Intel has released firmware updates for many of its processors to fix eight high-risk flaws that can put systems at risk of complete compromise.
The flaws are located in low-level technologies found in the Intel Management Engine (ME), the Intel Trusted Execution Engine (TXE) and the Intel Server Platform Services (SPS). By exploiting the vulnerabilities, attackers can install persistent rootkits that run outside of, and invisibly to, the main operating system, or can cause systems to crash.
The privilege escalation flaws impact PCs, servers and even IoT platforms because the affected subsystems are found in several generations of CPUs. According to the Intel advisory, the affected processor families are: the 6th, 7th and 8th Generation Intel Core Processor Family, the Intel Xeon Processor E3-1200 v5 & v6 Product Family, the Intel Xeon Processor Scalable Family, the Intel Xeon Processor W Family, the Intel Atom C3000 Processor Family, the Apollo Lake Intel Atom Processor E3900 series, the Apollo Lake Intel Pentium and the Celeron N and J series processors.
The flaws range from 6.7 (moderate) to 8.2 (high) on the CVSS severity scale, but those affecting Intel ME are particularly dangerous because this subsystem runs its own small operating system on an embedded processor, completely independent of the main OS. Intel ME has sometimes been described as a backdoor because it is invisible to the user and sits below the main OS with access to the system's memory and hardware.
“AMT/ME are powerful components, enabling remote administration, remote display viewing/scraping, injecting human interface device (HID) events, disabling the secure boot configuration and a host of other operations that do not require the main operating system to be running or even the main system to be powered on (just plugged in),” researchers from security firm Rapid7 said in an analysis of the flaws.
The problem is that the firmware updates released by Intel are not directly available for download to users from the company’s website. Rather, they must be obtained from OEMs, which means that users now have to wait for their computer or server manufacturers to release the patches.
Intel did release a tool for Windows and Linux that can help users determine if their systems are affected by any of the eight flaws. The company also maintains a support article with links to vendors that have released firmware updates; so far, the page lists only Dell and Lenovo.
The flaws are not trivial to exploit, and most of them require local system access, according to Rapid7. However, in some cases the flaws can be exploited over the network by abusing the remote administration functionality of the affected subsystems, especially where the management Ethernet ports are directly exposed to untrusted network segments.
“Once attackers develop repeatable exploits, they will be able to (fairly easily) elevate privileges, run arbitrary code in a powerful context, crash your systems, eavesdrop on communications and call into question the integrity of virtually every bit of data or computation that is handled by a system that still has these vulnerabilities in place,” the Rapid7 researchers warned.
Because the number of enterprise laptops and servers affected by these flaws is most likely in the millions, and because Intel ME cannot be disabled on affected systems, dealing with the flaws will prove problematic for many companies, especially large enterprises.
According to Rapid7, the action plan should include: using network scanners to build an inventory of systems across all network segments, running the Intel utility on those systems and building a database of affected machines, isolating the remote management ports on a dedicated management network that is reachable only over VPN with multi-factor authentication, monitoring when vendors release firmware updates, and creating a patch deployment plan with scheduled system reboots. Finally, updated systems should be tested again to confirm that the patches were deployed successfully.
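The inventory and triage steps of that plan can be scripted. The following is example code written for this article, not Intel's detection utility or Rapid7's tooling: it probes a host's plaintext AMT port, parses the banner the AMT web server returns, and maps each inventoried host to the action the plan calls for. The AMT port list is standard; the Server-header wording the regex expects, the inventory record schema, the management network range and the sample reply are assumptions constructed for the example.

```python
"""Inventory and triage helpers for Intel ME/AMT exposure.

Example code written for this article, not Intel's detection utility
or Rapid7's tooling. The host records, management network range and
the sample HTTP reply below are constructed for the example.
"""
import ipaddress
import re
import socket
from typing import Optional

# TCP ports on which Intel AMT exposes remote-management listeners:
# 16992/16993 web UI and WS-Management (HTTP/HTTPS), 16994/16995 SOL and
# IDE-R redirection, 623/664 legacy ASF/RMCP. Scan these on every segment.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)

# Assumption: the AMT web server names itself in the HTTP Server header as
# "Intel(R) Active Management Technology <version>". The exact wording varies
# between ME generations, so treat a non-match as "unknown", not "clean".
_AMT_SERVER_RE = re.compile(
    rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE)
_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample of an AMT reply (the realm value is made up).
SAMPLE_AMT_REPLY = (b"HTTP/1.1 401 Unauthorized\r\n"
                    b"Server: Intel(R) Active Management Technology 11.0.0.1205\r\n"
                    b"WWW-Authenticate: Digest realm=\"Digest:0000000000000000\"\r\n"
                    b"Content-Length: 0\r\n\r\n")


def parse_amt_banner(raw: bytes) -> Optional[dict]:
    """Return {'product', 'version'} if raw is an HTTP reply from AMT, else None."""
    m = _AMT_SERVER_RE.search(raw)
    if not m:
        return None
    product = m.group(1).decode("ascii", "replace").strip()
    v = _VERSION_RE.search(product)
    return {"product": product, "version": v.group(0) if v else None}


def probe_amt(host: str, port: int = 16992, timeout: float = 2.0) -> Optional[dict]:
    """Fetch the banner from the plaintext AMT port. For 16993 wrap the socket
    with an ssl.SSLContext first; the parsing is the same. Returns None when
    the port is closed or the reply does not look like AMT."""
    request = (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode()
    buf = bytearray()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            while len(buf) < 65536:          # bound the read; AMT replies are small
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return None
    return parse_amt_banner(bytes(buf))


def triage(record: dict, mgmt_nets) -> tuple:
    """Map one inventory record to the actions from the plan above.

    record (constructed schema): ip, affected (verdict of Intel's detection
    utility), amt (parse_amt_banner result or None), vendor_update (bool).
    """
    if not record["affected"]:
        return ("none",)
    actions = []
    ip = ipaddress.ip_address(record["ip"])
    # A reachable AMT listener outside the management network must be
    # segmented off before anything else.
    if record["amt"] and not any(ip in net for net in mgmt_nets):
        actions.append("isolate")
    if record["vendor_update"]:
        actions += ["patch", "reboot", "verify"]   # verify = re-run the detection tool
    else:
        actions += ["monitor", "replace"]          # no fix available: budget for new kit
    return tuple(actions)


MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]  # constructed management segment

if __name__ == "__main__":
    inventory = [  # constructed records, not real hosts
        {"ip": "10.1.4.17", "affected": True, "amt": parse_amt_banner(SAMPLE_AMT_REPLY), "vendor_update": True},
        {"ip": "10.250.0.9", "affected": True, "amt": parse_amt_banner(SAMPLE_AMT_REPLY), "vendor_update": False},
        {"ip": "10.1.4.30", "affected": False, "amt": None, "vendor_update": True},
    ]
    for rec in inventory:
        version = rec["amt"]["version"] if rec["amt"] else "-"
        print(rec["ip"], version, triage(rec, MGMT_NETS))
```

In practice the `affected` field comes from running Intel's detection utility on each host and the `amt` field from `probe_amt` run from a scanner on every segment; a host whose management listener answers from outside `MGMT_NETS` is the case the plan says to segment off first, before waiting on OEM firmware.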
“If you have kit you can’t patch, you need to budget for new kit and allocate project time for new deployments,” the Rapid7 researchers said. “You cannot let systems on your network with these weaknesses in place. If you must, you need to monitor them more closely and segment them off as much as possible.”
It is only a matter of time before exploits for these flaws appear in the wild, so patching affected systems cannot be postponed for months, the researchers said. “You need to start operations planning now. Literally, today.”