Intel releases firmware update for ME flaw

It’s only September and yet 2018 is well on its way to being remembered as the year of fixing flaws we didn’t realise were possible in hardware we’d never heard of.

This theme kicked off in January with the Meltdown and Spectre CPU cache-timing flaws (and subsequent variants) and continued last week as users found themselves patching another even more obscure low-level system.

This time, the system was Intel’s component-with-many-names, the Management Engine (ME), AKA the Manageability Engine (ME), and the Converged Security and Manageability Engine (CSME).

A flaw was discovered by researchers at Positive Technologies in the security of two of the four cryptographic keys ME uses to store sensitive data. If this story seems a bit familiar, it is: the same organisation found a previous 2017 weakness in the same Intel ME system, that affected all four keys, which itself capitalised on an even older discovery.

If this is starting to sound involved, what matters is the effect: the ability to compromise and generally mess around with files stored by ME, including the key used to secure the default admin password that protects remote access to ME itself.

Identified as CVE-2018-3655, and with updates now released, the issue affects firmware versions: 11.0 through 11.8.50; 11.10 through 11.11.50; 11.20 through 11.21.51; Intel Server Platform Services firmware version 4.0 (on Purley and Bakerville only); and Intel TXE version 3.0 through 3.1.50.

In its advisory, Intel recommends administrators contact their system or motherboard manufacturer to obtain an update that addresses this vulnerability.

Why ME matters

As previously discussed, ME is a sort of computer-within-the-computer living inside every Intel PC of the last decade, which was put there to make remote troubleshooting easier.

It has its own memory, CPU, and Minix Linux OS, and can remain operational even when a PC is turned off, something that may come as a surprise to many, given how few seem to have heard of it.

With the post-Meltdown world newly aware of the potential for hardware to harbour security issues, chip makers find themselves fixing a flurry of security problems in low-level technology that seemed to be fine for years. The chips are down for companies like Intel, so to speak, so it’s encouraging to see this particular fix taking place so quickly.

Intel recommends that users of Intel CSME, Intel Server Platform Service and Intel Trusted Execution Engine (TXE) update to the latest version.