What is the world’s most widely-used operating system on new PCs?
Windows?
Guess again.
In all probability, it’s the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that’s built into all recent Intel computers.
Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.
But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.
The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.
This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.
Intel lists four ME vulnerabilities (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.
Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.
Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.
For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.
Users looking for a quick fix shouldn’t hold their breath.
What could an attacker do to an unpatched system?
Intel mentions several possibilities, but an alarming standout is the ability to “load and execute arbitrary code outside the visibility of the user and operating system.”
A lot of admins will find themselves doing a double-take reading this, particularly the idea that something inside a PC can run code without the desktop or server operating system being in charge.
Unhappiness at the way ME bends the rules has been steadily growing – and not just from the tinfoil hat brigade.
The privacy group EFF described ME as a tiny homunculus computer, complete with its own operating system, processor chip, drivers, network stack and web server.
Then, in August, Google engineer Ronald Minnich mentioned that the search giant was so unsettled by the security risks of ME running its own Minix operating system that it planned to rip out as much of ME as possible from its Linux servers.
Interestingly, Microsoft’s recent secure PC specification made no mention of ME beyond endorsing Intel’s new processor generation.
What is clear is that researchers smell blood and will continue to probe ME and equivalent low-level technologies for weaknesses.
After this week, few will bet against them finding more problems.
Laurence Marks
1) Besides the four vulnerabilities (CVE-2017-5705, -5708, -5711, and -5712) which affect the Intel Manageability Engine (ME), you might mention the two (CVE-2017-5706 and -5709) which affect both the Trusted Execution Engine (TXE), and the Service Platform Service 4.0 (SPS).
2) Andrew Tanenbaum must be horrified. Have you asked him for a comment?
3) Do you suppose that the SA-00086 GUI Detection Tool was actually tested before it was released? I’m on a short vacation for the (US) holiday and tried it on the laptop I brought along, an Intel Core2 Duo T5500 running Windows 10 x64 and probably about 10 years old. It’s been running for 10-15 minutes, using all of one processor and a little of the other (around 52.5%) and it’s done nothing but display
Intel SA-00086 Detection Tool
Application Version: 1.0.0.128
System analysis running – please wait…
Copyright(C) 2017, Intel Corporation, All rights reserved.
For what it’s worth, it’s used 0 disk access and minimal (5.8 MB) memory. I would have expected it to run for a few seconds and report “Processor not affected” given its age.
As usual (sigh) I am underwhelmed with the quality of the software.
Paul Ducklin
We didn’t mention the other two vulns in order to keep the article focused on the ME component. We’ll let your comment document that there are other related security problems at the same time.
And, no, we haven’t contacted Andrew Tanenbaum, author of Minix. I thought of that myself (I once got a Minix CD directly from him :-) because it sounded cool but then I figured, “What to ask him? What would I expect him to say? Surely he has better things to do with his time?”
Similarly, I’ve never thought to contact the authors of the Clang or GCC compilers simply because of finding buggy programs or malware built with them…
John E Dunn
I tested the Intel utility and agree it’s fiddly to get working – it eventually told me my PC will need an ME update.
As to the SPS and TXE vulnerabilities, I alluded to them in passing for space reasons.
Norm Dill
The Truth is “Corporations are evil”. Operate under that assumption.
David M
I ran the Linux utility to check. It worked perfectly and was easy to run from terminal.
1) go to the page listed above, choose the Linux download, download & unpack
2) open your terminal, change to the directory that has the unpacked .py files
3) and if you run Ubuntu or Mint or any other Ubuntu based Linux, at the command line: sudo ./intel_sa00086.py – put in your password when asked, and it lets you know in a second.
Very good.
Bill
Does the VPro need to be activated on the Intel chip for this flaw to be exploited?
Paul Ducklin
Intel vPro is a marketing term that embraces a whole raft of features in and of recent CPUs, so it can’t be turned on or off, it “just is”.
Are you using vPro to refer specifically to Intel AMT, the “Active Management Technology” part of the vPro scene?
(If so, does anyone know if this issue is moot if you manage to turn AMT off, or is that more of a workaround?)
John E Dunn
The best advice is not to interfere with AMT, or ME for that matter. It can be done (Google says it has been doing it on its servers) but is a skilled undertaking.
Mahhn
So, our PCs can be hacked while powered off, and our cell phones can track us while they are powered off.
George Orwell had no clue how bad it would actually be…
David M
It really depends if it was an intentional back door left open by request of same agency using the Patriot Act as a lever over Intel, and now they have to deal with it because someone figured it out, OR, if it was just a genuine accident.
If it was intentional, that is Orwellian, if an accident, typical programming reality.
Marvin
There is an expression in the UK
“Too clever by half”
Sometimes it is useful if your hardware is not excessively “clever”!
Jim Williams
Went to Dell support page, but update package is only for various Windows flavors, not Linux?
John E Dunn
I’d stick to Intel’s Windows/Linux utility: https://downloadcenter.intel.com/download/27150