Tuesday, November 28, 2017

Intel's "Management Engine"

Back in May Erica Portnoy and Peter Eckersley, writing for the EFF's Deep Links blog, summed up the situation in a paragraph:
Since 2008, most of Intel’s chipsets have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. ... there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.
Recent events have pulled back the curtain somewhat and revealed that things are worse than we knew in May. Below the fold, some details.

Concern about the ME goes back further. Sparked by a talk given at the Chaos Computer Conference by [Joanna Rutkowska] of the Qubes OS project, back in January 2016 Brian Benchoff at Hackaday wrote:
Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.
The EFF's post was a reaction to the discovery of a vulnerability in one of the modules that run on the ME, Intel's Active Management Technology (AMT) admin tool. Chris Williams at The Register explains:
Intel provides a remote management toolkit called AMT for its business and enterprise-friendly processors; this software is part of Chipzilla's vPro suite and runs at the firmware level, below and out of sight of Windows, Linux, or whatever operating system you're using. The code runs on Intel's Management Engine, a tiny secret computer within your computer that has full control of the hardware and talks directly to the network port, allowing a device to be remotely controlled regardless of whatever OS and applications are running, or not, above it.

Thus, AMT is designed to allow IT admins to remotely log into the guts of computers so they can reboot a knackered machine, repair and tweak the operating system, install a new OS, access a virtual serial console, or gain full-blown remote desktop access via VNC. It is, essentially, god mode.

Normally, AMT is password protected. This week it emerged this authentication can be bypassed, potentially allowing miscreants to take over systems from afar or once inside a corporate network. This critical security bug was designated CVE-2017-5689. While Intel has patched its code, people have to pester their hardware suppliers for the necessary updates before they can be installed.
The vulnerability was embarrassing:
AMT is accessed over the network via a bog-standard web interface: the service listens on ports 16992 and 16993. Visiting this with a browser brings up a prompt for a password, and this passphrase is sent using standard HTTP Digest authentication: the username and password are hashed using a nonce from the AMT firmware plus a few other bits of metadata. This scrambled response is checked by the AMT software to be valid, and if so, access is granted to the management interface.

But if you send an empty response, the firmware is fooled into thinking this is correct and lets you through.
Intel patched it, but it took a while for the patch to filter through to the system vendors and to get installed on the millions of vulnerable CPUs in the field. Meanwhile, an incredible number of systems were vulnerable to being remotely pwned.

Then, in late September Richard Chirgwin at The Register reported that:
Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake+”.
For those whose vendors haven't pushed a firmware patch for AMT, in August Positive Technologies discovered how to switch off Management Engine.
The company's researchers Mark Ermolov and Maxim Goryachy discovered is that when Intel switched Management Engine to a modified Minix operating system, it introduced a vulnerability in an unspecified subsystem.

Because ME runs independently of the operating system, a victim's got no way to know they were compromised, and infection is “resistant” to an OS re-install and BIOS update, Ermolov and Goryachy say.
More details emerged two weeks ago:
Positive has confirmed that recent revisions of Intel's Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine. ... There have been long-running fears IME is insecure, which is not great as it's built right into the chipset: it's a black box of exploitable bugs, as was confirmed in May when researchers noticed you could administer the Active Management Technology software suite running on the microcontroller with an empty credential string over a network. 
Positive discovered that:
since Skylake, Intel's Platform Controller Hub, which manages external interfaces and communications, has offered USB access to the engine's JTAG interfaces. The new capability is DCI, aka Direct Connect Interface.

Aside from any remote holes found in the engine's firmware code, any attack against IME needs physical access to a machine's USB ports which as we know is really difficult.
Google's Ronald Minich reported that running on the ME was a well-known open source operating system, MINIX:
And it turns out that while Intel talked to MINIX's creator about using it, the tech giant never got around to saying it had put it into recent CPU chipsets it makes.

