The vulnerability presented by researchers from Positive Technologies at Black Hat Europe Dec. 6 detail a nightmare scenario. The CPU flaw allows malware to reside on nearly any recent Intel-based computer manufactured since at least 2015 so that it’s completely undetectable.
That malware has access to everything on the computer or that passes through the computer, regardless of encryption or other protective technologies. Switching off the computer doesn’t get rid of the malware.
Worse, because such malware would have unrestricted access to the communications infrastructure on the compromised computer, you may not even know when the malware is transmitting your most carefully guarded information to the intruders.
Here’s what’s going on.
Deep inside every recent Intel processor is something called the Management Engine. This is a stand-alone single core 32-bit processor that’s embedded within the larger Intel processor chip. The Management Engine runs a version of MINIX, which is a derivation of Unix. That software is embedded within the processor’s firmware and it starts running when the computer starts up and it keeps running as long as there’s power to the processor.
Note that the Management Engine does not shut down when you press the power button. That’s the part of the computer that stays awake so it knows when you want to turn the computer on again or when it needs to perform other functions that may come to it over the attached network. The only way to actually shut down the Management Engine is to physically remove power from the computer, such as by unplugging it.
Such malware can run while the processor is running, and it can siphon off data while the computer is in use and the chances are that would never be detected.
An Intel spokesperson told eWEEK that the Management Engine does not give access to certain hardware assets in an affected computer, such as the graphics card, disk controller or network interface card. The spokesperson also emphasized that any malware that is successfully installed in the Management Engine can be removed if the software is re-flashed.
Intel has published an alert regarding this vulnerability, labeled Intel-SA-00086, and the company has published a tool that you can run on your systems to see if they’re vulnerable. There are versions of Intel-SA-00086 Detection Tool that you can run on your Windows or Linux system to see if your processor is vulnerable.
If the detection tool confirms that your system is vulnerable, there are a couple of things you can do. The first is to contact the manufacturer of your system (or the motherboard if you built the system in-house) for a repair tool that will reflash the firmware on the processor and replace the Management Engine with one that’s not vulnerable.
The second thing is to guard the systems against physical access. All but one of the specific vulnerabilities requires physical access to the computer to insert any malware. The one that allows remote access, identified as CVE-2017-5712, requires administrative credentials and it won’t work if those aren’t available.
However, according to the Positive Technologies researchers, the Intel Management Engine isn’t protected against being downgraded, which means that a bad guy with physical access to the computer can reflash the firmware with an earlier version of the Management Engine and reinstall the malware.
There are other protective actions you can take, however. Perhaps the most important it to monitor your network traffic for anything that might be either data exfiltration or command and control messages. You can do this by checking your firewall for outgoing traffic that seems out of the ordinary, either because of its destination or origin, or because the traffic content raises a flag, perhaps because of the amount of data being sent off-site.
You can also check your computer’s BIOS to see if there are configuration errors that would allow this vulnerability to be exploited. According to Positive Technologies’ Maxim Goryachy, one of the researchers who presented the vulnerability at Black Hat, “People can use the CHIPSEC utility to check for known mistakes of the BIOS configuration and update to the latest version of BIOS.”
Goryachy said in an email to eWEEK that correctly configured firmware that’s properly deployed will reduce the chances of this vulnerability being used. “In terms of how to protect against these threats, the issue gets more complicated since other exploitation vectors with ‘easier’ conditions may be present. Unfortunately, some vendors make mistakes during configuration, which makes the attack we have described easier to conduct.”
Preventing exploitation of the ME vulnerability is difficult, Goryachy says. “Unfortunately, it’s not possible to completely defend against this flaw, but OEMs can make sure that a local vector attack (exploiting a vulnerability from an Operating System running a malicious program and not being present at the computer physically) is not possible by checking rights in the flash descriptor and ensuring that manufacture mode is turned off.” Manufacturing mode is a setting that allows writing to the Management Engine during the manufacturing process to allow for configuration changes.
Many manufacturers have already issued fixes to their systems, and in many cases those fixes have been sent over the internet out to affected machines for installation. When it happened to my Lenovo ThinkPad, the fix showed up as a flash utility, which was applied automatically once I gave it permission. However, you may need to contact your vendor and request the fix.
Once you’ve applied the fix to the Intel vulnerability, it’s important to make sure your BIOS is kept up to date, because the BIOS can prevent the actions required to insert malware into your processor. It’s also a good management practice.
Editor’s Note: This article has been updated with a statement from Intel about what hardware assets are safe from access by malware installed on the Management Engine and how malware can be eliminated from the engine.