Intel Management Engine
The Intel Management Engine (ME) is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. This issue can be mitigated with the deployment of a hardware device which is able to disconnect all connections to mains power as well as all internal forms of energy storage. The Electronic Frontier Foundation and some security researchers have voiced concern that the Management Engine is a backdoor.
Intel's main competitor, AMD, has incorporated the equivalent AMD Secure Technology in virtually all of its post-2013 CPUs.
Difference from Intel AMT
The Management Engine is often confused with Intel AMT. AMT runs on the ME, but is only available on processors with vPro. AMT gives device owners remote administration of their computer, such as powering it on or off, and reinstalling the operating system. However, the ME itself has been built into all Intel chipsets since 2008, not only those with AMT. While AMT can be unprovisioned by the owner, there is no official, documented way to disable the ME.
Design
The subsystem primarily consists of proprietary firmware running on a separate microprocessor that performs tasks during boot-up, while the computer is running, and while it is asleep. As long as the chipset or SoC is supplied with power, it continues to run even when the system is turned off. Intel claims the ME is required to provide full performance. Its exact workings are largely undocumented and its code is obfuscated using confidential Huffman tables stored directly in hardware, so the firmware does not contain the information necessary to decode its contents.
Hardware
Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME firmware is stored in a partition of the SPI BIOS Flash, using the Embedded Flash File System. Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS. Versions 1.x to 5.x of the ME used the ARCTangent-A4 whereas versions 6.x to 8.x used the newer ARCompact. Starting with ME 7.1, the ARC processor could also execute signed Java applets.
The ME has its own MAC and IP address for the out-of-band management interface, with direct access to the Ethernet controller. One portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system; support for this exists in various Ethernet controllers and is exported and made configurable via Management Component Transport Protocol. The ME also communicates with the host via PCI interface. Under Linux, communication between the host and the ME is done via or.
Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub layout. With the newer Intel architectures, the ME is integrated into the Platform Controller Hub.
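Because the out-of-band traffic described above is diverted to the ME before the host's operating system sees it, host firewalls and packet captures do not observe it, so monitoring has to happen on the network. The following is an added example, not code from the original article or from Intel: it flags flows to the IANA-registered AMT ports (which the article does not list) in constructed sensor records. The record format, the `MGMT_NET` allowlist and the function names are assumptions.

```python
import ipaddress

# IANA-registered Intel AMT service ports (not listed in the article).
AMT_PORTS = {
    16992: "AMT web interface (HTTP)",
    16993: "AMT web interface (HTTPS)",
    16994: "AMT redirection, SOL/IDE-R (TCP)",
    16995: "AMT redirection, SOL/IDE-R (TLS)",
}
REDIRECTION_PORTS = {16994, 16995}
# Assumption: the only subnet from which AMT management is expected.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed sensor records: time src sport dst dport proto
SAMPLE_FLOWS = """\
2017-06-08T10:00:01Z 10.0.50.7 51514 10.0.20.31 16993 tcp
2017-06-08T10:00:09Z 10.0.20.44 49822 10.0.20.31 16994 tcp
2017-06-08T10:01:15Z 10.0.20.44 49830 10.0.30.12 443 tcp
2017-06-08T10:02:40Z 192.0.2.66 40111 10.0.20.31 16992 tcp
truncated record
"""

def parse_flow(line):
    """Return (time, src, dst, dport), or None if the record is unusable."""
    parts = line.split()
    if len(parts) != 6 or parts[5].lower() != "tcp":
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[3]), int(parts[4]))
    except ValueError:
        return None

def find_amt_flows(text, mgmt_net=MGMT_NET):
    """List flows to AMT ports, marking those from outside the allowlist."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[3] not in AMT_PORTS:
            continue
        when, src, dst, dport = flow
        findings.append({
            "time": when, "src": str(src), "dst": str(dst),
            "service": AMT_PORTS[dport],
            "redirection": dport in REDIRECTION_PORTS,
            "expected": src in mgmt_net,
        })
    return findings

if __name__ == "__main__":
    for f in find_amt_flows(SAMPLE_FLOWS):
        print(f)
```

Findings with `expected` set to false are the ones to triage first, and a redirection flow (Serial over LAN or IDE redirection) between two ordinary workstations is the most unusual case in the sample.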
Firmware
By Intel's current terminology as of 2017, ME is one of several firmware sets for the Converged Security and Manageability Engine. Prior to AMT version 11, CSME was called Intel Management Engine BIOS Extension.
- Management Engine – mainstream chipsets
- Server Platform Services – server chipsets and SoCs
- Trusted Execution Engine – tablet/embedded/low power
Modules
- Active Management Technology
- Intel Boot Guard and Secure Boot
- Quiet System Technology, formerly known as Advanced Fan Speed Control, which provides support for acoustically optimized fan speed control, and monitoring of temperature, voltage, current and fan speed sensors that are provided in the chipset, CPU and other devices present on the motherboard. Communication with the QST firmware subsystem is documented and available through the official software development kit.
- Protected Audio Video Path, enforces HDCP
- Intel Anti-Theft Technology, discontinued in 2015
- Serial over LAN
- Intel Platform Trust Technology, a firmware-based Trusted Platform Module
- Near Field Communication, a middleware for NFC readers and vendors to access NFC cards and provide secure element access, found in later MEI versions.
The intricacies of working with Intel ME
For example, after replacing the platform hub on the motherboard.
Usually, this requires an SPI programmer.
There are known successful cases of this operation being performed.
Security vulnerabilities
Several weaknesses have been found in the ME. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug in its Management Technology. Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME. Several ways to disable the ME without authorization that could allow ME's functions to be sabotaged have been found. Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on November 20, 2017. Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods. In July 2018, another set of vulnerabilities was disclosed. In September 2018, yet another vulnerability was published.
Ring −3 rootkit
A ring −3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset; it does not work for the later Q45 chipset as Intel implemented additional protections. The exploit worked by remapping the normally protected memory region reserved for the ME. The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor. For the vulnerable Q35 chipset, a keystroke logger ME-based rootkit was demonstrated by Patrick Stewin.
Zero-touch provisioning
Another security evaluation by Vassilios Ververis showed serious weaknesses in the GM45 chipset implementation. In particular, it criticized AMT for transmitting unencrypted passwords in the SMB provisioning mode when the IDE redirection and Serial over LAN features are used. It also found that the "zero touch" provisioning mode is still enabled even when the AMT appears to be disabled in BIOS. For about 60 euros, Ververis purchased from GoDaddy a certificate that is accepted by the ME firmware and allows remote "zero touch" provisioning of machines, which broadcast their HELLO packets to would-be configuration servers.
SA-00075 (a.k.a. Silent Bob is Silent)
In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability. The vulnerability was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel. It affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard, Intel, Lenovo, and possibly others. Those researchers claimed that the bug affects systems made in 2010 or later. Other reports claimed the bug also affects systems made as long ago as 2008. The vulnerability was described as giving remote attackers:
PLATINUM
In June 2017, the PLATINUM cybercrime group became notable for exploiting the serial over LAN capabilities of AMT to perform data exfiltration of stolen documents. SOL is disabled by default and must be enabled to exploit this vulnerability.
SA-00086
Some months after the previous bugs, and subsequent warnings from the EFF, security firm Positive Technologies claimed to have developed a working exploit. On November 20, 2017, Intel confirmed that a number of serious flaws had been found in the Management Engine, Trusted Execution Engine, and Server Platform Services firmware, and released a "critical firmware update". Essentially every Intel-based computer from the last several years, including most desktops and servers, was found to be vulnerable to having its security compromised, although the potential routes of exploitation were not entirely known. It is not possible to patch the problems from the operating system, and a firmware update to the motherboard is required, which was anticipated to take quite some time for the many individual manufacturers to accomplish, if it would ever be accomplished for many systems.
Affected systems
- Intel Atom – C3000 family
- Intel Atom – Apollo Lake E3900 series
- Intel Celeron – N and J series
- Intel Core – 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation
- Intel Pentium – Apollo Lake
- Intel Xeon – E3-1200 v5 and v6 product family
- Intel Xeon – Scalable family
- Intel Xeon – W family
Mitigation