Managing Security Risk in the Face of Intel ME Vulnerabilities
In May 2017, Intel publicly released a critical vulnerability advisory concerning its Active Management Technology (AMT). The initial report detailed a privilege escalation risk tracked as CVE-2017-5689, which Intel patched.
Later in the year, researchers from Russia-based Positive Technologies discovered additional vulnerabilities in the firmware. The duo submitted the information to Black Hat Europe and announced that they plan to share it publicly in a 50-minute briefing on Dec. 6, 2017.
On Nov. 20, 2017, Intel released information on eight additional bugs related to its ME technology, and confirmed that they can affect millions of endpoints and servers worldwide.
The vulnerabilities reported to date affect Intel Management Engine (Intel ME 11.0.0-11.7.0), Intel® Trusted Execution Engine (Intel TXE 3.0) and Intel Server Platform Services (Intel SPS 4.0). To help users determine whether their assets are vulnerable, Intel released the Intel-SA-00086 Detection Tool. The advisory directs users to their system manufacturers for patch updates and support.
Per its own security review, Intel notes that the vulnerabilities it found could affect PCs, servers and IoT platforms.
ME -> MINIX -> AMT, Where Did This Actually Start?
The Intel ME
When did the Intel ME issues become evident? The vulnerabilities at hand are linked with the way Intel chipsets work within other technologies they were embedded into.
Intel chipsets include a Management Engine (ME), which is a hardware-level system within the microprocessor, running in parallel to the endpoint’s actual operating system (OS). In essence, it’s a small computer with its own ecosystem. It runs in the background at all times, and can modify critical elements on the endpoint as long as there’s a power source connected to the endpoint, even if the endpoint itself is switched off.
Although the location of the ME has changed over the years, it is apparently connected to the computer’s Ethernet port as an out-of-band (OOB) interface, communicating over ports 16992-16995.
There is a mini OS and various pieces of software running on the ME, ranging from code to handle media DRM to an implementation of a TPM. The ME also runs software called Active Management Technology.
Quoting Intel’s own product page on AMT: “Intel Active Management Technology (Intel AMT) is a feature of Intel Core™ processors with Intel vPro technology and workstation platforms based on select Intel Xeon processors. Intel AMT uses integrated platform capabilities and popular third-party management and security applications, to allow IT or managed service providers to better discover, repair and help protect their networked computing assets. Intel AMT also saves time with remote maintenance and wireless manageability for your mobile workforce, and secure drive wiping to simplify PC lifecycle transitions.”
Reports indicate that the AMT has been vulnerable to privilege escalation exploitation since 2008. Two related flaws were first reported in May 2017. According to Intel, the vulnerabilities affected chips from Intel’s 2008-released Nehalem architecture and onwards, encompassing all versions between v6 and v11.6. Versions before 6 or after 11.6 are reportedly not impacted.
Per the May 2017 advisory, the first flaw, found on AMT and ISM units, could allow a remote, unprivileged attacker to gain system privileges to provisioned chips. The second flaw could allow a local attacker to gain unprivileged network or local system privileges on chips with AMT, ISM and SBT.
Patching those two issues would require a firmware update, which can be difficult for those managing security risk to navigate. Firmware updates may not be flagged as critical and don’t come automatically like other OS updates. Moreover, many systems no longer receive these updates from the manufacturer, or the firmware is no longer supported, which can lead to an ongoing vulnerability requiring a different mitigation strategy.
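Because firmware updates do not arrive automatically, a first step is to sort an asset inventory against the version ranges quoted in this article. The following is an added example, not code from Intel or IBM: the inventory rows are constructed, the column names and result labels are this example's own, and it assumes the AMT version tracks the reported ME firmware version.

```python
import csv
import io

# Constructed sample inventory; hosts and column names are illustrative.
SAMPLE_INVENTORY = """host,component,version,amt_provisioned
ws-014,ME,11.6.27.3264,yes
ws-201,ME,11.8.50.3425,no
srv-03,SPS,4.0.4.288,no
kiosk-7,TXE,3.0.1.1107,no
ws-099,ME,5.2.0,yes
ws-150,ME,9.1.40,no
ws-300,ME,unknown,no
"""

# Inclusive (major, minor) ranges as stated in the article.
SA_00086 = {"ME": ((11, 0), (11, 7)), "TXE": ((3, 0), (3, 0)), "SPS": ((4, 0), (4, 0))}
AMT_MAY_2017 = ((6, 0), (11, 6))  # assumption: AMT version tracks the ME firmware version

def major_minor(version):
    """Return (major, minor), or None when the string is not a dotted number."""
    parts = version.strip().split(".")
    try:
        return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return None

def triage(inventory_csv):
    """Map each host to a list of labels (the labels are this example's own)."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        component = row["component"].strip().upper()
        mm = major_minor(row["version"])
        findings = []
        if mm is None:
            findings.append("version-unparsed")  # needs a manual check
        else:
            bounds = SA_00086.get(component)
            if bounds and bounds[0] <= mm <= bounds[1]:
                findings.append("SA-00086")
            if component == "ME" and AMT_MAY_2017[0] <= mm <= AMT_MAY_2017[1]:
                # Provisioned AMT is exposed to the remote flaw; otherwise local only.
                remote = row["amt_provisioned"].strip().lower() == "yes"
                findings.append("AMT-2017-05:" + ("remote" if remote else "local"))
        results[row["host"]] = findings
    return results

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(host, ", ".join(findings) or "not in a listed range")
```

Matching on version alone cannot tell whether a manufacturer's patched build is already installed, so flagged hosts should be confirmed with the Intel-SA-00086 Detection Tool and the vendor's advisory.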
Following the vulnerability disclosure in May 2017, the Electronic Frontier Foundation (EFF) has called for Intel to provide a way for users to disable ME. The privacy group cautioned that without a disabling mechanism and greater transparency from Intel, Intel chips might not be safe to use in critical-infrastructure systems.
MINIX in the Mix
Where does the MINIX OS come in? Intel chips that run the AMT software run it on an obscure OS called MINIX. The version on Intel chips is a closed-source variation of the open-source operating system MINIX v3. The latter was created for educational purposes; its creator publicly addressed Intel to explain some of its features and indicated he was not made aware of the eventual use of MINIX in Intel chips.
On Intel chipsets, MINIX is the underlying OS that runs a software stack, which includes networking and a web server. Since this OS is part of the chip, most users may not be aware of this and may not be able to access, update or patch it.
MINIX resides on the hardware and runs on one of the most privileged, barebones levels of the endpoint, on Ring minus 3. It runs on three separate x86 cores on modern chips where it operates:
- TCP/IP networking stacks (on network layers 4 and 6);
- File systems;
- Drivers (disk, net, USB, mouse); and
- Web servers.
Because it is a closed-source project, that MINIX version has remained less familiar. One issue security teams could grapple with is that MINIX on the device risks becoming a Pandora’s box in the hands of malicious actors who may discover latent vulnerabilities over time, further affecting the security of that entire stack.
Is There a Way to Disable the Intel ME?
A question raised in view of these issues is whether it is possible to disable the Intel ME to prevent possible compromise. Some information published in August 2017 points to such a possibility, although the method is very manual and risky.
The researchers that investigated the ME vulnerability discovered a link to a U.S. government program called the HAP – “High Assurance Platform.” HAP is an NSA initiative to define a framework for the development of the next generation of secure computing platforms. These platforms leverage Trusted Computing technologies.
The Positive Technologies researchers understood that the Intel ME firmware code could be disabled on demand in some cases, using a field located in the ME files called reserve_hap. By setting the relevant bit to 1, the ME firmware could be disabled. Intel did confirm that the undocumented HAP mode activation bit is present to support customers participating in the HAP program:
“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the U.S. government’s ‘High Assurance Platform’ program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”
For information about the CVEs linked with the current vulnerabilities and updates on patching, please access the official advisories:
IBM Update: Find Endpoints Impacted by Intel ME Vulnerabilities in Minutes
IBM BigFix has published an update designed to allow clients to quickly discover endpoints exposed to the Intel ME vulnerability. This capability is available now for all current BigFix clients.
With this new feature, BigFix clients can get accurate, real-time vulnerability information about PCs, servers, ATMs and more — regardless of operating system, location or connectivity. Instructions on how to use this capability can be found here.
If you’re not a BigFix client and want to learn more, please go to the BigFix website. Click on the blue “Talk to an expert” button on the upper right edge of the page, and you’ll be connected directly to an agent. You can also call toll free: 1-877-257-5227 (Priority code: Security).
What IBM Resources Can I Access for Other Updates?
To follow updates from IBM Security, please check the following X-Force Exchange collections: