How the Major Intel ME Firmware Flaw Lets Attackers Get ‘God Mode’ on a Machine

How the Major Intel ME Firmware Flaw Lets Attackers Get ‘God Mode’ on a MachineResearchers at Black Hat Europe today revealed how a buffer overflow they discovered in the chip’s firmware can be abused to take control of a machine – even when it’s turned ‘off.’A recently discovered and now patched vulnerability in Intel microprocessors could be used by an attacker to burrow deep inside a machine and control processes and access data – even when a laptop, workstation, or server is powered down.
CyberSecurity Law Introduction 网络安全法宣传视频系列
Researchers who discovered the flaw went public today at Black Hat Europe in London with details of their finding, a stack buffer overflow bug in the Intel Management Engine (ME) 11 system that’s found in most Intel chips shipped since 2015. ME, which contains its own operating system, is a system efficiency feature that runs during startup and while the computer is on or asleep, and handles much of the communications between the processor and external devices.
An attacker would need physical, local access to a victim’s machine to pull off the hack, which would give him or her so-called “god mode” control over the system, according to Positive Technologies security researchers Mark Ermolov and Maxim Goryachy, who found the flaw.
存储有重要数据的电脑设备丢失了,往往人们过度关注设备本身的价值,其实,对于电脑的主人,数据要较设备更有价值,数据的不当外漏可能会给自己带来严重的灾难。
And although Intel issued a security advisory and update for the vulnerability on November 20, Ermolov and Goryachy argue that the fix doesn’t prevent an attacker from using other vulnerabilities for the attack that Intel also patched in the recent ME update, including buffer overflows in the ME kernel (CVE-2017-5705), the Intel Server Platform Services Firmware kernel (CVE-2017-5706), and the Intel Trusted Execution Engine Firmware kernel (CVE-2017-5707).
All the attacker would have to do is convert the machine to a vulnerable version of ME and exploit one of the older vulns in it, they say. Those flaws “have been patched by Intel through its latest firmware release, but if an attacker has write access to the Management Engine region, they can downgrade to an older, vulnerable version of Management Engine and exploit a vulnerability that way,” Goryachy told Dark Reading.
“Unfortunately, it’s not possible to completely defend against this [buffer overflow] flaw” in the Intel ME, he says.
Intel OEMs can mitigate such attacks by turning off the manufacturer mode of the chip, he says. That way, they “make sure that a local vector attack … is not possible,” notes Goryachy.
How the Attack Works

An attacker would need access to the “write” feature in ME, which is part of the SPI-flash chip that contains the firmware for ME and the BIOS, according to the researchers. He or she would then rewrite the flash and run a buffer overflow exploit, which would give him or her access to the ME.
“An attacker will have almost full control at the target machine, with access to memory, USB devices, and the network,” Goryachy  says. “With this, an attacker could decrypt an encrypted hard disk of someone using Microsoft Bitlocker, or access content protected by DRM [Digital Rights Management], or intercept all activity on the PC, such as viewing what’s on the screen, intercepting what’s typed on the keyboard, and accessing data stored on disks.”
It’s up to Intel’s OEMs to issue firmware updates, and Intel in its security advisory last month urged customers to check with their system OEMs for the updates. Enterprises also can use the open-source CHIPSEC utility to check for BIOS configuration errors, Goryachy says, and update to the latest version of the BIOS.
The Intel processors affected by the flaw are: 6th, 7th & 8th Generation Intel Core; Xeon E3-1200 v5 & v6 Product Family; Xeon Scalable Family; Xeon W Family; Atom C3000 Family; Apollo Lake Intel Atom E3900 series; Apollo Lake Intel Pentium; and CeleronG, N and J series.
This is the second major firmware vulnerability issue for Intel this year. In early May, the company disclosed a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010.
“Over the past 12 years, only two vulnerabilities allowing the execution of arbitrary code on Management Engine have been found,” Goryachy says. “The AMT vulnerability only allows an attacker to bypass authentication, while the vulnerability Positive Technologies discovered enables an attacker to obtain ‘god-mode capabilities,’ making this new flaw much worse than the other.” 
Related Content:
6 Personality Profiles of White-Hat Hackers
The Long Tail of the Intel AMT Flaw
Secure Wifi Hijacked by KRACK Vulns in WPA2
7 Hardware & Firmware Hacks Highlighted at Black Hat 2017
积极采用互联网的创新技术会让组织受益无穷,不过,针对任何创新的技术应用,我们都要首先进行风险评估,然后提供消除风险或降低风险的建议和措施,这些措施中,加强安全意识培训最有成效,因为大多数安全问题都和使用者有关。

猜您喜欢

网络信息安全小调
信息安全员工手册《信息安全红宝书》
网络安全法普法宣传 004《网络安全法》的突出亮点
乡村题材公益电影《一家两口》将开机
INFORMACIONYARTE TOP-CONSUMER-INSIDER
《中国互联网定向广告用户信息保护行业框架标准》的影响力前瞻