A team of security researchers has published a proof-of-concept exploit code for a vulnerability in the Intel Management Engine JTAG.
Last year the same group of experts at Positive Technologies discovered an undocumented configuration setting that disabled the Intel Management Engine.
The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals, it is a critical component that handles data exchanged between the processor and peripherals.
For this reason, security experts warned in the past of the risks for Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.
The flaw was patched, but the team composed of Mark Ermolov, Maxim Goryachy, and Dmitry Sklyarov, has devised a walkthrough for accessing the Joint Test Action Group (JTAG) feature implemented in the Intel’s Management Engine (IME).
JTAG feature provides debugging access to the processor via special USB 3.0 debugging connectors.
“A special USB 3.0 debugging connector is also necessary, though those who enjoy hacking hardware can make their own by isolating the D+, D-, and Vcc contacts on a USB 3.0 Type A Male to Type A Male cable.” reported ElReg.
The PoC incorporates the work of Dmitry Sklyarov, another researcher from the company.
The exploitation of the flaw is not simple, it requests the physical access via USB to the device.
In May 2107, security experts discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2017-5689, in the remote management features implemented on computers shipped with Intel Chipset in past 9 years.
The vulnerability affected the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM) and could be exploited by hackers to remotely take over the vulnerable systems.
The Electronic Frontier Foundation asked Intel to provide a way to disable the IME.
In August 2017, the experts from Positive Technologies (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) discovered a way to disable the Intel Management Engine 11 via an undocumented mode.
The researchers discovered that it is possible to turn off the Intel ME by setting the undocumented high assurance platform (HAP) bit to 1 in a configuration file.
The experts discovered that the security framework was developed by the US National Security Agency … yes the NSA!
In November Intel issued a security patch for the JTAG vulnerability (INTEL-SA-00086) and in February 2018 it issued a new update for the fix. The vulnerability allowed an attacker to execute arbitrary and unsigned code by using the PoC code to activate JTAG for the IME core.
The PoC was working on a Gigabyte Brix GP-BPCE-3350C, (Intel Celeron-based compact PC), the experts now note that now it should work on other Intel Apollo Lake-based PCs.
The exploitation of the flaw also requires the availability of the TXE firmware version 188.8.131.527 and a utility called Intel TXE System Tools that is not available only to some of Intel OEM partners.