SoylentNews is people
SoylentNews
It's time to update your Management Engine:
Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.
The company has posted a detection tool on its support website for Windows and Linux to help identify systems that are vulnerable. In the security alert, members of Intel's security team stated that "in response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience."
Intel® Management Engine Critical Firmware Update (Intel SA-00086)
U.S. government warns about cyber bug in Intel chips
The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.
The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as 'Management Engine' that shipped with eight types of processors used in business computers sold by Dell Technologies, Lenovo, HP Inc, Hewlett Packard Enterprise and other manufacturers."
Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.
"These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years," said Jay Little, a security engineer with cyber consulting firm Trail of Bits.
The official warning is here. Good luck to everybody! Good luck.
(Score: 5, Insightful) by Anonymous Coward on Thursday November 23 2017, @02:18PM (7 children)
You have an opportunity here to actually neuter the ME in your system such that it is no longer a freedom destroying hardware rootkit. You just have to wait until someone produces a "ME Neuter" project that uses one of these security holes to neuter the damn thing.
But if you do the BIOS upgrade, to patch the ME rootkit, all that will happen is that you'll seal the holes you otherwise could use to neuter the thing, leaving you with an active hardware rootkit remaining in your system.
(Score: 2, Interesting) by Anonymous Coward on Thursday November 23 2017, @02:34PM (2 children)
If that happened you could just load the older image because the ME doesn't have any anti-rollback misfeature as far as I know.
(Score: 4, Funny) by Geotti on Thursday November 23 2017, @03:29PM
Shhhhsh, top giving them ideas!
(Score: 1, Interesting) by Anonymous Coward on Friday November 24 2017, @10:29AM
Hmm, Intel ME, as well as the processor microcode since Skylake *DOES* have anti-rollback logic built-in. It is based on SVNs (security version numbers), there are at least two on the microcode, and two on SGX+AMT+ME.
For the processor microcode, it just disables SGX and other DRM crapware (like Intel TXT) if you rollback (and this is documented). However, this is not as simple as it sounds: it *can* render your box unbootable if you're using BIOS secure mode, until you force-update its FLASH back to the up-to-date microcode.
The microcode can refuse to be downgraded while running. This has always been true, but it has been documented as being actively done only since Skylake (and it depends on internal SVNs, so it might not refuse some downgrades, while refusing others that would cross a SVN boundary). The OS will refuse to do it, though, so people almost never do this anyway (instead, they mod the BIOS).
For the Intel ME, $deity knows what would happen, likely it will reboot the box after 30 minutes if it *really* objects to the downgrade. Hopefully, it just hoses TXT and SGX, but I would not bet on that.
This is done by persisting the SVNs (security version numbers) in the system TPM store, which makes it an utter pain to undo (think: moterboard chipset replacement) -- it is easier to flash whatever up-to-date firmware it wants (might require an SPI flasher if the motherboard refuses to boot). And yes, all of this is documented.
(Score: 0) by Anonymous Coward on Thursday November 23 2017, @05:11PM (3 children)
It's already been produced: https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/ [puri.sm]
(Score: 0) by Anonymous Coward on Thursday November 23 2017, @06:27PM (2 children)
Sortof. The "disable" method used by purism still involves loading and executing proprietary firmware, supplied by Intel, on the ME.
This should be an improvement compared to not disabling it, but still isn't a full solution.
(Score: 2) by frojack on Thursday November 23 2017, @10:11PM (1 child)
Exactly. You still have to load something, and that something has to be signed by intel.
The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor.
No, you are mistaken. I've always had this sig.
(Score: 1, Interesting) by Anonymous Coward on Friday November 24 2017, @04:48AM
This is actually not true. The system will work perfectly fine without any ME firmware loaded ...
... the only problem is, that the ME will reset the processor after 30 minutes if it does not get any firmware.