# Intel Management Engine Patched



## moproblems99 (Feb 12, 2020)

https://threatpost.com/intel-patches-high-severity-flaw-in-security-engine/152794/



> The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.


----------



## thesmokingman (Feb 12, 2020)

Damn, so many flaws...


----------



## R-T-B (Feb 12, 2020)

Not a CPU one this time.  Management Engine.  Reminds me again why all management subsystems are a horrible idea...


----------



## Ferrum Master (Feb 12, 2020)

R-T-B said:


> Not a CPU one this time.  Management Engine.  Reminds me again why all management subsystems are a horrible idea...



Agree...

Funny... if you peek into those pure china Huanan x79 board bios... they have an option to hard disable ME.

I wonder why .


----------



## lexluthermiester (Feb 12, 2020)

It's best to simply not install the software and disable the IME hardware.


----------



## Ferrum Master (Feb 12, 2020)

lexluthermiester said:


> It's best to simply not install the software



You can disable it in device manager or not install it will work still, just like any low level module residing into the bridge, like HPET for example. Software speaks to it in low ring level directly.


----------



## Easo (Feb 12, 2020)

R-T-B said:


> Not a CPU one this time.  Management Engine.  Reminds me again why all management subsystems are a horrible idea...



Corporations love those things, it allows a host of nice features. Sure, they could cut it down on consumer models, though.


----------



## R-T-B (Feb 12, 2020)

Easo said:


> Corporations love those things, it allows a host of nice features. Sure, they could cut it down on consumer models, though.



It allows a host of nice remote management features that have proven less reliable/secure than ideal, but yes.  I'd be really wary of using it longterm.


----------



## lexluthermiester (Feb 12, 2020)

Ferrum Master said:


> You can disable it in device manager or not install it will work still


Incorrect. If the drivers are not installed and management software is missing, there is no attack vector as the flaw is in the software, thus the reason Intel recommends updating their software.


Ferrum Master said:


> just like any low level module residing into the bridge, like HPET for example


That's not how it works.


Ferrum Master said:


> Software speaks to it in low ring level directly.


And if the software is missing, the hardware sits and does nothing.


----------



## R-T-B (Feb 12, 2020)

lexluthermiester said:


> Incorrect. If the drivers are not installed and management software is missing, there is no attack vector as the flaw is in the software, thus the reason Intel recommends updating their software.



The flaw is in the ME firmware, not the driver.  They aren't issuing a driver update to correct this.



lexluthermiester said:


> And if the software is missing, the hardware sits and does nothing.



Not really. That's the whole issue with the management engine and similar systems: They operate as long as they haven't been told not to. To date, that is only possible via Intel ME, and only via undocumented methods.

All the drivers do is give you access to services they provide, they don't stop them from working if you don't load them.


----------



## Khonjel (Feb 12, 2020)

I blame U.S. govt. We all can comprehend why CPU makers need to push remote management systems on consumer platform.


----------



## lexluthermiester (Feb 12, 2020)

R-T-B said:


> The flaw is in the ME firmware, not the driver.  They aren't issuing a driver update to correct this.
> 
> 
> 
> ...


Please review;








						INTEL-SA-00307
					

INTEL-SA-00307




					www.intel.com
				



The vectors of attack require local admin access. If no drivers/software are installed, non-admins can not attack the system through this vulnerability, and remote attacks are not possible.


----------



## moproblems99 (Feb 12, 2020)

lexluthermiester said:


> Please review;
> 
> 
> 
> ...



How did you come to that conclusion from your link?


----------



## Drone (Feb 12, 2020)

I remember back in the day it was possible to deblob ME with me_cleaner but on newer systems it's impossible to remove ME firmware.


----------



## R-T-B (Feb 12, 2020)

lexluthermiester said:


> The vectors of attack require local admin access. If no drivers/software are installed, non-admins can not attack the system through this vulnerability, and remote attacks are not possible.



That has nothing to do with where the vulnerability lies (in firmware), or how the base management engine functions, which is what I was talking about.  I was speaking generically and not catering to this one vulnerability.



Drone said:


> I remember back in the day it was possible to deblob ME with me_cleaner but on newer systems it's impossible to remove ME firmware.



It's not, you can still remove the partitions with other tools, but it's really really hard to truly deblob it without tripping the 30 minute hang timer.  You can turn it off with some hackery pretty easily though.



moproblems99 said:


> How did you come to that conclusion from your link?



It says so deep in the docs.  He's right in regards to this one exclusive vulnerability.

Of course again, it comes down to how one defines "locally authenticated."


----------



## moproblems99 (Feb 12, 2020)

R-T-B said:


> It says so deep in the docs. He's right in regards to this one exclusive vulnerability.
> 
> Of course again, it comes down to how one defines "locally authenticated."



