Security Central: The Intel on Intel
Last month, Intel had quite the announcement. The technology giant admitted that most of the CPU chips it has sold in recent years were chock full of security holes due to old software it installed in its Management Engine (ME) feature, which enforces digital rights management (DRM) restrictions. Now, several PC makers are offering to sell PCs with the management engine disabled.
As of a few days ago, these computer vendors–Linux-specific OEMs System76 and Purism and top-tier PC builder Dell–are now offering a way to buy products without Intel ME or have stated they’ll deliver firmware updates that disable the technology completely.
Let’s get down to the dirty details. Intel Management Engine is a technology that is essentially a secret operating system inside the main Intel CPU. The ME component runs separately from the user’s main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and other components.
If an attacker manages to get in there and exploits these flaws, they are granted unlimited power and control over the Intel ME and thereby over the whole computer. The kicker? They can do it completely off the radar, and the OS is none the wiser. Good stuff.
Linux and Windows users are (sort of) in luck – Intel has released a detection tool that can detect if their machine is vulnerable. The company also has a page that provides links to support pages from each vendor, as they confirm vulnerable machines.
Intel has come out and admitted that the following CPUs are vulnerable:
- 6th, 7th, and 8th generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 and v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium Processors
- Intel Celeron G, N, and J series Processors
So what does this mean for VARs still slinging hardware? There are firmware patches available for most of these chips, but there is still the possibility that more security holes will be discovered. That’s why some vendors are ditching Intel ME.
Of course, Intel does not recommend this. “The ME provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management,” sain an Intel spokesperson in a statement. “Since the described configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.”
Alright well… of course you don’t, Intel. But think about it, guys–the idea of precious data floating around on an operating system that’s full of holes probably doesn’t thrill most folks. Just a guess. However, the alternative isn’t awesome either. Since Intel won’t support these configurations, organizations may not want to chance it. It’s a classic case of “damned if you do, damned if you don’t”–which doesn’t really help VARs and MSPs when they’re trying to decide what to recommend to their clients.
“The vulnerabilities recently disclosed by Intel represent some of the most severe threats information technology has faced in years,” says Morey Haber, vice president of technology at BeyondTrust. “These are not due to the severity of the vulnerabilities themselves but the inability to assess and remediate actual assets with these flaws using established IT practices like vulnerability and patch management.”
Haber goes on to say that the flaws themselves are deep within the instruction sets of affected Intel CPUs and management tools, and they are physically limited in how a patch can be applied. Software patches can be applied to the operating system and firmware to reduce the risk, but the flaw can truly only be mitigated by fixing the CPU itself. This may prove near impossible for IoT devices, legacy systems, and other ICS controls using embedded Intel chips too.
“Without a gauge of what to fix, end users can only assume to patch everything,” says Harber. “OS layer patches and firmware is available for Lenovo, Dell, and a few other vendors but do not expect to see fixes for aftermarket products anytime soon.”