from Hacker News

An in-depth security review of the Intel Management Engine

by marksamman on 11/20/17, 7:11 PM with 185 comments

  • by aeleos on 11/20/17, 8:05 PM

    Wow all 6th, 7th and 8th gen are all vulnerable along with a bunch of Xeon processors. Even the laptop I am typing this on is vulnerable, this is going to be messy. Plus all the fun vulnerabilities like arbitrary code execution, unauthorized access to privileged content. These must be related to the blackhat talk coming up in December about hacking a turned-off computer and running unsigned code on ME [0]. Yep and the two researches doing the talk are the two people credited in this announcement, Mark Ermolov and Maxim Goryachy. Great work by them finding these vulnerabilities and disclosing them, these are the kind of vulnerabilities that the NSA would salivate over.

    I wonder if this will at all dissuade either Intel or AMD into continuing to make these super privileged processors whose functions are completely hidden. The cynic in me thinks that this will change absolutely nothing.

    There is a great website called The Bad Thing [1] that has compiled the known information about Intel ME.

    I just ran the detection tool on my laptop and I am running a vulnerable version of Intel ME, but I can't even do anything about it until my system manufacturer provides a patch for it. I feel like this is going to be one of those situations that ends up leaving millions of devices unpatched and vulnerable a few years down the road.

    [0]: https://www.blackhat.com/eu-17/briefings/schedule/#how-to-ha... [1]: https://www.cs.cmu.edu/~davide/bad_thing.html

  • by jlgaddis on 11/20/17, 8:52 PM

    I prefer the wording in Lenovo's security advisory [0]:

    > "Potential Impact: An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform; resulting in exfiltration of secrets, subtle manipulation of system operation, or denial of service."

    [0]: https://support.lenovo.com/us/en/product_security/len-17297

  • by lifty on 11/20/17, 9:41 PM

    Does anyone have an idea to what extent macbooks are affected? Intel ME is baked in every CPU but according to The Register [0] the AMT part is not running on Apple hardware.

    [0]: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulner...

  • by tpearson-raptor on 11/21/17, 3:42 AM

    Yet another reason owner-controlled machines like the Talos™ II [0] are so important. Yes, it may cost a bit more up front, but what's the cost again of having your data stolen and then, especially with the older machines here, having to replace all of your hardware to boot?

    Plus, purchasing machines like that one not only sends a clear signal that we want backdoor-free computing, but also allows the further development of more libre computing options. Wouldn't you rather have Linux and BSD as first-class citizens on new hardware, instead of always needing to play catch-up from behind?

    [0] https://raptorcs.com/TALOSII/

  • by computator on 11/21/17, 1:39 AM

    Don't rush to apply the Intel ME patch!

    Several HN users here (beefhash, jlgaddis, joe_the_user) have raised the possibility that applying the patch might make it impossible to get rid of the Intel ME entirely.

    If you don't apply the patch, someone may come up with a nice new exploit (using the security bugs) to completely remove the Intel ME.

    If you do apply the patch, it might close off possible exploits and you'll be left with an Intel ME that's impossible to remove.

  • by wonderous on 11/20/17, 9:27 PM

    Anyone able to explain why Intel’s severity rating for this is “important” and not “critical”; meaning of the terms per Intel’s own words:

    “Critical: A vulnerability, which if exploited, would allow remote execution of malicious code without user action.”

    “Important: A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user’s data or processing resources.“

  • by joe_the_user on 11/20/17, 7:43 PM

    So, will Intel be patching both the vulnerabilities and the kludges people have found to remove ME? Thus making some customers safer while maintaining systemic risk for everyone?

    "Asking for a friend"

  • by beefhash on 11/20/17, 7:39 PM

    Good times when kernel privilege escalation was the worst you had to fear.

    I'm not familiar enough with the Intel ME to tell, but could this possibly be exploited with the arbitrary code execution in the ME being used to set the HAP bit without requiring hardware intervention?

  • by jlgaddis on 11/20/17, 9:04 PM

    In my case, their Linux detection tool is less than useless:

      $ sudo ./intel_sa00086.py
  ...
  *** Risk Assessment ***
  Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
  ...
    Thanks, Intel!

    If you have a Lenovo machine, check Lenovo's security advisory [0] to see if it is affected. Intel has the wrong URL in their link.

    Edit: FWIW, the (Linux) tool creates a .log (and .xml) file in the current directory that was slightly more helpful:

      $ tail -n 4 SA-00086-cluefire-2017-11-20-21-09-36.log
  HECI error: No device with MKHI found[2]
  Can't find SPS version in the tool output
  Status: HECI_NOT_INSTALLED
  Tool Stopped
    This workstation doesn't have an "HECI" [1], apparently. It does have SPS, but "spsInfoLinux64" throws an error too:

      Error 9460: Unknown or unsupported hardware platform
    This box has 2 x E5-2620 v4 CPUs so it is reportedly "not affected" but I thought I'd double-check anyways. Oh well, I won't miss out on all the excitement -- I'll still get to have some fun updating my other machines and all of $work's servers in the datacenters. :/

    [0]: https://support.lenovo.com/us/en/product_security/len-17297

    [1]: https://en.wikipedia.org/wiki/Host_Embedded_Controller_Inter...

  • by hoodoof on 11/20/17, 8:39 PM

    I'd have preferred to hear something along the lines of "We'll be stopping implementing this technology in future CPUs"

  • by xwvvvvwx on 11/20/17, 8:28 PM

    Unreal. Kept scrolling and the vulnerabilities kept coming.

    Most annoying thing is that there isn’t even a real alternative. If I understand it right then AMD chips have pretty much the same thing?

  • by stablemap on 11/20/17, 10:59 PM

    Helpful thread from Matthew Garrett at Google:

    https://twitter.com/mjg59/status/932730696614813696

  • by revelation on 11/20/17, 10:22 PM

    It's bad enough Intel have created the ultimate trojan, but their detection tool can't even fix the problem!

    The tool rightly points out that my desktop consumer system is vulnerable (from the list, no Intel CPU manufactured in the last 5 years isn't), then suggests I contact the manufacturer for an update. Here is what the tool says my system manufacturer is:

        Manufacturer: To Be Filled By O.E.M.
    Model: To Be Filled By O.E.M.
    I will get right on that and bug "To Be Filled By O.E.M." for an update! It's an ASRock motherboard, by the way. But with this approach they are not going to patch even 5% of personal computers out there..

  • by Sephr on 11/20/17, 9:14 PM

    They still haven't publicly documented and supported the HAP bit.

    If Intel actually cared about your security they would document that. It says so right in the security advisory that the external researchers are the reason for the security review, and not due to customer concerns.

  • by 0culus on 11/20/17, 11:54 PM

    How does this affect Apple products? I've looked around for discussion of Intel ME with regards to Apple and the silence out there is deafening. [edit] I guess I also want to know is, does Apple provide Intel firmware patches bundled with their own software update?

  • by eecc on 11/20/17, 8:13 PM

    Wow, just imagine what this means to cloud, you get to own not one server of an org... but several orgs at the same time!

  • by k2enemy on 11/20/17, 8:41 PM

    It looks like they specifically label CVEs that require local access as such. Does anyone know if "via unspecified vector" means network access?

  • by cjsuk on 11/20/17, 7:42 PM

    This will be trying to close off the holes used to get at the ME OS I reckon.

  • by fernly on 11/21/17, 3:20 AM

    The detection tool for Linux is a Python 2 script. It contains ~15 print statements. If you change them to print functions, the script works fine on Python 3.

    The Intel dudes could have added "from future import print_function" and made it version-independent.

  • by teolandon on 11/20/17, 8:05 PM

    This time it's only 6th Generation Core processors and up? I thought even the older ones had pretty much the same version of ME installed, which had the previous vulnerability.

  • by En_gr_Student on 11/20/17, 8:46 PM

    So after it is exposed, after 3 generations of products, do they admit it is not a "feature". I can't imagine why they thought this kind of escalation couldn't be cracked by a 3rd party, or how it would bring brand value. This is "clipper" and yes, the hacker can control it. Dangit. Sell-outs.

    I'm just waiting for the ransomware that lives on AME, and is burned to the various dies instead of on hard-drives. Isn't that what this open door means?