I was more referring to your comments about me functionality and the rest of your entire post.  I am rolling on mobile so navigating some things sucks.

It also says right in the docs it is releasing a firmware patch.

I mean I don't see any embedded links to get further into the docs...are they fudging mobile?


----------



## lexluthermiester (Feb 12, 2020)

R-T-B said:


> That has nothing to do with where the vulnerability lies (in firmware), or how the base management engine functions, which is what I was talking about. I was speaking generically and not catering to this one vulnerability.


I was referring to this vulnerability. RTB, we've been over this before. There are no attacks that can render system control through the IME hardware without a software layer component. Such vulnerabilities reside exclusively within Windows as driver sets for other OS platforms either do not exist or are specifically engineered to prevent unauthorized access through the IME hardware. Additionally, such vulnerabilities can only be access by/through Intel network devices hardwired to the chipset. Network chipsets from other vendors are not vulnerable. Network devices not hardwired to the board are also not vulnerable.

All of the vulnerabilities associated with the IME require that each component of the CSME subsystem platform be both present and functional. If any one component is not present(disabled or not installed), not configured property or is restricted by system policies the vulnerabilities can not be exploited.

If you do not install the hardware drivers in Windows, the vulnerabilities are null.
If you disable the hardware in the Windows device manager, the vulnerabilities are null.
If you do not install the Advanced Management software in Windows, the vulnerabilities are null.
If you do not properly configure or provision the AME, the vulnerabilities are null.
If you do not use the provided(built-on) Intel network connection for network/internet access, the vulnerabilities are null.

The reason Intel lists these vulnerabilities has "High Risk" is because a lot business' and companies do use the IME as intended and properly configured. For us end users, the problem isn't as important because most of us don't use/need the IME. Disabling it in the Device manager, not installing the drivers/software effectively guarantees safely for any attack against the IME.


----------



## R-T-B (Feb 12, 2020)

lexluthermiester said:


> There are no attacks that can render system control through the IME hardware without a software layer component.



I think there are some, but they are so old as to be irrelevant.

I as a security researcher, get my head all worked up over the theoretical rather than the here and now.  Comes with the territory.

The thing that bugs me about the Intel Management engine is it can pretty much snoop on anything it wants once compromised, driver or no driver.  The compromise vector at that point becomes largely irrelevant.


----------



## eidairaman1 (Feb 13, 2020)

MEs should only be LAN/Intranet accessible not WAN/Internet.


----------



## lexluthermiester (Feb 13, 2020)

R-T-B said:


> The thing that bugs me about the Intel Management engine is it can pretty much snoop on anything it wants once compromised, driver or no driver. The compromise vector at that point becomes largely irrelevant.


While that is true, the firmware for the IME resides in the BIOS of the host system and can not be re-written without the knowledge and consent of the system user. Additionally, even if exploited, the IME does not have static ram on die, it has dynamic ram and only a small amount of it. Like system ram, once powered off, the contents are gonesville and the exploit is gone with it. Then even if you manage to exploit the IME and install a package in the firmware, outside Windows the IME can only connect to network adapters it is directly wired to, which will always be an Intel LAN chipset. If that network adapter is not in use by the user, the exploit sits doing nothing.


----------



## R-T-B (Feb 13, 2020)

eidairaman1 said:


> MEs should only be LAN/Intranet accessible not WAN/Internet.



They already are.  Thing is that rule doesn't matter when it's repurposed via some malware, as an example.


----------



## DeathtoGnomes (Feb 13, 2020)

The discussion over IME and its vulnerabilities have been going on for over a decade, it was called something like the NSA spyware chip due to the rumored remote back door. If a patch for it makes big news, its likely there was more patched than was noted, like that back door is working again?.


----------



## Ferrum Master (Feb 13, 2020)

If the backdoor really is, then communicating with HW with direct commands altering the needed memory registers to make a magic pattern and when bridge MCU fetches the key it will wake up. It ain't no rocket science. Driver is not needed for sure.

Sad part.

Why a regulator has not steped in here? It is an optional component, system works without it. It has to be opt in. Alaska AMI allows to set up a proper disable/enable option for it.


----------



## biffzinker (Feb 13, 2020)

Ferrum Master said:


> It is an optional component, system works without it.


Intel's ME is required for initialization of the CPU cores before any booting can take place.


----------



## Ferrum Master (Feb 13, 2020)

biffzinker said:


> Intel's ME is required for initialization of the CPU cores before any booting can take place.



