The vulnerability allowed exploitation of a critical flaw in Intel Management Engine and can still be present in equipment from vendors that use Intel processors.
Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.
Maxim Goryachy notes: "The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of firmware, write a vulnerable version of Intel ME, and exploit it to secretly gain a foothold in the device. Next, it is possible to obtain full control over the computer and spy with no chance of being detected."
Manufacturing Mode
Intel ME has a Manufacturing Mode designed to be used exclusively by motherboard manufacturers. This mode provides additional capabilities that an attacker can take advantage of. The risk posed by this mode and its impact on Intel ME performance have been discussed by many researchers, including Positive Technologies experts (How to Become the Sole Owner of Your PC), but numerous manufacturers still do not disable this mode.

When operating in Manufacturing Mode, Intel ME accepts a specific command after which the ME region becomes writable via the SPI controller built into the motherboard. With the ability to run code on the targeted system and send commands to Intel ME, an attacker can rewrite the Intel ME firmware to another version, including a version vulnerable to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707, and execute arbitrary code on Intel ME even if the system is patched.
This mode is enabled on MacBooks as well. Although the firmware itself is additionally protected from SPI Flash region rewriting attacks (if access to any region is open, the firmware does not allow the OS to load), researchers found an undocumented command that restarts Intel ME without restarting the main system, which allows bypassing this protection. Apple computers are not the only ones that can be attacked this way.
Positive Technologies developed a special utility that checks the status of Manufacturing Mode. You can download it using this link. If the check shows that the mode is on, we recommend asking your computer's manufacturer for instructions on how to turn it off. The utility is designed for systems based on Windows and Linux. Apple users only need to install the above-mentioned update.
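As an added illustration (this is not the Positive Technologies utility and not code from the original post), the Python example below shows how such a status check can work on Linux. It assumes, based on coreboot's ME headers rather than on anything stated in this article, that the ME host interface is PCI device 00:16.0 and that Manufacturing Mode is reported in bit 4 of the HFSTS1 register at config offset 0x40; the register values used in the demo are constructed.

```python
import struct
import sys

# Assumptions (not from the article): the MEI/HECI device sits at PCI 00:16.0,
# HFSTS1 is at config offset 0x40, and Manufacturing Mode is bit 4 of HFSTS1.
MEI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"
HFSTS1_OFFSET = 0x40
MFG_MODE_BIT = 1 << 4
INTEL_VENDOR_ID = 0x8086


def manufacturing_mode(config: bytes) -> str:
    """Classify a raw PCI config-space dump of the MEI device."""
    if len(config) < HFSTS1_OFFSET + 4:
        # Unprivileged sysfs reads return only the first 64 bytes.
        return "unknown: config space truncated (run as root)"
    (vendor,) = struct.unpack_from("<H", config, 0)
    (hfsts1,) = struct.unpack_from("<I", config, HFSTS1_OFFSET)
    if vendor != INTEL_VENDOR_ID or hfsts1 == 0xFFFFFFFF:
        # A hidden or disabled device reads back as all ones.
        return "unknown: MEI device not present or hidden"
    return "enabled" if hfsts1 & MFG_MODE_BIT else "disabled"


def sample_config(hfsts1: int, vendor: int = INTEL_VENDOR_ID) -> bytes:
    """Build a constructed 256-byte config space for offline demonstration."""
    buf = bytearray(256)
    struct.pack_into("<H", buf, 0, vendor)
    struct.pack_into("<I", buf, HFSTS1_OFFSET, hfsts1)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Reads the real device; requires root to see offset 0x40.
        with open(MEI_CONFIG, "rb") as fh:
            print("Manufacturing Mode:", manufacturing_mode(fh.read()))
    else:
        # Constructed register values, not captured from real hardware.
        for value in (0x90000255, 0x90000245):
            print(hex(value), "->", manufacturing_mode(sample_config(value)))
```

A result of "unknown" is not a clean bill of health: some vendors hide the MEI device from the OS, in which case the status has to be confirmed with the manufacturer.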