November 25, 2017 By Limor Kessem 5 min read

In May 2017, Intel publicly released a critical vulnerability advisory concerning its Active Management Technology (AMT). The initial report detailed privilege escalation risk under CVE-2017-5689, which was patched by Intel.

Later in the year, researchers from Russia-based Positive Technologies discovered additional vulnerabilities in the firmware. The duo submitted the information to Black Hat Europe and announced that they plan to share it publicly in a 50-minute briefing on Dec. 6, 2017.

On Nov. 20, 2017, Intel released information on eight additional bugs related to its ME technology, and confirmed that those can affect millions of endpoints and servers worldwide.

The vulnerabilities reported to date affect Intel Management Engine (Intel ME 11.0.0-11.7.0), Intel Trusted Execution Engine (Intel TXE 3.0) and Intel Server Platform Services (Intel SPS 4.0). To help users determine whether their assets are vulnerable, Intel released the Intel-SA-00086 Detection Tool. Via the advisory, users are directed to system manufacturers for patch updates and support.

Per its own security review, Intel notes that the vulnerabilities it found could affect PCs, servers and IoT platforms.

ME -> MINIX -> AMT, Where Did This Actually Start?

The Intel ME

When did the Intel ME issues become evident? The vulnerabilities at hand are linked to the way Intel chipsets interact with the other technologies they are embedded in.

Intel chipsets include a Management Engine (ME), which is a hardware-level system within the microprocessor, running in parallel to the endpoint’s actual operating system (OS). In essence, it’s a small computer with its own ecosystem. It runs in the background at all times, and can modify critical elements on the endpoint as long as there’s a power source connected to the endpoint, even if the endpoint itself is switched off.

Although the location of the ME has changed over the years, it is apparently connected to the computer’s Ethernet port as an out-of-band (OOB) interface, communicating over ports 16992-16995.

There is a mini OS and various pieces of software running on the ME, ranging from code to handle media DRM to an implementation of a TPM. The ME also runs software called Active Management Technology.
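The ports named above are what a defender can actually look for from the network side. The following is an added example, not code from the original article: it reads a constructed, simplified port-scan export in a "host port/proto state" format (an assumption; map it to whatever your scanner emits) and reports which hosts answer on the AMT out-of-band ports 16992-16995. The per-port roles in the table are the documented AMT assignments and are not stated in the article.

```python
"""Flag hosts whose Intel AMT out-of-band ports (TCP 16992-16995) are
reported open in a port-scan export.

Added example for illustration; the export format is an assumed, simplified
"host port/proto state" text, and the hosts below are constructed.
"""

# TCP ports used by the AMT out-of-band interface. The role strings are the
# documented AMT port assignments (an addition here, not from the article).
AMT_PORTS = {
    16992: "AMT web/WS-Management over HTTP",
    16993: "AMT web/WS-Management over HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}

# Constructed scan export: not real hosts, one "host port/proto state" per line.
SCAN_EXPORT = """\
10.0.5.11 22/tcp open
10.0.5.11 16992/tcp open
10.0.5.11 16993/tcp open
10.0.5.12 22/tcp open
10.0.5.12 16992/tcp closed
10.0.5.13 16994/tcp open
10.0.5.13 3389/tcp open
10.0.5.14 443/tcp open
"""


def parse_scan_line(line):
    """Return (host, port, state) for a well-formed TCP line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    host, port_proto, state = parts
    port_str, sep, proto = port_proto.partition("/")
    if not sep or proto != "tcp" or not port_str.isdigit():
        return None
    return host, int(port_str), state.lower()


def find_amt_exposure(export_text):
    """Map each host to the sorted list of AMT ports the scan reports open.

    Hosts with no open AMT port are omitted; malformed lines are skipped.
    """
    exposure = {}
    for raw in export_text.splitlines():
        parsed = parse_scan_line(raw)
        if parsed is None:
            continue
        host, port, state = parsed
        if port in AMT_PORTS and state == "open":
            exposure.setdefault(host, set()).add(port)
    return {host: sorted(ports) for host, ports in exposure.items()}


def describe_exposure(exposure):
    """One human-readable line per exposed host, flagging plaintext channels."""
    lines = []
    for host in sorted(exposure):
        ports = exposure[host]
        roles = ", ".join("%d %s" % (p, AMT_PORTS[p]) for p in ports)
        # 16992 and 16994 carry management traffic without TLS.
        plaintext = any(p in (16992, 16994) for p in ports)
        note = " (plaintext management channel reachable)" if plaintext else ""
        lines.append("%s: %s%s" % (host, roles, note))
    return lines


if __name__ == "__main__":
    for line in describe_exposure(find_amt_exposure(SCAN_EXPORT)):
        print(line)
```

Running the block against the constructed export reports 10.0.5.11 (16992 and 16993 open) and 10.0.5.13 (16994 open); 10.0.5.12 is not listed because its AMT port is closed. A host that answers here is exactly the kind of asset the Intel-SA-00086 Detection Tool and the manufacturer's firmware update should be run against first.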

Intel AMT

Quoting Intel’s own product page on AMT: “Intel Active Management Technology (Intel AMT) is a feature of Intel Core™ processors with Intel vPro technology and workstation platforms based on select Intel Xeon processors. Intel AMT uses integrated platform capabilities and popular third-party management and security applications, to allow IT or managed service providers to better discover, repair and help protect their networked computing assets. Intel AMT also saves time with remote maintenance and wireless manageability for your mobile workforce, and secure drive wiping to simplify PC lifecycle transitions.”

Reports indicate that the AMT has been vulnerable to privilege escalation exploitation since 2008. Two related flaws were first reported in May 2017. According to Intel, the vulnerabilities affected chips from Intel’s 2008-released Nehalem architecture and onwards, encompassing all versions between v6 and v11.6. Versions before 6 or after 11.6 are reportedly not impacted.
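The article gives two sets of affected version ranges: Intel ME 11.0.0-11.7.0, TXE 3.0 and SPS 4.0 from the November Intel-SA-00086 advisory, and AMT v6 through v11.6 from the May 2017 advisory. The block below is an added example, not Intel's or the article's code, showing how to compare dotted firmware versions from an inventory against those published ranges. The inventory records are constructed, and the prefix-inclusive reading of the bounds (so that a build such as 3.0.x counts as "3.0") is an assumption; Intel's Intel-SA-00086 Detection Tool remains the authoritative check.

```python
"""Triage a firmware inventory against the version ranges named in the article.

Added example with constructed records; the range table is transcribed from
the article's text (Intel-SA-00086 and the May 2017 AMT advisory), and bounds
are compared as inclusive prefixes, which is an assumption of this example.
"""

from collections import namedtuple

AffectedRange = namedtuple("AffectedRange", "component low high source")

# Ranges as stated in the article. A short bound such as (3, 0) matches any
# 3.0.x build under the prefix comparison below.
AFFECTED = [
    AffectedRange("ME", (11, 0, 0), (11, 7, 0), "Intel-SA-00086"),
    AffectedRange("TXE", (3, 0), (3, 0), "Intel-SA-00086"),
    AffectedRange("SPS", (4, 0), (4, 0), "Intel-SA-00086"),
    AffectedRange("AMT", (6,), (11, 6), "May 2017 advisory"),
]

# Constructed inventory: (hostname, component, reported firmware version).
INVENTORY = [
    ("ws-0101", "ME", "11.6.27.3264"),
    ("ws-0102", "ME", "11.8.50.3399"),
    ("ws-0103", "AMT", "v9.1.41.3024"),
    ("ws-0104", "AMT", "5.2.10"),
    ("tab-0201", "TXE", "3.0.1.1107"),
    ("srv-0301", "SPS", "4.0.4.113"),
    ("srv-0302", "SPS", "3.1.3.7"),
    ("ws-0105", "ME", "unknown"),
]


def parse_version(text):
    """'v11.6.27.3264' -> (11, 6, 27, 3264). Raises ValueError if not numeric."""
    text = text.strip().lower().lstrip("v")
    return tuple(int(part) for part in text.split("."))


def _prefix(version, length):
    """First `length` components, zero-padded if the version is shorter."""
    return tuple(version[:length]) + (0,) * max(0, length - len(version))


def in_range(version, low, high):
    """Inclusive comparison on the bound's own precision.

    '11.7.0.1050' matches the bound 11.7.0 and '3.0.1.1107' matches the
    single-version bound 3.0, while '11.8.x' falls outside 11.0.0-11.7.0.
    """
    return _prefix(version, len(low)) >= low and _prefix(version, len(high)) <= high


def triage(inventory):
    """Return (affected, needs_review).

    affected maps hostname -> list of (component, version, source) matches;
    needs_review lists hosts whose version string could not be parsed, so
    they are not silently treated as safe.
    """
    affected = {}
    needs_review = []
    for host, component, version_text in inventory:
        try:
            version = parse_version(version_text)
        except ValueError:
            needs_review.append(host)
            continue
        for rng in AFFECTED:
            if rng.component == component and in_range(version, rng.low, rng.high):
                affected.setdefault(host, []).append((component, version_text, rng.source))
    return affected, needs_review


if __name__ == "__main__":
    hits, review = triage(INVENTORY)
    for host in sorted(hits):
        for component, version, source in hits[host]:
            print("%s: %s %s in affected range (%s)" % (host, component, version, source))
    for host in review:
        print("%s: version not parseable, check manually" % host)
```

On the constructed inventory, ws-0101, ws-0103, tab-0201 and srv-0301 are reported as in range, ws-0102 is not (11.8 is above the 11.7.0 bound the article gives) and ws-0105 is listed for manual review rather than dropped. Keeping unparseable entries visible matters in practice: a host whose agent cannot read the ME version is a gap in coverage, not a clean result.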

Per the May 2017 advisory, the first flaw, found on AMT and ISM units, could allow a remote, unprivileged attacker to gain system privileges to provisioned chips. The second flaw could allow a local attacker to gain unprivileged network or local system privileges on chips with AMT, ISM and SBT.

Patching those two issues would require a firmware update, which can be difficult for those managing security risk to navigate. Firmware updates may not be flagged as critical and don’t come automatically like other OS updates. Moreover, many systems no longer receive these updates from the manufacturer, or the firmware is no longer supported, which can lead to an ongoing vulnerability requiring a different mitigation strategy.

Following the vulnerability disclosure in May 2017, the Electronic Frontier Foundation (EFF) called for Intel to provide a way for users to disable the ME. The privacy group cautioned that without a disabling mechanism and greater transparency from Intel, Intel chips might not be safe to use in critical-infrastructure systems.

MINIX in the Mix

Where does the MINIX OS come in? Intel chips that run the AMT software are running it on an obscure OS called MINIX. MINIX is a closed-source variation of the open-source operating system MINIX v3. The latter was created for educational purposes by its official creator who publicly addressed Intel to explain some of its features and indicated he was not made aware of the eventual use of MINIX in Intel chips.

On Intel chipsets, MINIX is the underlying OS that runs a software stack, which includes networking and a web server. Since this OS is part of the chip, most users may not be aware of this and may not be able to access, update or patch it.

MINIX resides on the hardware and runs on one of the most privileged, barebones levels of the endpoint, on Ring minus 3. It runs on three separate x86 cores on modern chips where it operates:

  • TCP/IP networking stacks (on network layers 4 and 6);
  • File systems;
  • Drivers (disk, net, USB, mouse); and
  • Web servers.

Since it’s a closed-source project, that MINIX version has remained less familiar. One of the issues security teams could grapple with is that having MINIX on the device can run the risk of it becoming a Pandora’s box at the hands of malicious actors who may discover latent vulnerabilities over time, further affecting the security of that entire stack.

Is There a Way to Disable the Intel ME?

A question raised in view of these issues is whether it is possible to disable the Intel ME to prevent possible compromise. Some information published in August 2017 points to such a possibility, which is nonetheless very manual and risky.

The researchers that investigated the ME vulnerability discovered a link to a U.S. government program called the HAP – “High Assurance Platform.” HAP is an NSA initiative to define a framework for the development of the next generation of secure computing platforms. These platforms leverage Trusted Computing technologies.

The Positive Technologies researchers understood that the Intel ME firmware code could be disabled on demand in some cases, using a field located in the ME files called reserve_hap. By setting the relevant bit to 1, the ME firmware could be disabled. Intel did confirm that the undocumented HAP mode activation bit is present to support customers participating in the HAP program:

“In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the U.S. government’s ‘High Assurance Platform’ program. These modifications underwent a limited validation cycle and are not an officially supported configuration.”

Official Advisories

For information about the CVEs linked with the current vulnerabilities and updates on patching, please access the official advisories:

IBM Update: Find Endpoints Impacted by Intel ME Vulnerabilities in Minutes

IBM BigFix has published an update designed to allow clients to quickly discover endpoints exposed to the Intel ME vulnerability. This capability is available now for all current BigFix clients.

With this new feature, BigFix clients can get accurate, real-time vulnerability information about PCs, servers, ATMs and more, regardless of operating system, location or connectivity. Instructions on how to use this capability can be found here.

If you’re not a BigFix client and want to learn more, please go to the BigFix website. Click on the blue “Talk to an expert” button on the upper right edge of the page, and you’ll be connected directly to an agent. You can also call toll free: 1-877-257-5227 (Priority code: Security).

What IBM Resources Can I Access for Other Updates?

To follow updates from IBM Security, please check the following X-Force Exchange collections:

