In early July, Intel issued security advisories SA-00112 and SA-00118 regarding fixes for vulnerabilities in Intel Management Engine. Both advisories describe vulnerabilities with which an attacker could execute arbitrary code on the Minute IA PCH microcontroller.
The vulnerabilities are similar to ones previously discovered by Positive Technologies security experts last November (SA-00086). But that was not the end of the story, as Intel has now released fixes for additional vulnerabilities in ME.
CVE-2018-3627, the vulnerability at issue in advisory SA-00118, is described as a logic bug (not a buffer overflow) that may allow execution of arbitrary code. Ease of exploitation makes this vulnerability more dangerous than the one in SA-00086, which was locally exploitable only in case of OEM configuration errors; instead, an attacker simply needs local access.
Things are even worse with CVE-2018-3628, which is described in advisory SA-00112. This vulnerability enables full-blown remote code execution in the AMT process of the Management Engine. Moreover, all signs indicate that—unlike CVE-2017-5712 in advisory SA-00086—attackers do not need an AMT administrator account.
Intel characterizes the vulnerability as “Buffer overflow in HTTP handler” allowing remote code execution without authorization. This is the very scenario that used to be the stuff of nightmares for Intel users—and now has come to pass. This vulnerability is similar to CVE-2017-5689, which was found in May 2017 by Embedi, but with even worse consequences.
Perhaps the only consolation is that for CVE-2018-3628, Intel says that exploitation is possible only from the same subnet.
Positive Technologies plans to study these vulnerabilities more closely in future research. Notably, Intel indicates the same “resolved” firmware versions for the vulnerabilities as for SA-00086. In other words, it is possible that these latest vulnerabilities were found during security review of Intel ME code at the same time as SA-00086, but Intel delayed publication in order to head off the alarm and disruption that could have followed from packing such a large number of critical vulnerabilities in SA-00086.