.

The firmware-level bugs allow logged-in administrators, and malicious or 
hijacked high-privilege processes, to run code beneath the operating 
system to spy on or meddle with the computer completely out of sight of 
other users and admins. The holes can also be exploited by network 
administrators, or people masquerading as admins, to remotely infect 
machines with spyware and invisible rootkits, potentially.

Meanwhile, logged-in users, or malicious or commandeered applications, 
can leverage the security weaknesses to extract confidential and 
protected information from the computer's memory, potentially giving 
miscreants sensitive data – such as passwords or cryptographic keys – to 
kick off other attacks. This is especially bad news on servers and other 
shared machines.

In short, a huge amount of Intel silicon is secretly running code that 
is buggy and exploitable by attackers and malware to fully and silently 
compromise computers. The processor chipsets affected by the flaws are 
as follows:

     6th, 7th and 8th Generation Intel Core processors
     Intel Xeon E3-1200 v5 and v6 processors
     Intel Xeon Scalable processors
     Intel Xeon W processors
     Intel Atom C3000 processors
     Apollo Lake Intel Atom E3900 series
     Apollo Lake Intel Pentiums
     Celeron N and J series processors

Intel's Management Engine, at the heart of today's disclosures, is a 
computer within your computer. It is Chipzilla's much maligned 
coprocessor at the center of its vPro suite of features, and it is 
present in various chip families. It has been assailed as a "backdoor" – 
a term Intel emphatically rejects – and it is a mechanism targeted by 
researchers at UK-based Positive Technologies, who are set to reveal in 
detail new ways to exploit the ME next month.

The Management Engine is a barely documented black box. It has its own 
CPU and its own operating system – recently, an x86 Quark core and MINIX 
– that has complete control over the machine, and it functions below and 
out of sight of the installed operating system and any hypervisors or 
antivirus tools present.

It is designed to allow network administrators to remotely or locally 
log into a server or workstation, and fix up any errors, reinstall the 
OS, take over the desktop, and so on, which is handy if the box is so 
messed up it can't even boot properly.

The ME runs closed-source remote-administration software to do this, and 
this code contains bugs – like all programs – except these bugs allow 
hackers to wield incredible power over a machine. The ME can be 
potentially abused to install rootkits and other forms of spyware that 
silently snoop on users, steal information, or tamper with files.

SPS is based on ME, and allows you to remotely configure Intel-powered 
servers over the network. TXE is Intel's hardware authenticity 
technology. Previously, the AMT suite of tools, again running on ME, 
could be bypassed with an empty credential string.

Today, Intel has gone public with more issues in its firmware. It 
revealed it "has identified several security vulnerabilities that could 
potentially place impacted platforms at risk" following an audit of its 
internal source code:

In response to issues identified by external researchers, Intel has 
performed an in-depth comprehensive security review of our Intel 
Management Engine (ME), Intel Server Platform Services (SPS), and Intel 
Trusted Execution Engine (TXE) with the objective of enhancing firmware 

The flaws, according to Intel, could allow an attacker to impersonate 
the ME, SPS or TXE mechanisms, thereby invalidating local security 
features; "load and execute arbitrary code outside the visibility of the 
user and operating system"; and crash affected systems. The severity of 
the vulnerabilities is mitigated by the fact that most of them require 
local access, either as an administrator or less privileged user; the 
rest require you to access the management features as an authenticated 


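The AMT "empty credential string" bypass mentioned above is a comparison bug, and a small C illustration shows why an empty (or truncated) HTTP Digest response passes. This is an added example written for this post, not Intel's firmware code or anything from the article; it is modelled on the publicly reported root cause of that bypass, namely that the expected digest was compared against the client-supplied response with strncmp bounded by the length of the client-supplied string. The expected digest value is a constructed sample, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 32-hex-char MD5 Digest "response" the server
 * computed for the challenge. Any hex string of this form will do. */
static const char *EXPECTED_RESPONSE = "5d41402abc4b2a76b9719d911017c592";

/* Vulnerable pattern (assumed model of the AMT bug, not Intel's code):
 * the comparison length is taken from the attacker-controlled string.
 * With an empty response, strncmp compares zero bytes and returns 0,
 * which this code treats as "match". A short prefix of the real digest
 * passes for the same reason. */
int check_response_vulnerable(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Hardened version: require the exact expected length, then compare every
 * byte in constant time so the result does not leak how many leading
 * bytes were correct. */
int check_response_fixed(const char *expected, const char *supplied)
{
    size_t n = strlen(expected);
    if (strlen(supplied) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    const char *attempts[] = { "", "5d41", "0000", EXPECTED_RESPONSE };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        printf("response \"%s\": vulnerable=%d fixed=%d\n",
               attempts[i],
               check_response_vulnerable(EXPECTED_RESPONSE, attempts[i]),
               check_response_fixed(EXPECTED_RESPONSE, attempts[i]));
    }
    return 0;
}
```

The vulnerable function accepts the empty string and any correct prefix of the digest; the fixed one accepts only the full, exact digest. The length check before the loop is what closes the bypass; the XOR accumulation is the usual constant-time idiom and is worth keeping in any credential comparison regardless of this bug.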