New research has uncovered five Intel firmware vulnerabilities related to the controversial Management Engine,...
leading one expert to question why the Intel ME cannot be disabled.
The research that led to finding the Intel firmware vulnerabilities was undertaken "in response to issues identified by external researchers," according to Intel. This likely refers to a flaw in Intel Active Management Technology -- part of Management Engine -- found in May 2017 and a supposed Intel ME kill switch found in September. Due to issues like these, Intel "performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS) and Intel Trusted Execution Engine (TXE), with the objective of enhancing firmware resilience."
In a post detailing the Intel firmware vulnerabilities, the vendor said the flaws could allow an attacker to gain unauthorized access to a system; impersonate the ME, SPS or TXE; execute arbitrary code; or cause a system crash.
Mark Ermolov and Maxim Goryachy, researchers at Positive Technologies, an enterprise security company based in Framingham, Mass., were credited with finding three Intel firmware vulnerabilities -- one in each of Intel ME, SPS and TXE.
"Intel ME is at the heart of a vast number of devices worldwide, which is why we felt it important to assess its security status. It sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB," Goryachy told SearchSecurity. "Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures, such as antivirus."
How dangerous are Intel ME vulnerabilities?
The Intel ME has been a controversial feature because of the highly privileged level of access it has and the fact that it can continue to run even when the system is powered off. Some have even suggested it could be used as a backdoor to any systems running on Intel hardware.
Tod Beardsley, research director at Boston-based Rapid7, said given Intel ME's "uniquely sensitive position on the network," he's happy the security review was done, but he had reservations.
"It is frustrating that it's difficult to impossible to completely disable this particular management application, even in sites where it's entirely unused. The act of disabling it tends to require actually touching a keyboard connected to the affected machine," Beardsley told SearchSecurity. "This doesn't lend itself well to automation, which is a bummer for sites that have hundreds of affected devices whirring away in far-flung data centers. It's also difficult to actually get a hold of firmware to fix these things for many affected IoT [internet of things] devices."
James Maudesenior security engineer, Avecto
James Maude, senior security engineer at Avecto Ltd., an endpoint security software company based in the U.K., said the Intel firmware vulnerabilities highlight the importance of controlling user privileges, because some of the flaws require higher access to exploit.
"From hardware to software, admin accounts with wide-ranging privilege rights present a large attack surface. The fact that these critical security gaps have appeared in hardware that can be found in almost every organization globally demonstrates that all businesses need to bear this in mind," Maude told SearchSecurity. "Controlling privilege isn't difficult to do, but it is key to securing systems. It's time for both enterprises and individual users to realize that they can't rely solely on inbuilt security -- they must also have robust security procedures in place."
However, Beardsley noted all the firmware vulnerabilities across the Intel products require physical access to the machine in order to exploit.
"For the majority of issues that require local access, the best advice is simply not to allow untrusted users physical access to the affected systems," Beardsley said. "This is pretty easy for server farms, but can get trickier for things like point-of-sale systems, kiosks and other computing objects where low-level employees or the public are expected to touch the machines. That said, it's nothing a little epoxy in the USB port can't solve."