Intel has issued patches for a large range of its processors to fix a security vulnerability that affects millions of PCs, servers and internet of things devices.
The most serious flaw involves multiple buffer overflows in the operating system kernel for the Intel Management Engine (ME) firmware, which allow attackers to run arbitrary code on vulnerable systems.
Intel's Management Engine is used for local and remote system management, which can be performed out of band even when the computer is turned off.
ME is a separate processor embedded in the motherboard chipset on computers with Intel central processing units, and it runs a version of the UNIX-like MINIX operating system. It was introduced in 2005.
ME has full access to the computer's system memory as well as network adapters. However, the operating system cannot access ME, and researchers noted that it was almost impossible to disable the feature to protect against possible exploitation of vulnerabilities.
Increasing the risk, ME runs all the time as long as the computer is plugged in, even when other parts of the system are powered down.
"Based on the items identified through the comprehensive security review, an attacker could gain unauthorised access to the platform, Intel ME feature, and third party secrets protected by the ME, Server Platform Service (SPS), or Trusted Execution Engine (TXE)," the chipmaker said.
Beyond running unauthorised code on computers, Intel has identified attack scenarios that could crash systems or make them unstable.
Attackers can also "impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity," the company said.
In addition to ME versions 11.0.0 to 11.7.0, TXE version 3.0 and SPS version 4.0 are vulnerable, leaving millions of computers with the feature at risk.
The company listed the following as containing the vulnerable firmware:
- 6th, 7th, and 8th generation Intel Core processors
- Xeon E3-1200 v5 and v6
- Xeon Scalable range
- Xeon Processor W family
- Atom C3000 processor family
- Apollo Lake Atom E3900 series
- Apollo Lake Pentium processors
- Celeron N and J series processors
Intel has released a software tool for Microsoft Windows and Linux admins to test systems for the ME vulnerability.
The company also advised users to check for firmware updates from their system integrators and vendors.