Some Apple laptops shipped with Intel chips in “manufacturing mode”
Apple has secretly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into “manufacturing mode.”
The OS maker fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.
Maxim Goryachy and Mark Ermolov, two researchers from Positive Technologies, spotted the Intel chip misconfiguration –which also received a vulnerability ID of CVE-2018-4251.
The two were hunting bugs in Intel’s Management Engine, an Intel proprietary technology used for remote management operations, which works as a separate chip running on top of actual Intel processor.
While digging around through the tens of ME configuration options, Goryachy and Ermolov spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.
The configuration they eyed was named Manufacturing Mode, and it’s an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME’s remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product.
Goryachy and Ermolov say that devices where this Intel ME Manufacturing Mode has been left enabled can allow attackers to make changes to ME settings, and disable security features to enable other attack vectors.
“By exploiting CVE-2018-4251, an attacker could write old versions of Intel ME (such as versions containing vulnerability INTEL-SA-00086) to memory without needing an SPI programmer or access to the HDA_SDO bridge–in other words, without physical access to the computer,” said the two researchers in a report published today detailing some of these possible exploitation scenarios and their outcome.
Goryachy and Ermolov said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Fortunately, there are ways to test if Intel ME Manufacturing Mode has been left enabled, and there are also ways to turn it off.
The two say that a tool named MEInfo, included with the Intel ME System Tools package, can tell users if the Intel ME chip has been left in Manufacturing Mode.
For cases where Intel ME System Tools is not available for a specific platform, the two also created a Python script that can check the status of Manufacturing Mode.
Instructions on how to use both tools and how to disable Manufacturing Mode [with the help of the FPT (Flash Programming Tool) utility part of the Intel ME System Tools] are available at the bottom of Goryachy and Ermolov’s technical report, here.
Related coverage:
READ MORE HERE