Detecting the Intel Management Engine (ME) vulnerability

Guilherme Gondim

Source
Phoronix

Researchers have identified security vulnerabilities in the Intel Management Engine (Intel ME) that could potentially impact certain PCs, servers, and IoT platforms.

There is now a Linux-compatible detection tool released by Intel for confirming ME vulnerabilities (also available for MS Windows). If you are affected, this is the typical output of the GNU/Linux command-line tool:

$ sudo python ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Sc
--- Host Computer Information ---
Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
OS Version: debian

--- Intel(R) ME Information --
Engine: Intel(R) Management Engine
Version: 11.0.0.1205
SVN: 1

--- Risk Assessment ---
Based on the analysis performed by this tool: This system is vulnerable.

Explanation:
The detected version of the Intel(R) Management Engine firmware is considered
vulnerable for INTEL-SA-00086. Contact your system manufacturer for support 
and remediation of this system.

For more information refer to the SA-00086 Detection Tool Guide or the Intel
security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
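
When checking many machines, the report above can be parsed rather than read by eye. The following is an added example, not part of Intel's tool or of the original post; the function names are hypothetical, and the "not vulnerable" wording is an assumption, since only the vulnerable verdict appears on this page.

```python
import re

# Constructed sample: the report printed on this page, shortened.
SAMPLE = """\
INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
--- Host Computer Information ---
Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
OS Version: debian
--- Intel(R) ME Information --
Engine: Intel(R) Management Engine
Version: 11.0.0.1205
SVN: 1
--- Risk Assessment ---
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware is considered
vulnerable for INTEL-SA-00086.
"""

SECTION = re.compile(r"^-{2,}\s*(.+?)\s*-{2,}$")  # also accepts the "--" closer seen above
FIELD = re.compile(r"^([^:]+):\s*(.+)$")
VERDICT = re.compile(r"analysis performed by this tool:\s*(.+)$")

def classify(verdict):
    """True/False for a recognised verdict, None when a human must look."""
    if verdict == "This system is vulnerable.":
        return True
    if verdict and "not vulnerable" in verdict.lower():  # assumed wording, not on the page
        return False
    return None

def parse_report(text):
    """Parse the tool's text report into sections, a verdict and a tri-state flag."""
    sections, verdict = {}, None
    current = sections.setdefault("Header", {})
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SECTION.match(line)):
            current = sections.setdefault(m.group(1), {})
        elif (m := VERDICT.search(line)):
            verdict, current = m.group(1).strip(), None  # rest is free text
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    me = sections.get("Intel(R) ME Information", {})
    return {"engine": me.get("Engine"), "version": me.get("Version"),
            "svn": me.get("SVN"), "verdict": verdict,
            "vulnerable": classify(verdict), "sections": sections}

if __name__ == "__main__":
    report = parse_report(SAMPLE)
    print(report["version"], report["vulnerable"])
```

A `vulnerable` value of `None` means the report was missing, truncated or worded differently, so that host should be treated as unverified rather than clean.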

Patching

Check with your system manufacturer for updated firmware. You will find a collection of resources from system/motherboard manufacturers at https://www.intel.com/content/www/us/en/support/articles/000025619/software.html.

If your manufacturer provides only Windows-based tools to address the issue, you may opt for a Windows “to go” installation on a USB drive. You can build one using a tool called Rufus on any Windows (virtual) machine.

Going further…

“Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can’t be ignored.” — Leah Rowe of GNU Libreboot

Intel Management Engine (ME) is a control hub for your machine [1, 2] and it has links with the U.S. National Security Agency (NSA) [3]. You should consider getting rid of it completely. The patches recently distributed by Intel and computer manufacturers only address the known vulnerabilities described in the security advisory INTEL-SA-00086.

Although it is impossible to completely disable ME on modern Intel-based platforms, Positive Technologies security researchers discovered an “undocumented mode that can be used to disable the main Intel ME functionality at an early stage”, and security- and Linux-focused manufacturers such as System76 and Purism are disabling ME on their computers.