The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file. Now the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.
Even when disabled from the BIOS settings, Intel ME is active: the only way to be sure it is disabled is to remove its firmware from the flash chip.” reads the project description.
In short, Intel ME is an irremovable environment with an obscure signed proprietary firmware, with full network and memory access, which poses a serious security threat. The main component of Intel ME is Intel AMT, and I suggest you to read this Wikipedia page for more information about it. “Intel ME is a coprocessor integrated in all post-2006 Intel boards, for which this Libreboot page has an excellent description. The vulnerability affects the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM) and could be exploited by hackers to remotely take over the vulnerable systems.Īn unofficial workaround dubbed ME Cleaner can bypass Intel ME, but it is not able to turn off it.
In May, security experts discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2017-5689, in the remote management features implemented on computers shipped with Intel Chipset in past 9 years. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it. The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals, it is a critical component that handles data exchanged between the processor and peripherals.įor this reason, security experts warned in the past of the risks for Intel Management Engine vulnerabilities.