Intel Fixes Critical Bugs in Management Engine (affecting 6th, 7th, 8th Generation Core™ CPUs)

LASER_oneXM

Intel published a security advisory last night detailing eight vulnerabilities that impact core CPU technologies such as the Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE).

The vulnerabilities are severe enough to allow attackers to install rootkits on vulnerable PCs, retrieve data processed inside CPUs, and cause PC crashes —which should be the least of someone's worries.

One of the affected products is the Intel Management Engine, a technology that is often described as a secret CPU inside the main Intel CPU. The ME component runs independently from the user's main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and many other components. An attacker that exploits a flaw and gains control over the Intel ME has untethered control over the entire computer.

The CPU maker has released firmware updates to address these flaws. The updates are not available to the general public, as chipset and motherboard vendors will have to integrate the updates into their own updates. Lenovo has already issued patches for some products that are using vulnerable Intel ME, SPS, or TXE technologies.

Who's affected?
According to Intel, the following Intel ME, SPS, and TXE firmware versions are affected:

ME firmware versions 11.0/11.5/11.6/11.7/11.10/11.20
SPS Firmware version 4.0
TXE version 3.0

According to Intel, the following products incorporate vulnerable firmware versions:

6th, 7th & 8th Generation Intel® Core™ Processor Family
Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor W Family
Intel® Atom® C3000 Processor Family
Apollo Lake Intel® Atom Processor E3900 series
Apollo Lake Intel® Pentium™
Celeron™ N and J series Processors

Intel has released a tool for Windows and Linux users that checks and reports if users' computers are affected. On Windows, users should run the Intel-SA-00086-GUI.exe file to view scan results (image below).


upnorth

Quote: "The Management Engine is an independent subsystem that lives in a separate microprocessor on Intel chipsets; it exists to allow administrators to control devices remotely for all types of functions, from applying updates to troubleshooting. And since it has extensive access to and control over the main system processors, flaws in the ME give attackers a powerful jumping-off point. Some have even called the ME an unnecessary security hazard.

Intel specifically undertook what spokesperson Agnes Kwan called a “proactive, extensive, rigorous evaluation of the product,” in light of findings that Russian firmware researchers Maxim Goryachy and Mark Ermolov will present at Black Hat Europe next month. Their work shows an exploit that can run unsigned, unverified code on newer Intel chipsets, gaining more and more control using the ME as an unchecked launch point. The researchers also play with a sinister property of the ME: It can run even when a computer is “off” (just so long as the device is plugged in), because it is on a separate microprocessor, and essentially acts as a totally separate computer."

Quote: "As with previous ME bugs, nearly every recent Intel chip is impacted, affecting servers, PCs, and IoT devices. Compounding the issue: Intel can provide updates to manufacturers, but customers need to wait for hardware companies to actually push the fixes out. Intel's maintaining a running list of available firmware updates, but so far only Lenovo has offered one up."

Source: Intel Chip Flaws Leave Millions of Devices Exposed

Detection Tool: Download Intel-SA-00086 Detection Tool

shmu26

It covers most Intel processors, as far as I can tell.

Most PC owners in the world will need a firmware update, and most don't know how to flash their BIOS, nor do they even know what a BIOS is. I happen to know what a BIOS is, and I don't want to update my desktop's firmware, because the electricity supply where I live is a bit on the flaky side. If it goes out in the middle, or someone at home plugs in a wet hot-water kettle or clothes iron, then my mobo is toast.

Another solution will have to be found.
 

tim one

Good sharing :)

Let's say that for this flaw to be exploitable remotely, the ports on which the remote administration service is listening must be open and exposed on the Internet. This scales down the severity of the problem, because it would be a really stupid thing to connect a PC with these ports active and listening to a public or open WiFi network.
BTW you can open the command prompt and type:

netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"

In the event that you get a response, it would be good to disable Engine Management.

More info:

Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
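
The port check from the post above, as an added example that is not part of the original post or of any Intel tool: it parses Windows `netstat -na` output and reports only sockets whose local port is one of the six listed, so an outbound connection to a remote port 623 or a listener on 6230 is not counted. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Ports named in the netstat/findstr check in the post above.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Constructed sample of Windows `netstat -na` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    [::]:16993             [::]:0                 LISTENING
  TCP    192.168.1.20:50123     203.0.113.7:623        ESTABLISHED
  TCP    127.0.0.1:6230         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:623            *:*
"""

def _port(endpoint):
    """Return the port of an 'addr:port' or '[v6]:port' endpoint, else None."""
    m = re.search(r":(\d+)$", endpoint)
    return int(m.group(1)) if m else None

def amt_listeners(netstat_text, ports=AMT_PORTS):
    """Return sorted (proto, local_endpoint) pairs bound to one of `ports`.

    Only the local address column is checked, so an outbound connection to a
    remote port 623 is not reported. TCP rows must be LISTENING; UDP rows have
    no state column and count as bound.
    """
    hits = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] not in ("TCP", "UDP"):
            continue
        proto, local = cols[0], cols[1]
        if proto == "TCP" and (len(cols) < 4 or cols[3] != "LISTENING"):
            continue
        if _port(local) in ports:
            hits.add((proto, local))
    return sorted(hits)

if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE if "--sample" in sys.argv else subprocess.run(
        ["netstat", "-na"], capture_output=True, text=True).stdout
    for proto, local in amt_listeners(text):
        print(f"{proto} {local} is bound to an AMT/ME management port")
```

An empty result only describes sockets the operating system knows about. Because the ME runs independently of the main OS, checking the same ports on your machine from a second host on the network is the stronger test.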
 

upnorth

Quote: "The world's top PC-makers have started to ship fixes for the multiple flaws in Intel's CPUs, but plenty won't land until 2018. The flaws struck multiple flaws in Intel's Management Engine, Server Platform Services, and Trusted Execution Engine and make it possible to run code that operating systems – and therefore sysadmins and users – just can't see."

Quote: "Lenovo's advisory listed seven machines for which the date of fix delivery is “TBD” - to be determined.

That's a lovely small number compared to Acer, which has given 240 models the TBD treatment.

It's therefore making Dell look good: it has just 191 TBD PCs. The company has also picked January 7th, 2018, for nine models, January 14th, 2018, for another ten machines and February 2nd, 2018, for four models. Nine machines will get their fix on Christmas Eve, 2017.

Panasonic's advised that it's targeted “the end of January 2018” for six machines and said it is “currently confirming” when it will deliver for another seven machines.

Even Intel itself signalled it needs time to fix its NUC, ComputeStick and ComputeCard products. The company said “Expected availability” is in December 2017.

HPE appears to have downloads ready to go, but Fujitsu's only readied them for Japanese and EMEA customers: the rest of the world has to wait an unspecified amount of time."

Source: To fix Intel's firmware fiasco, wait for Christmas Eve or 2018

upnorth



IBM Security Advisory

Quote: "
  1. Remain aware. Actively follow this security vulnerability and follow updates from Intel.
  2. Find out if you’re vulnerable. Intel has developed a tool that can be used to develop an inventory of assets and run a test of its potential vulnerability: Download Intel-SA-00086 Detection Tool.
  3. Consider disabling Intel AMT if you are not using it. Disabling unused technology is generally a good security practice to continually employ. This reduces your overall attack surface and helps keep devices and data more secure. IBM will provide more on how you can disable Intel AMT when we have additional information.

Reports indicate that more information on this vulnerability will be presented at Black Hat Europe on Dec. 4, by a researcher from Positive Technologies. You can learn more about that session here."

Source: IBM Security Advisory on Intel Management Engine Vulnerability
 