Intel management engine - is macOS vulnerable?

Solution 1:

First: it's not macOS itself which is vulnerable in the first place; the firmware and related hardware are affected. In a second step your system may be attacked though.

Only some of the impacted processors are installed in Macs:

  • 6th and 7th generation Intel® Core™ Processor Family

I checked some random firmware files with the tool MEAnalyzer and found at least some containing Intel Management Engine code:

This is the MacBook Pro Retina Mid 2017:

File:     MBP143_0167_B00.fd (3/3)

Family:   CSE ME
Version:  11.6.14.1241
Release:  Production
Type:     Region, Extracted
SKU:      Slim H
Rev:      D0
SVN:      1
VCN:      173
LBG:      No
PV:       Yes
Date:     2017-03-08
FIT Ver:  11.6.14.1241
FIT SKU:  PCH-H No Emulation SKL
Size:     0x124000
Platform: SPT/KBP
Latest:   Yes

An ME entry in Family denotes Management Engine code.

In an EFIFirmware2015Update.pkg 2 of 21 firmware files contain Intel Management Engine code which may be affected by CVE-2017-5705|5708|5711|5712.

In the macOS 10.13.1 update.pkg 21 of 46 firmware files contain Intel Management Engine code which may be affected by CVE-2017-5705|5708|5711|5712.

One source and a linked source therein state that "Intel ME is baked in every CPU but according to The Register (0) the AMT part is not running on Apple hardware." AMT is also related to an older vulnerability and the Register link refers to this. Then the firmware may not be affected by CVE-2017-5711|5712 because AMT isn't present on Macs.

But some of the recent vulnerabilities don't require AMT.


In my opinion it's unclear whether Macs are affected by the Intel Q3’17 ME 11.x vulnerability - probably only Apple can tell. At least Macs are not affected by the SPS 4.0 and the TXE 3.0 bugs!

Solution 2:

Screenshot of the Intel detection tool run in Boot Camp on a Q3 2017 MacBook Pro (image not reproduced here). Intel detection tool: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Bad news guys.

Solution 3:

I can confirm, with info directly from my local Apple Store, that Intel Macs do indeed ship with Intel ME hardware, and that Apple does not modify any Intel hardware. Though at this point I can't confirm or deny whether Macs run Intel firmware for ME, the other answers to this question seem to suggest that they do run Intel firmware.

I dare say that Apple machines are all vulnerable, and are affected in a much more dramatic way than other machines that already have patches available for download at the time of this post. The reason is that many, many Macs seem to have outdated Intel firmware, assuming they have it and the Python scripts other people are using to check the version of their firmware aren't erroneous, or alluding to custom Apple-written firmware for the ME hardware that is present in the machine. Klanomath, your machine seems to be fairly screwed with a version of ME firmware as old as 9.5.3. That 11.6.5 firmware on another machine is also clearly vulnerable as well, as per the Intel audit, as seen here:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

You need to update to 11.8.0 or up. In particular, this hack is so troubling because it "allow[s] [an] attacker with local access to the system to execute arbitrary code. Multiple privilege escalations ... allow unauthorized process to access privileged content via unspecified vector. ... allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. ... allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege."

"Execute arbitrary code, privilege escalation, remote access to system and execute arbitrary code." This is insane! Especially because Intel ME allows for remote access even when a system is powered off, though that might only be with AMT software, which apparently Apple does not have.
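The two answers above describe a manual procedure: run MEAnalyzer over the firmware files from an Apple update package, treat any block whose Family contains "ME" as Management Engine code, count how many of the files carry it, and compare the ME 11.x version against the 11.8.0 threshold quoted from INTEL-SA-00086. The script below is an added example (not code from either answer or from MEAnalyzer) that automates that triage over MEAnalyzer-style key/value report text. The report blocks embedded in it are constructed for illustration, only the first mirrors the MacBook Pro output shown above; the 11.8.0 cut-off is the simplified rule the answer states, not the full affected-version table of the advisory, and ME branches other than 11.x are reported as "unknown" because the thread gives no threshold for them.

```python
"""Triage MEAnalyzer-style report text for Intel ME firmware regions.

Added example, not part of the original answers. Assumes the key/value
text layout MEAnalyzer prints (one 'File:' header per firmware image,
followed by 'Key:   value' lines) and the simplified rule from the thread:
ME 11.x firmware should be 11.8.0 or newer (INTEL-SA-00086). The report
blocks in SAMPLE_REPORT are constructed; only the first one reproduces
the MacBook Pro Retina Mid 2017 output quoted in the thread.
"""
import re

# Simplified threshold quoted in the thread (assumption: the real advisory
# lists several affected ranges; this only handles the ME 11.x branch).
MIN_SAFE_ME11 = (11, 8, 0)

# Constructed sample report: three firmware files, two with ME regions.
SAMPLE_REPORT = """\
File:     MBP143_0167_B00.fd (3/3)

Family:   CSE ME
Version:  11.6.14.1241
Release:  Production
Type:     Region, Extracted
SKU:      Slim H
FIT Ver:  11.6.14.1241
Platform: SPT/KBP
Latest:   Yes

File:     constructed_patched_ME.fd (1/1)

Family:   CSE ME
Version:  11.8.50.3399
Release:  Production
Type:     Region, Extracted
Platform: SPT/KBP
Latest:   Yes

File:     constructed_no_ME.fd (1/1)

Family:   CSE TXE
Version:  3.1.50.2222
Release:  Production
Type:     Region, Extracted
"""

_KV = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s+(.*)$")


def parse_report(text):
    """Split MEAnalyzer-style text into one dict per 'File:' block."""
    entries, current = [], {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue  # blank lines and banner text are skipped
        key, value = m.group(1), m.group(2).strip()
        if key == "File":
            if current:
                entries.append(current)
            current = {"File": value}
        else:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def version_tuple(s):
    """'11.6.14.1241' -> (11, 6, 14, 1241); non-numeric parts are dropped."""
    return tuple(int(p) for p in s.split(".") if p.isdigit())


def is_me_region(entry):
    """True when the Family field names Management Engine code (e.g. 'CSE ME')."""
    return "ME" in entry.get("Family", "").split()


def classify(entry):
    """Return 'not-me', 'affected', 'patched' or 'unknown' for one report block."""
    if not is_me_region(entry):
        return "not-me"
    ver = version_tuple(entry.get("Version", ""))
    if not ver or ver[0] != 11:
        return "unknown"  # ME 6-10, SPS, TXE: thread gives no threshold
    return "affected" if ver[:3] < MIN_SAFE_ME11 else "patched"


def triage(text):
    """Map each firmware file name to its classification."""
    return {e["File"]: classify(e) for e in parse_report(text)}


def count_me(text):
    """(files containing ME code, total files), like '21 of 46' in the thread."""
    entries = parse_report(text)
    return sum(1 for e in entries if is_me_region(e)), len(entries)


if __name__ == "__main__":
    me, total = count_me(SAMPLE_REPORT)
    print(f"{me} of {total} firmware files contain Intel Management Engine code")
    for name, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:9s} {name}")
```

To use it on a real package, run MEAnalyzer over the extracted .fd files, capture its text output, and pass that string to `triage()` instead of the constructed sample. A verdict of "patched" from this script only means the 11.x version is at or above the 11.8.0 line quoted in the answer; it is not a substitute for Intel's detection tool or the advisory's full version table.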

Solution 4:

Excerpt from INTEL-SA-00086: "The attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory."

Unless your Apple product is operating in a public lab where nefarious people may gain physical access to the device, you probably don't have much to worry about. The security advisory doesn't mention it, but I read elsewhere on a PC/Windows forum the attack comes to Flash Descriptor firmware via a USB port (flash drive). There is already USB-flash technology to hijack an Apple computer using a limited Linux kernel on a flash drive. For most people this won't be much of an issue.