Which has the permissively licensed software's granddaddy, Professor Andrew S. Tanenbaum, just a bit miffed. As Tanenbaum wrote this week in an open letter to Intel CEO Brian Krzanich:
The only thing that would have been nice is that after the project had been finished and the chip deployed, that someone from Intel would have told me, just as a courtesy, that MINIX was now probably the most widely used operating system in the world on x86 computers. That certainly wasn't required in any way, but I think it would have been polite to give me a heads up, that's all.
Google isn't happy about this:
What’s concerning Google is the complexity of the ME. ... The real focus, though, is what’s in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. ... An OS full of latent capabilities to access hardware is just giving those people more room to be creative. The possibilities of what could happen if attackers figure out how to load their own software onto the ME’s OS are endless. Minnich and his team (and a number of others) are interested in removing ME to limit potential attackers’ capabilities.
And, as one should have expected, once Intel took a look at the problem they found it was much worse than initially reported:
Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.
Google, and anyone running a data center, clearly needs an equivalent of the remote access capabilities AMT provides. For the rest of us, Purism Librem Laptops Completely Disable Intel’s Management Engine
“Disabling the Management Engine, long believed to be impossible, is now possible and available in all current Librem laptops, it is also available as a software update for previously shipped recent Librem laptops.” says Todd Weaver, Founder & CEO of Purism.
Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. Purism, because it runs coreboot and maintains its own BIOS firmware update process has been able to release and ship coreboot that disables the Management Engine from running, directly halting the ME CPU without the ability of recovery.
What does all this mean? It means physical security of "Intel inside" computers is really important, since they are all vulnerable to a really hard to detect version of the "Evil Maid Attack":
"Evil maid" attacks can be anything that is done to a machine via physical access while it is turned off, even though it's encrypted. The name comes from the idea that an attacker could infiltrate or pay off the cleaning staff wherever you're staying to compromise your laptop while you're out.
Since effective physical security for laptops is impossible, this means that any network to which laptops can be connected has to assume that one of them may be infected at a level that cannot be detected by any software running on the CPU, and this infection may be a threat to other machines on the network.
Although I didn't know about the ME issues when I crowdfunded [ORWL], it is a good reason for doing so.


David. said...

More details from Positive Technologies on Intel's ME vulnerability reported by Thomas Claburn at The Register:

"The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.

They claim to have employed a generic technique to bypass the stack canary, a value written to memory to catch overflows via change detection, thereby allowing them to run executable code using Return Oriented Programming."

He also reports on the reaction, including:

"Hardware vendors Dell, Purism, and System76 are now offering gear with Intel's ME disabled. And Google has been working on NERF (Non-Extensible Reduced Firmware), an open source software system based on u-root that replaces UEFI and the Intel ME with a small Linux kernel and initramfs (which mount the root file system)."

David. said...

Intel is probably violating copyright by distributing Minix in the ME reports Fredrick Ohrstrom:

"For recent Intel CPUs, security researchers have shown that the remote management software is probably running its own operating system based on Minix 3 which is released under a Free Software licence. This license, like many other Free Software licenses, require a legal notice to be given to the recipient when the software is distributed. Alas, it seems like Intel has not done so and as a result the distribution of Minix 3 inside the recent Intel CPUs could be copyright infringement."

David. said...

Intel is working to further harden the Management Engine firmware:

"patches to kill off the security holes in the code are gradually being made available to organizations and people to download and install. Unfortunately, though, the ME's reliance on writeable firmware has meant any fixes can be reversed. Thus, it is possible for miscreants to reprogram flash chips on the motherboard to undo any changes.

It's pretty much game over if you can gain enough physical access to a machine to rewrite its solid-state storage, of course. However, it may be possible for Intel to thwart tools – such as me_cleaner – that forcibly neuter the Management Engine in later revisions of its firmware. And it may be impossible to roll back the firmware to a version that can be nuked."


"starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, "will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN."

David. said...

"Cfir Cohen, a security researcher from Google's cloud security team, on Wednesday disclosed a vulnerability in the fTMP of AMD's Platform Security Processor (PSP), which resides on its 64-bit x86 processors and provides administrative functions similar to the Management Engine in Intel chipsets." reports Thomas Claburn for The Register. So AMD's version of the Management Engine has vulnerabilities too.

David. said...

"Security shortcomings in Intel's Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers. ... To sidestep the password prompts, all an attacker needs to do is power up the target machine, and press CTRL+P during boot. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password "admin", as this is most likely unchanged on most corporate laptops." writes John Leyden at The Register.