A new set of Intel Management Engine vulnerabilities confirmed
According to Intel, the Management Engine subsystem is needed to provide the best possible performance on computers powered by the company's chips; its tasks run during the boot process, while the computer is running, and during its sleep periods. However, various security firms and experts claim that the Intel Management Engine is a serious privacy concern, some going as far as calling it a backdoor. While Intel has always denied the backdoor part, the company has recently confirmed multiple vulnerabilities in the subsystem.
The Intel Management Engine apparently runs Minix 3. Last month, security firm Positive Technologies revealed that a malicious user can gain full remote access to any computer with IME onboard as long as they can access one of the USB ports of those computers. As usually happens in such cases, they did not fully disclose how to carry out such an attack but said enough for everyone to figure out that this is not just a minor security flaw.
Yesterday, Intel released a new security advisory that comes with the following highlights:
- bugs in the Trusted Execution Engine hardware authentication tool
- new vulnerabilities in the Management Engine subsystem
- bugs in the Server Platform Services server management tool
In addition to details on the security flaws found during the audit that Intel carried out following the recent discoveries by third parties like Positive Technologies, the company also published a Detection Tool that Windows and Linux users can use to check whether the new vulnerabilities affect their systems.
These new vulnerabilities can lead to security issues for more than just desktop PC users, since the Intel Management Engine also runs on servers, IoT devices, and notebooks. So far, it seems that only Lenovo has managed to come up with firmware updates to take care of these problems (check this page for updates).