  • by fencepost on 11/20/17, 9:08 PM

    The question then becomes which of any of these can be exploited by a non administrator local user or remotely via LAN (which might include the local machine depending on handling of loop back). Personally I can already see a bunch of on site upgrades I'm probably going to have to do for small clients.

    I almost wish it covered 3rd-5th generation, just to help me push some folks to upgrade.

  • by xwvvvvwx on 11/20/17, 10:56 PM

    Could someone explain what Management Engine is actually used for?

    It’s still not really clear to me why it needs to exist at all.

    Serious question.

  • by mysterypie on 11/20/17, 10:49 PM

    When I run the detection tool, I get:

    Based on the analysis performed by this tool: Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

    Does that mean that the Intel ME is disabled, so I don't have to worry about it? I certainly don't want to install anything that might enable the Intel ME if it's already disabled!

    What a quandary. This reminds me of all the information I was asked to give to get a detailed credit report. If I didn't give it, they weren't going to give me the report. If I gave it, they would add to my credit file even if they never had it before.

  • by nly on 11/21/17, 11:25 AM

    So while us technonerds wait and see whether our OEMs will bother to push out firmware updates sometime in the next 6 months, remember that 99% of users will go unpatched anyway because grandma never upgrades her BIOS.

  • by pwdisswordfish2 on 11/20/17, 8:24 PM

    Original title: "Security vulnerabilities discovered in Intel ME"

  • by avocad on 11/21/17, 5:02 PM

    This reminded me of the famous lecture by Ken Thompson, Reflections on Trusting Trust:

    https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...

    Basically you have to trust the compiler because it compiles all code on your system, including itself. Not entirely the same, and I think the Intel trick is more nefarious.

  • by blinkingled on 11/21/17, 3:41 AM

    So does this mean 5th gen and below ones are not vulnerable or Intel just couldn't be bothered to review the ME version on those? Unclear from the article.

  • by dboreham on 11/20/17, 8:54 PM

    Does "attacker with local access to the system" mean "physical access to the system"?? Initially I thought it meant "attacker able to run an unprivileged process on the system" but then I see other wording that seems to imply that case, so does "local access" mean physical access? (e.g. connect a USB drive, boot the box off their own media?)

  • by dboreham on 11/20/17, 8:47 PM

    I don't see any remote exploits here (other than "attacker with remote admin access..."). Is that correct? Presumably an attacker with remote admin access is already all powerful? Or is the concern that they can backdoor the hardware in an undetectable way, remotely?

  • by jacquesm on 11/21/17, 1:25 PM

    So, what's the best ARM based laptop that runs without binary blobs?

  • by geth on 11/24/17, 4:14 PM

    I would be curious to know what the attack scenario is exactly? I assume this is local, not remote, but the article is not very specific. Furthermore, has any kind of PoC been published?

  • by unixhero on 11/21/17, 2:32 AM

    Would you upgrade the firmware or leave it in?

    Who knows what benefits this defect can give you down the line. Maybe it will be possible to take over the entire Management Engine. That would be neat.

  • by locusm on 11/21/17, 1:18 AM

    What was wrong with IPMI for out of band management? What problem was ME actually solving?

  • by polskibus on 11/20/17, 8:24 PM

    Can this vulnerability be used to take over public cloud?

  • by partycoder on 11/20/17, 9:42 PM

    The ME should not even exist. Best way to secure it is to remove it. Problem solved.

    They will of course not let go because it's a backdoor. It's an overprivileged computer within your computer.

  • by trisimix on 11/20/17, 11:36 PM

    Hackings back baby, whose ready for Hackers 2?

  • by vellipylly on 11/21/17, 8:07 AM

    what i don't get is how would the consumer benefit of having these features? it all looks like a nonsense to me and I'd rather live without it. i think it's time to say goodbye to Intel and opt for another vendor.

  • by _pmf_ on 11/21/17, 8:15 AM

    Ah, the smell of a billion dollar class action lawsuit in the morning!

  • by revmoo on 11/20/17, 7:53 PM

    So does this updated firmware remove the backdoor or just re-secure it so it can't be removed?