Security researchers have discovered severe bugs in Intel's remote administration feature called Management Engine that could give hackers "insidious" control over millions of PCs, servers and processor platforms. The chip-making giant issued a security alert listing several vulnerabilities in ME, the remote server management tool Server Platform Services and its hardware authentication tool Trusted Execution Engine.
The processors at risk include 6th, 7th and 8th generation Intel Core processors as well as multiple Xeon, Atom and Celeron products.
Intel said it found the vulnerabilities after conducting an in-depth security audit prompted by external researchers. It also released a Detection Tool for Windows and Linux administrators to check whether their systems are vulnerable.
Mark Ermolov and Maxim Goryachy of Positive Technologies first uncovered the critical vulnerability in the ME firmware that Intel says would have allowed an attacker with local access to covertly execute arbitrary code, gain access to privileged system information and potentially compromise millions of computers.
The researchers will present more details on their findings at the upcoming Black Hat conference in December.
"Intel ME is at the heart of a vast number of devices worldwide, which is why we felt it important to assess its security status," Goryachy told Threatpost. "It sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB. Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus."
If exploited, the vulnerabilities could also cause instability or system crashes.
Bob Rudis, chief data scientist at cybersecurity firm Rapid7, said the "insidious" vulnerabilities could bypass key security features that are supposed to run as a system boots up.
"It gives someone virtually complete control over events," Rudis told The Hill. "The computer wouldn't even have to be on to use it, just plugged in."
Nearly every recent Intel chip is impacted by the ME vulnerability, affecting millions of PCs, servers and IoT devices across the globe.
"We worked with equipment manufacturers on firmware and software updates addressing these vulnerabilities, and these updates are available now," Intel said in a statement. "Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible."
Although Intel can address the issue by providing updates to manufacturers, individual equipment manufacturers and vendors will have to release their own updates for their customers. This means the issue will be patched at different times, depending on the system and manufacturer.
According to Intel's list of different manufacturers' firmware updates, only Lenovo has offered one so far.
The Department of Homeland Security has also issued an advisory urging computer makers to review the warning from Intel and roll out software updates and advice to mitigate the threat.
The vulnerabilities affect the following Intel products:
- 6th, 7th & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium
- Celeron N and J series Processors
Dell has issued a statement listing more than 100 affected systems, including various Inspiron, Alienware, Latitude, Vostro, Precision and OptiPlex systems. The company said the roll-out dates for new firmware are still to be determined.
HP has posted patches to its website, while Lenovo has also released its own advisory, saying new firmware is expected to be available by 23 November.