Could you show some documentation? It is kinda the info pushed to us to believe. Why cutting out(HEXEDIT) that region in certain board bios allows them to boot anyways? ME is one thing CPU microcode is different. Also how CPU init is done. The ME in the PCH part is marked often as a core, while it is not, it is a module, the part handling the boot process is a different module. 

For example boot process on certain ASUS boards is handled by their proprietary EPU/ROG engine IC, that interferes with the LPC controller(that's the one waking all system up not ME). It is done because of different HW boot training process, especially when doing OC.


----------



## biffzinker (Feb 13, 2020)

Ferrum Master said:


> Could you show some documentation? It is kinda the info pushed to us to believe.


Earlier versions of ME before v6.0 allowed the whole firmware blob to be disabled.

From Libreboot FAQ:


> ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include “ME Ignition” firmware that performs some hardware initialization and power management. If the ME’s boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.











						Libreboot – Frequently Asked Questions
					

Libreboot – Frequently Asked Questions



					libreboot.org


----------



## Ferrum Master (Feb 13, 2020)

biffzinker said:


> Earlier versions of ME before v6.0 allowed the whole firmware blob to be disabled.



Well it doesn't stop the Chinese even to make in house even X99 boards with no ME present at all or with an option to hard disable it. They are reusing plain AMI bios, with bits mostly from Pegatron. Bios itself is a very modular thing and recently quite well explored. So it is ME7, ME8 and ME9. If I haven't held such funny sight in my own hands I wouldn't believe it also, in my case it is ME7.1. But as RTB said... there are plenty of undocumented things regarding this... ahem cancer. I treat it as a risk. Any secret code without an option to look it and compile yourself and compare is a potential hazard. Prove me wrong.

It also basically proves actually ME is not needed. The 30min limit is an artificial limitation set, it is a countermeasure.


----------



## R-T-B (Feb 15, 2020)

DeathtoGnomes said:


> The discussion over IME and its vulnerabilities have been going on for over a decade, it was called something like the NSA spyware chip due to the rumored remote back door. If a patch for it makes big news, its likely there was more patched than was noted, like that back door is working again?.



Trust me you do want me patches.  There never was any evidence for a backdoor either, people have taken that thing apart three ways if not a dozen more by now.



Ferrum Master said:


> If the backdoor really is,



Ain't.



Ferrum Master said:


> there are plenty of undocumented things regarding this... ahem cancer.



Yeah, indeed.  Mostly out of date binaries in an old minix install. 

It's almost comical.


----------



## DeathtoGnomes (Feb 16, 2020)

R-T-B said:


> There never was any evidence for a backdoor either, people have taken that thing apart three ways if not a dozen more by now.


The tinfoil hat conspiracists (is that even a word?) say there is and its still hidden. Just ask China.


----------



## Ferrum Master (Feb 16, 2020)

Well, it is not as a backdoor like it was made for it, it just has some zero day class exploit to gain the same. Backdoor or known bug, same imho. Thinking that it is flawless and does not have bugs is naive. Was it intentional or not, who knows...

Knowing how buggy things really are recently, those fings pop out like mushrooms after rain. Disabling it would be the most mature option.


----------



## SaltyFish (Feb 17, 2020)

DeathtoGnomes said:


> The tinfoil hat conspiracists (is that even a word?) say there is and its still hidden. Just ask China.


Amazingly, this popped up in the news recently. Looks like that tinfoil hat paid off for China (and Russia).









						Swiss machines 'used to spy on governments for decades'
					

Secret control of a Swiss device enabled the US and Germany to collect classified information, reports say.



					www.bbc.co.uk


----------



## lexluthermiester (Feb 17, 2020)

DeathtoGnomes said:


> conspiracists (is that even a word?)


It is.


----------



## R-T-B (Mar 8, 2020)

Ferrum Master said:


> Well, it is not as a backdoor like it was made for it, it just has some zero day class exploit to gain the same. Backdoor or known bug, same imho. Thinking that it is flawless and does not have bugs is naive.



I'll agree with that.  I do find it hard to believe Intel could so comically naive as they try to appear.



SaltyFish said:


> Amazingly, this popped up in the news recently. Looks like that tinfoil hat paid off for China (and Russia).
> 
> 
> 
> ...



Unrelated to ME.

You see, it's not that they aren't out to get you (in this case, they are), it's that literally EVERYTHING is not out to get you.


----------



## ThrashZone (Mar 8, 2020)

Hi,
Key phase seems to be discarded  


> A privileged user,* with local access*, could exploit the flaw to launch an array of attacks, according to Intel.


----------



## lexluthermiester (Mar 9, 2020)

ThrashZone said:


> Hi,
> Key phase seems to be discarded


That is theorized, it has not been tested yet.

Please refer to the first topic starting at 1:56


----------

