We have studied Intel ME over the last years, and here is what we have found about this mysterious subsystem so far.
Vulnerabilities in ME allow compromising even a turned-off computer
At the end of 2017, Positive Technologies experts Mark Ermolov and Maxim Goryachy spoke at Black Hat Europe about a vulnerability in Intel Management Engine 11, which allows intruders to access most of the data and processes on a device. You will find a detailed description of the problem in our article.
The vulnerability in Intel ME allowed executing arbitrary code. This threatens many technologies, including Intel Protected Audio Video Path (PAVP), Intel Platform Trust Technology (PTT or fTPM), Intel Boot Guard, and Intel Software Guard Extensions (SGX).
To intercept data in ME, JTAG debugging mechanism can be used
By exploiting the bug in the bup module, the experts managed to turn on the PCH red unlock mechanism, which opens full access to all PCH devices in order to use them via DFx chain—in other words, using JTAG. ME kernel is precisely one of such devices. The experts could then debug the code executed on ME, read memory of all the processes and the kernel, and also manage all the devices inside the PCH. They found out that there are about 50 internal devices in modern computers to which only ME has full access, while the main processor has access only to a very limited subset of them.
Full access also means that any intruder exploiting this vulnerability can bypass the traditional software protection and conduct attacks even when the computer is turned off.
JTAG can be activated in the mobile version of ME
Intel TXE is the mobile version of ME. Vulnerability INTEL-SA-00086 allows activating JTAG for the subsystem kernel. Positive Technologies experts developed JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. This utility can be used to activate JTAG for Intel TXE.
The subsystem can be disabled in undocumented mode
Positive Technologies experts Maxim Goryachy and Mark Ermolov delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. Although it is impossible to entirely disable ME on modern computers, hackers can still compromise devices in an undocumented mode called High Assurance Platform (HAP). The experts discovered a special HAP bit, which after being installed allows disabling Intel ME at an early stage of booting.
The name High Assurance Platform belongs to a trusted platform program linked to the U.S. National Security Agency (NSA). Presentation with program description is available online. This mechanism was presumably introduced by the U.S. government agencies striving to reduce the likelihood of side-channel data leaks.
ME security flaws threatening MacBook
This June, Apple released updates that eliminated the CVE-2018-4251 vulnerability. The vulnerability was in the Manufacturing Mode component—a service mode for configuring, setting, and testing an end platform at the production stage. This mode allows setting critical platform parameters that are stored in the one-time programmable memory (FUSES). The mode must be disabled before the device is put on sale and purchased by a user.
Neither the mode nor its potential risks are described in Intel public documentation. An ordinary user cannot disable the mode, as the relevant management utility is not officially available.
The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of firmware, write a vulnerable version of Intel ME, and exploit it to secretly gain a foothold in the device. Next, it is possible to obtain full control over the computer and spy with no chance of being detected.
Vulnerable Intel chipsets are used all over the world, from home and work laptops to enterprise servers. The update previously released by Intel does not prevent exploitation of vulnerabilities CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707, because with write access to ME region, an attacker can write a vulnerable version of МЕ and exploit a vulnerability in it.
Intel patches the same bugs in ME twice
In early July, Intel issued two security advisories (SA-00112 and SA-00118) regarding fixes for firmware vulnerabilities in Intel Management Engine. Both advisories describe vulnerabilities with which an attacker could execute arbitrary code on the Minute IA PCH microcontroller.
The vulnerabilities are similar to ones previously discovered by Positive Technologies security experts in November 2017 (SA-00086). But that was not the end of the story, as Intel later released new fixes for ME vulnerabilities.
CVE-2018-3627, the vulnerability at issue in advisory SA-00118, is described as a logic bug (not a buffer overflow) that may allow execution of arbitrary code. An attacker needs local access to exploit this vulnerability, whereas the vulnerability described in advisory SA-00086 is locally exploitable only in case of OEM configuration errors. This makes this vulnerability more dangerous.
Things are even worse with CVE-2018-3628, which is described in advisory SA-00112. This vulnerability enables remote code execution in the AMT process of the Management Engine firmware. Moreover, all signs indicate that—unlike CVE-2017-5712 in advisory SA-00086—attackers do not need an AMT administrator account.
Intel characterizes the vulnerability as "Buffer overflow in HTTP handler," which suggests the possibility of remote code execution without authorization. This is precisely the nightmare for all Intel users.
How to disclose Intel ME encryption keys
However, this was not the end of Intel ME adventures. In autumn, the company had to fix another bug in the subsystem, which led to the disclosure of Intel ME encryption keys. The vulnerability was detected by Positive Technologies experts Dmitry Sklyarov and Maxim Goryachy.
Intel ME (Management Engine) stores data with the help of MFS (which likely stands for "ME File System"). MFS security mechanisms make heavy use of cryptographic keys. Confidentiality keys are used to keep the MFS data secret, while Integrity keys allow controlling the integrity. MFS data are divided into two categories according to sensitivity. They are protected by different key sets. The most sensitive data are protected by Intel Keys, with Non-Intel Keys being used for everything else. Thus, four keys are used—that is, Intel Integrity Key, Non-Intel Integrity Key, Intel Confidentiality Key, and Non-Intel Confidentiality Key.
By exploiting the vulnerability discovered by Mark Ermolov and Maxim Goryachy, attackers can obtain all the four keys and fully compromise MFS protection mechanisms. Intel later issued an update eliminating this vulnerability. By increasing the SVN (Security Version Number), Intel updated all keys to make MFS security work as intended. It should now have been impossible to obtain the MFS keys for updated ME firmware versions (those with the new SVN value).
But in 2018, Positive Technologies experts discovered vulnerability CVE-2018-3655, described in advisory Intel-SA-00125. They found that Non-Intel Keys are derived from two values: the SVN and the immutable non-Intel root secret, which is unique to each platform. By using the earlier vulnerability to enable the JTAG debugger, it is possible to obtain the second value. Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version.
Attackers can calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value, and therefore compromise the MFS security mechanisms that rely on these keys.
We recently published a detailed description of the CVE-2018-4251 vulnerability in MacBook. Mark Ermolov and Maxim Goryachy will speak at HiTB conference on how attackers can exploit the vulnerability. They will alsol discuss protection mechanisms, such as a special utility developed by our experts.