In its ongoing exploration of Intel’s Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.
The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes side-channel threat to the main processor.
The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.
In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.
“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” explain Goryachy and Ermolov. “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”
Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn’t available to the public. It’s intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).
In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.
“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.
And because it turns out that device makers may not disable Manufacturing Mode, there’s an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.
At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.