Intel Patches Major Flaws in the Intel Management Engine
Intel has acknowledged and patched a new suite of security bugs affecting its Intel Management Engine. This subsystem controls many low-level capabilities of the SoC, and can be used for features like remote access and Intel's Trusted Execution Engine. The company has released a list of 10 vulnerabilities across multiple products that are addressed by recent firmware updates. Potentially affected systems include:
- 6th, 7th & 8th Generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel® Atom® C3000 Processor Family
- Apollo Lake Intel® Atom Processor E3900 series
- Apollo Lake Intel® Pentium™
- Celeron™ N and J series Processors
That's Intel's entire product line dating back to the introduction of Skylake. According to Intel, attackers could impersonate the Intel Management Engine, Server Platform Services, and/or the Trusted Execution Engine, load and execute arbitrary code without the user or OS being aware of it, and destabilize or crash a system altogether.
Intel's admission of multiple vulnerabilities is likely to raise eyebrows, given the company's previous conduct regarding IME. Intel goes to great lengths to hide exactly how IME works and there's no way for the main x86 chip to even snoop on what the IME is doing (the IME has previously run on an embedded 32-bit Argonaut RISC core, though it's not clear if this is still the case). This means there's effectively a second operating system running on every single Intel processor, and there's no way for the user to control it or shut it off (disabling the IME on a motherboard with IME enabled will result in a non-booting system until the capability is re-enabled). While a research team did find a way to turn the function off by setting a single bit, they note that actually doing so could permanently brick a system. Also, it doesn't work until the system has actually booted and the main CPU has started. As of this writing, Intel has not offered a safe, reliable method for anyone to disable the Intel Management Engine.
We've actually been finding out more about the IME in the past year than in the last half-decade. A Google software engineer recently confirmed that the system runs the MINIX 3 operating system. Google has reportedly been trying to replace proprietary firmware in its own servers, and the Intel IME has been a stumbling block to that process. Intel has released a detection tool so you can check to see if your system is affected by these issues. Updates will have to be issued by firmware vendors, however, so even if your system is impacted it may not receive a fix in the near future.
Source: https://www.extremetech.com/computing/259426-intel-patches-major-flaws-intel-management-engine
Posted by: humphreyhunty1956.blogspot.com