Intel’s secretive operating system comes under attack
System builders are rushing to fix vulnerabilities in the backdoor-like system running on millions of PCs and servers
Intel and motherboard makers are fighting a battle to fix a series of vulnerabilities that have shed light on a secretive, controversial operating system that runs in the background of Windows and Linux machines.
The Intel Management Engine (IME) and its server relatives are largely undocumented pieces of software that run on their own microcontroller, outside the control of Windows or Linux, yet play a significant role in the majority of Intel-based machines sold since 2008.
Researchers from security firm Positive Technologies first discovered some of the vulnerabilities, but kept them quiet until Intel had completed a review and eventually prepared fixes for ten vulnerabilities, eight of them classified as high risk.
“The vulnerability [we found] lies in the Intel Management Engine, a subsystem built into most Intel chips since 2015 to ensure system efficiency,” the researchers said. “It has its own operating system and operates during startup, whilst the computer is running and while the computer is asleep, carrying almost all communication between processor and external devices.”
This, according to the researchers, “gives it access to almost all data”. The flaws could give attackers “God mode” access, because they can easily bypass security software, the researchers told PC Pro.
To exploit these vulnerabilities, an attacker would need local access, either by running code on the device itself or by obtaining credentials for the remote-management interface that IT administrators use. Purely remote attacks against an unmanaged machine would be difficult, but the sheer number of systems at risk means that Intel and its partners are scrambling.
According to Intel, the weakness affects sixth, seventh and eighth generation Intel Core processors, three families of Xeon processors, as well as several Atom, Apollo Lake Pentium and some Celeron processors.
“Given the massive penetration of devices with Intel chips, the potential scale for attacks is big – with laptops to enterprise IT infrastructure being vulnerable,” Positive Technologies said. “Such a problem is very hard to resolve”, it added, “requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.”
Patch problems
The issue is exacerbated by the fact that, unlike Windows, the Management Engine has no automatic update facility: its firmware is shipped as part of the system firmware image, so users must visit their system or motherboard manufacturer’s website for updates.
Intel has released a detection tool, for Windows and Linux, that users can run to check whether their system is affected, and lists 23 manufacturers that have released updates. “Intel is undertaking an extensive and rigorous evaluation of our product portfolio as the current threat environment continues to evolve,” the firm said in a statement.
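The detection tool’s core check is a firmware-version comparison: the reported ME, SPS or TXE version is compared against the first fixed build for its branch. The script below, added here as an illustration and not Intel’s tool or any code from the article, reproduces that logic on a version string. The threshold table is illustrative and must be confirmed against Intel’s advisory before being relied on; the `0:11.8.50.3425` input format mirrors the per-line style of the Linux `mei` driver’s `fw_ver` sysfs attribute on kernels that expose it, and the sample lines are constructed.

```python
"""Classify an Intel ME/SPS/TXE firmware version as patched or vulnerable.

Illustrative example, not Intel's detection tool. The FIXED table below
holds assumed thresholds for the SA-00086 branches; verify every entry
against Intel's advisory before using it for anything real.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# (family, major, lowest affected minor, highest affected minor) -> first fixed build.
# ASSUMPTION: values are illustrative and must be checked against the advisory.
FIXED: Dict[Tuple[str, int, int, int], Version] = {
    ("ME", 11, 0, 8): (11, 8, 50, 3425),     # ME 11.0 / 11.5 / 11.6 / 11.7 branch
    ("ME", 11, 10, 11): (11, 11, 50, 3425),  # ME 11.10 branch
    ("ME", 11, 20, 21): (11, 21, 51, 1411),  # ME 11.20 branch
    ("TXE", 3, 0, 1): (3, 1, 50, 2222),      # TXE 3.0 branch
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract a four-part firmware version from a string.

    Accepts bare "11.8.50.3425" as well as "0:11.8.50.3425", the per-line
    form the mei driver's fw_ver attribute uses (platform index, colon, version).
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def status(family: str, version: Version) -> str:
    """Return 'patched', 'vulnerable' or 'not in table' for a parsed version.

    A build is vulnerable when it belongs to an affected branch (same family,
    same major, minor within the branch's range) and sorts below the first
    fixed build for that branch. Tuple comparison gives the right ordering
    because each component is an int, so 11.8.50.3425 > 11.8.50.999 as expected.
    """
    for (fam, major, lo_minor, hi_minor), fixed in FIXED.items():
        if fam == family and version[0] == major and lo_minor <= version[1] <= hi_minor:
            return "patched" if version >= fixed else "vulnerable"
    return "not in table"


def check_fw_ver_lines(family: str, fw_ver_text: str) -> Dict[str, str]:
    """Classify every version found in a multi-line fw_ver-style string."""
    results: Dict[str, str] = {}
    for line in fw_ver_text.splitlines():
        line = line.strip()
        if not line:
            continue
        results[line] = status(family, parse_version(line))
    return results


if __name__ == "__main__":
    # Constructed sample, not output captured from a real machine.
    SAMPLE = "0:11.6.27.3264\n1:11.8.50.3425\n"
    for line, verdict in check_fw_ver_lines("ME", SAMPLE).items():
        print(f"{line:>16}  {verdict}")
```

Versions outside the table (for example a newer ME 12 build) are reported as “not in table” rather than “patched”, so an incomplete threshold list fails closed instead of silently clearing a machine.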
Although top-tier manufacturers have released or have started releasing firmware fixes, not all manufacturers have reacted or even been informed. One system builder we spoke to hadn’t even heard of the issue, saying that the situation looked “gloomy” when we highlighted the problems.
To make matters worse, despite Intel releasing fixes, the researchers say that the fixes for three of the vulnerabilities (CVE-2017-5705, CVE-2017-5706, CVE-2017-5707) could be bypassed by installing an older, unpatched version of the engine’s firmware. “An update was the only fix for this problem, but we have demonstrated that even this doesn’t work, because the attacker can always install another version of the management engine and exploit it,” the researchers told us. “Even if the update is widely adopted, it is still possible that the hacker could exploit it.”
Engine problems
The Intel Management Engine has been included in almost every Intel processor since 2008, and because it is largely undocumented and invisible to Windows or Linux, it has long been a source of suspicion. The current issues affect systems sold since 2015.
The whiff of mystery surrounding the software was heightened when Dell appeared to start selling PCs with the IME disabled, something that security-conscious users would welcome, as the engine has many of the same properties as a back door.
Dell said the option appeared by mistake and that, although it could provide machines without the IME installed, they were not available to the general public. “Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs,” the company said.
“As this SKU can also disable other system functionality it was not previously made available to the general public.”
According to Dell, the Intel Management Engine is effectively obligatory on consumer machines because it is an integral part of normal system operation, essential to functions such as configuring system clocks, security features used to ensure code integrity, and DRM-protected video playback.