ME Analyzer v1.70.0 released

ME Analyzer v1.70.0 adds full parsing & unpacking of all Intel CSE ME/TXE/SPS File Systems (MFS/AFS) based on the amazing initial research by @_Dmit. MEA can now show the FS state and log all low-level details. General CSE firmware analysis also improved.

https://github.com/platomav/MEAnalyzer

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html

Intel ME JTAG PoC for INTEL-SA-00086

Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version 3.0.1.1107).[…]

https://github.com/ptresearch/IntelTXE-PoC

 

Intel-SA-00118: Intel Converged Security Management Engine (Intel CSME) 11.x issue

Re: https://firmwaresecurity.com/2018/07/11/intel-releases-a-dozen-new-security-advisories/

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience. As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.[…]

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00118.html

PS: I guess ME is now CSME now?

Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

PT Security: new Intel ME research

https://github.com/ptresearch

https://github.com/ptresearch/IntelME-Crypto/blob/master/Intel%20ME%20Security%20keys%20Genealogy%2C%20Obfuscation%20and%20other%20Magic.pdf

Fruct20: UEFI BIOS and Intel ME attack vectors and vulnerabilities

UEFI BIOS and Intel Management Engine Attack Vectors and Vulnerabilities
Alexander Ogolyuk, Andrey Sheglov, Konstantin Sheglov
Saint Petersburg National Research University of Information Technologies, Mechanics and Optics
St. Petersburg, Russia

We describe principles and implementation details of UEFI BIOS attacks and vulnerabilities, suggesting the possible security enhancement approaches. We describe the hidden Intel Management Engine implementation details and possible consequences of its security possible discredit. Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of “invulnerable” malicious applications. We highlight the base principles and actual state of Management Engine (which is a part of UEFI BIOS firmware) and its attack vectors using reverse engineering techniques.

From conclusion:
* Disable all SMM code (if possible by patching or other methods)
* Disable any external firmware components (PCI boot)
* Disable S3 Bootscript (after sleep mode)
* SMI transaction Monitor extensive usage (to find malicious SMI calls)
* Enable Secure Boot mode
* Enable BIOS password
* Extensive reverse engineering of vendor’s firmware samples to find and report vulnerabilities
* Code reviews (of open sourced UEFI based systems like Tiano-Core)

https://fruct.org/publications/abstract20/files/Ogo.pdf

https://www.fruct.org/publications/abstract20/files/Ogo.pdf

https://www.fruct.org/program20

https://www.fruct.org/sites/default/files/files/conference20/FRUCT20_Program.pdf

ME Analyzer 1.48.0 released

https://github.com/platomav/MEAnalyzer

PTSecurity: how to run code in Intel ME

Thursday, January 18, 2018
How to hack a disabled computer or run code in Intel ME
At the recent Black Hat Europe conference, Positive Technologies researchers Mark Ermolov and Maxim Goryachy spoke about the vulnerability in Intel Management Engine 11 , which opens up access to most of the data and processes on the device. This level of access also means that any attacker exploiting this vulnerability, bypassing traditional software-based protection, will be able to conduct attacks even when the computer is turned off. Today we publish in our blog the details of the study.[…]

http://blog.ptsecurity.ru/2018/01/intel-me.html

https://translate.google.com/translate?hl=en&sl=ru&u=http://blog.ptsecurity.ru/2018/01/intel-me.html

 

ME Analyzer 1.42.0 released

https://github.com/platomav/MEAnalyzer

F-Secure: new Intel AMT security issue

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally. The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”[…]

 

Intel ME at CCC

It appears PTSecurity may have a GUI Debugger for Intel ME??

The “Minix Inside” stickers look great, click on the tweet from frdnd.

Hoping CCC staff does the great job they do ever year and get the videos for these events online quickly! 😉

https://twitter.com/frdnd/status/942984718613610496

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8762.html

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8782.html

PS: Of course, this isn’t all that is happening at CCC. There are multiple other interesting talks, eg:

 

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9111.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9056.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9205.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8725.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9207.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8920.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8950.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9237.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9202.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9195.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8784.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8831.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9159.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9058.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8956.html

 

Intel ME research paper

The Intel Management Engine
This blog post is based on a research paper I wrote for university. Although my work was mainly reading and summarising, I hope this article helps to bring some clarification about the details of the ME. At the bottom, you will also find some sources I used. Please be aware that since I wrote this report until June 2017, a new generation of ME was deployed, the one running the Minix microkernel on a x86 coprocessor. Nevertheless–to understand the development and architecture of the whole concept, it’s good to understand the details up from 2009.[…]

https://bitkeks.eu/blog/2017/12/the-intel-management-engine.html

Pepijn on Apple use of Intel ME

Interesting, Pepijn Bruienne is looking at new Apple firmware, and how it uses Intel ME.