Intel Patches CPU Bugs Impacting Millions of PCs, Servers

Intel released eight patches for vulnerabilities in remote management software and firmware that could allow local adversaries to elevate privileges, run arbitrary code, crash systems and eavesdrop on communications.

Intel released patches on Monday to protect millions of PCs and servers from vulnerabilities found in its Management Engine, Trusted Execution Engine and Server Platform Services that could allow local attackers to elevate privileges, run arbitrary code, crash systems and eavesdrop on communications.

In a security bulletin (INTEL-SA-00086) posted late Monday, Intel said the patches were in response to external researchers who brought several vulnerabilities to its attention earlier this year. That external vulnerability notification triggered an internal review of Intel’s own Management Engine, Trusted Execution Engine and Server Platform Services.

Affected are millions of devices using Intel processors such as 6th, 7th and 8th Generation Intel Core processors and the chipmaker’s Xeon, Atom, Apollo Lake and Celeron processors, Intel said.

“Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel ME feature, and third party secrets protected by the Intel Management Engine (ME), Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE),” according to the advisory.

Eight CVEs are associated with the vulnerabilities. Those flaws open the door for attackers to impersonate the ME, SPS and TXE and, in so doing, impact “local security feature attestation validity.” Adversaries could load and execute arbitrary code outside the visibility of the user and operating system or cause a system crash or system instability, Intel said.

“The fact that these critical security gaps have appeared in hardware that can be found in almost every organization globally demonstrates that all businesses need to bear this in mind,” said James Maude, senior security engineer at Avecto. “Vulnerabilities like this are especially dangerous as they can allow the attacker to operate above the operating system and bypass all the traditional security measures.”

The ME, SPS and TXE features are each turned on by default, and affected CPUs will need to be patched, according to Intel.

Researchers at Positive Technologies are credited with first identifying three bugs (CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707) in Intel CPUs in October. After the researchers notified Intel of their findings, Intel launched its own review of its CPUs and identified five additional bugs.

“Intel ME is at the heart of a vast number of devices worldwide, which is why we felt it important to assess its security status,” said Maxim Goryachy, one of the Positive Technologies researchers who found the vulnerabilities. “It sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB. Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus.”

Intel identified the vulnerabilities as:

CVE-2017-5705 – Multiple buffer overflows in kernel in Intel ME Firmware allowing an attacker with local access to the system to execute arbitrary code.

CVE-2017-5708 – Multiple privilege escalations in kernel in Intel ME Firmware allowing unauthorized processes to access privileged content via unspecified vector.

CVE-2017-5711 & CVE-2017-5712 – Multiple buffer overflows in Active Management Technology (AMT) in ME Firmware allowing attacker with local access to the system to execute arbitrary code with AMT execution privilege.

CVE-2017-5706 – Multiple buffer overflows in kernel in Intel SPS Firmware 4.0 allow attacker with local access to the system to execute arbitrary code.

CVE-2017-5709 – Multiple privilege escalations in kernel in Intel SPS Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector.

CVE-2017-5707 – Multiple buffer overflows in kernel in Intel TXE Firmware 3.0 allow attacker with local access to the system to execute arbitrary code.

CVE-2017-5710 – Multiple privilege escalations in kernel in Intel TXE Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector.

Concerns over the Intel Management Engine have been ongoing for years. In May, Intel patched a critical vulnerability that dated back nine years in the company’s Active Management Technology, which is based on Intel ME. That vulnerability could allow an attacker to gain remote access to AMT services such as the keyboard, video and mouse (KVM), IDE Redirection, Serial over LAN, and BIOS setup and editing.

In August, Positive Technologies published a report on how the US government can disable ME and the public can’t.

Suspicions over Intel’s implementation of Active Management Technology (AMT) date back to 2012, with some labeling it a “backdoor enabled by default.” In June 2016, researcher Damien Zammit claimed that there was a remotely exploitable security hole in the Intel Management Engine that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs. Intel denied such claims.

“We worked with equipment manufacturers on firmware and software updates addressing these vulnerabilities, and these updates are available now. Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible,” Intel said.

Researchers at Rapid7 said pre-patch mitigations should include segmenting off vital server components — especially the management Ethernet ports for those servers — along with introducing extra network and system activity monitoring.

“There are no real workarounds. The only course of action to protect your organization is to patch. Systems that have no patch available will need to be retired/upgraded,” said Bob Rudis, chief data scientist at Rapid7. He added that Intel has set up a tracking page with vendor information and patches, as provided.

“It is vital that organizations take these vulnerabilities seriously and create patching workflows as soon as possible,” he said.

Positive Technologies said it will be releasing more details of its research next month during a session at Black Hat Europe titled “How to hack a turned-off computer, or running unsigned code in Intel management engine.”
