
Intel releases firmware update for ME flaw

It’s only September and yet 2018 is well on its way to being remembered as the year of fixing flaws we didn’t realise were possible in hardware we’d never heard of.

This theme kicked off in January with the Meltdown and Spectre CPU cache-timing flaws (and subsequent variants) and continued last week as users found themselves patching another even more obscure low-level system.
This time, the system was Intel’s component-with-many-names, the Management Engine (ME), AKA the Manageability Engine (ME), and the Converged Security and Manageability Engine (CSME).
Researchers at Positive Technologies discovered a flaw in the security of two of the four cryptographic keys ME uses to store sensitive data. If this story seems a bit familiar, it is: the same organisation found an earlier weakness in the same Intel ME system in 2017, one that affected all four keys and itself capitalised on an even older discovery.
If this is starting to sound involved, what matters is the effect: the ability to compromise and generally mess around with files stored by ME, including the key used to secure the default admin password that protects remote access to ME itself.
Identified as CVE-2018-3655, and with updates now released, the issue affects firmware versions: 11.0 through 11.8.50; 11.10 through 11.11.50; 11.20 through 11.21.51; Intel Server Platform Services firmware version 4.0 (on Purley and Bakerville only); and Intel TXE version 3.0 through 3.1.50.
In its advisory, Intel recommends administrators contact their system or motherboard manufacturer to obtain an update that addresses this vulnerability.
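For administrators triaging a fleet before contacting vendors, the version ranges listed above can be turned into a quick inventory check. This is an added example, not code from Intel or from the original article; it assumes the three unlabelled 11.x ranges refer to ME/CSME firmware, that "through" means inclusive bounds, that the fourth (build) component of a version string can be ignored, and it uses a constructed inventory with made-up hostnames.

```python
import re

# Affected ranges as listed in the article for CVE-2018-3655.
# Bounds are (major, minor, hotfix), treated as inclusive (assumption).
AFFECTED = {
    "CSME": [((11, 0, 0), (11, 8, 50)),
             ((11, 10, 0), (11, 11, 50)),
             ((11, 20, 0), (11, 21, 51))],
    "TXE": [((3, 0, 0), (3, 1, 50))],
}
# SPS: "version 4.0", on Purley and Bakerville only. The platform cannot be
# derived from a version string, so a match here still needs a platform check.
SPS_AFFECTED_PREFIX = (4, 0)


def parse_version(text):
    """Parse 'major.minor[.hotfix[.build]]' into a 3-tuple; build is ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, hotfix = (int(g) if g else 0 for g in m.groups()[:3])
    return (major, minor, hotfix)


def is_affected(product, version):
    """Return True if the version falls inside a range the article lists."""
    product = product.upper()
    v = parse_version(version)
    if product == "SPS":
        return v[:2] == SPS_AFFECTED_PREFIX
    if product not in AFFECTED:
        raise ValueError(f"unknown product family: {product!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


# Constructed sample inventory: (hostname, product family, reported version).
INVENTORY = [
    ("ws-014", "CSME", "11.8.50.3425"),   # top of the first listed range
    ("ws-015", "CSME", "11.8.55.3510"),   # above the first listed range
    ("ws-016", "CSME", "11.21.51"),       # top of the third listed range
    ("srv-02", "SPS", "4.0.4.313"),       # SPS 4.0: check platform as well
    ("tab-07", "TXE", "3.1.55.2269"),     # above the listed TXE range
]


def audit(inventory):
    """Return hostnames whose reported firmware is in a listed range."""
    return [h for h, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    print("needs vendor update:", audit(INVENTORY))
```

A version outside these ranges only means it is not listed in this article; the vendor's update notes remain the authority on which build carries the fix.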

Why ME matters

As previously discussed, ME is a sort of computer-within-the-computer living inside every Intel PC of the last decade, which was put there to make remote troubleshooting easier.
It has its own memory, CPU, and Minix Linux OS, and can remain operational even when a PC is turned off, something that may come as a surprise to many, given how few seem to have heard of it.
With the post-Meltdown world newly aware of the potential for hardware to harbour security issues, chip makers find themselves fixing a flurry of security problems in low-level technology that seemed to be fine for years. The chips are down for companies like Intel, so to speak, so it’s encouraging to see this particular fix taking place so quickly.
Intel recommends that users of Intel CSME, Intel Server Platform Service and Intel Trusted Execution Engine (TXE) update to the latest version.


The hyperlink for CVE-2018-3655 takes you to Intel’s intel-sa-00125, as opposed to the Mitre or NVD entry for the CVE. Though the Intel link is useful, it’s currently misleading (and is also referenced by both Mitre and NVD pages).


Fixed it, thanks. Now links to Mitre instead. (We link to the Intel advisory in the next paragraph of the article anyway :-)

