Worries over Intel’s Management Engine grow after new flaws found
By John E Dunn, Sophos
November 24, 2017
What is the world’s most widely-used operating system on new PCs?
In all probability, it’s the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that’s built into all recent Intel computers.
Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.
But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.
The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.
This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.
Intel lists four ME vulnerabilities (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.
Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.
Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.
For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.
Users looking for a quick fix shouldn’t hold their breath.