
Intel Management Engine (ME) imposes a security risk (see here for example). As I understand it, ME is a part of Intel vPro. Does having an Intel CPU without vPro support mean ME is not fully functional and hence less vulnerable? I've seen multiple (non-authoritative, not linking here) claims on the Internet that all recent Intel CPUs have ME enabled. I'm confused about what having no vPro support actually means regarding ME and related security issues.

raindev
1 Answer


Intel vPro is not a single thing, but is actually a group of several Intel technologies working together to provide a certain set of services. The Intel vPro reference guide lists those technologies (emphasis is mine):

Intel vPro technology is a collection of platform capabilities that support enhanced manageability, security, virtualization, and power efficiency. The key platform capabilities include the following Intel technologies:

  • Intel Turbo Boost Technology for increased performance and power efficiency
  • Intel Virtualization Technology (Intel VT) for Dynamic Virtual Client support and other operating system or application streaming techniques using virtualization
  • Intel Hyper-Threading Technology (Intel HT) for higher performance
  • Intel Active Management Technology (Intel AMT) for greater manageability
  • Intel Anti-Theft Technology (Intel AT) for greater security
  • Intel Trusted Execution Technology (Intel TXT) for greater security
  • Intel Identity Protection Technology (Intel IPT) for enhanced web security

Among these various technologies is the Intel Active Management Technology, which allows system administrators to remotely manage company computers independently of their location and their state: even computers turned off or computers where the operating system fails to boot can still be managed using this technology.

What happened is that a security researcher found a vulnerability allowing a remote, unprivileged user to take control of this management feature.

As stated in Intel's Security Advisory (emphasis is mine):

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

AMT is part of Intel's vPro offering and is not available on non-vPro devices like "consumer PCs with consumer firmware" and "Intel servers utilizing Intel® Server Platform Services (Intel® SPS)".

Intel CPUs without vPro support therefore do not seem vulnerable to this attack as they lack the vulnerable firmware.

WhiteWinterWolf
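As an added illustration (not part of the question or the answer above), the following Python helper encodes the answer's two points for host triage: a platform without AMT firmware (consumer firmware, Intel SPS) is outside the advisory's scope, and only the AMT/ISM/SBT firmware branches the advisory lists are affected. The sample "Server" header text is a constructed assumption, not something quoted on this page.

```python
import re
from typing import Optional, Tuple

# Affected firmware branches exactly as the quoted Intel advisory lists them:
# every 6.x through 10.x release, plus the 11.0, 11.5 and 11.6 branches.
# Only branches are modelled here, not individual build numbers.
AFFECTED_MAJORS_ANY_MINOR = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}

# Constructed sample (assumption): the kind of version string an AMT
# web interface or ME status tool reports. Wording is not from the page.
SAMPLE_AMT_SERVER_HEADER = "Intel(R) Active Management Technology 9.1.40"

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a firmware version string; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected_firmware(version: str) -> bool:
    """True if the AMT/ISM/SBT firmware version falls in the advisory's list."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor = parsed
    if major in AFFECTED_MAJORS_ANY_MINOR:
        return True
    return major == 11 and minor in AFFECTED_11_MINORS


def triage(amt_present: bool, firmware_version: Optional[str]) -> str:
    """Classify one host following the answer's reasoning.

    amt_present=False models the non-vPro case: the vulnerable manageability
    firmware is simply not on the platform, so the advisory does not apply.
    """
    if not amt_present:
        return "not applicable: no AMT firmware on this platform"
    if firmware_version is None:
        return "AMT present, firmware version unknown: treat as affected until verified"
    if is_affected_firmware(firmware_version):
        return f"affected: AMT firmware {firmware_version} is in the advisory list"
    return f"not listed: AMT firmware {firmware_version} is outside the advisory list"
```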
  • Would you mind expanding a bit more on _why_ Intel CPUs without vPro support are not vulnerable? Into which category from the emphasised quote do these fall? I don't see vPro being mentioned in the advisory. – raindev Sep 23 '17 at 18:09
  • When you said not vulnerable to this attack did you mean the particular example I've or the whole vector of ME related vulnerabilities? – raindev Sep 23 '17 at 18:09
  • @raindev: I've expanded my answer, I hope this answers your question. *"not vulnerable to this attack"* means what it means. It may remain vulnerable to other, unrelated attacks, or, even though unlikely, someone may find a way to build a similar attack, for instance by pushing a malicious firmware reproducing the AMT feature as the first step (again, unlikely). This is the IT Security perpetual race: you're never absolutely and indefinitely safe, but the main thing is that you are not vulnerable to this attack and that no equivalent targeting non-vPro CPUs has been published yet AFAIK. – WhiteWinterWolf Sep 28 '17 at 09:12
  • Thank you for expanding the answer, accepting it now. The only thing left unclear is the AMT and ME relationship. As I understand, ME will always be present in the CPU but will lack AMT capabilities if vPro support is not included in a particular model, right? – raindev Sep 28 '17 at 13:19
  • @raindev: Yes, this is my understanding too: AMT is the service and ME the infrastructure around it; without the vPro extension there remains only the empty infrastructure. [This page](https://puri.sm/learn/intel-me/) compares them and, by the way, discusses how ME too could be disabled. – WhiteWinterWolf Sep 28 '17 at 15:34