The Intel Management Engine (ME) is an extremely highly privileged subsystem of essentially all Intel processors manufactured after 2008. Its stated purpose is to enable out-of-band management of computers running Intel processors. It is highly controversial for a number of reasons: mainly its functional equivalence to a backdoor, its ubiquity due to the popularity of x86, its numerous critical vulnerabilities that have been exploited in the wild, and the great difficulty of disabling it.
Here are some true statements about the ME:
memcpy(3)
Since Skylake, the ME is based on the Quark microcontroller and, as such, is a 32-bit x86 machine in its own right. It runs the Minix 3 operating system. Previous versions were based on various versions of the Argonaut RISC Core (ARC) processor¹. These run the ARCompact ISA in a mixed 32- and 16-bit mode. These older versions of the ME ran the ThreadX RTOS. The firmware for the ME resides in BIOS flash memory[6][45][46].
Modern versions have the ME reside in the Platform Controller Hub (PCH) of the chipset/SoC. The PCH essentially acts as a bus between the peripheral devices and the main CPU, allowing the ME to possess total read and write access to communications along it.
In May 2017, a researcher named Maksim Malyutin² of Embedi discovered a critical vulnerability in the ME allowing for remote privilege escalation[38]. It was assigned CVE-2017-5689 by NIST and was disclosed by Intel via INTEL-SA-00075[36][30][31]. The vulnerability essentially boils down to a lack of access control on the part of the ME. This allows a remote, unauthenticated attacker to gain total and arbitrary control of the ME via the Active Management Technology (AMT) system (which runs on the ME) and, due to the aforementioned capabilities of the ME, the entire computer system. Malyutin published a PoC for the vulnerability[52] which is as simple as a single HTTP authentication request.
In December 2017, at BlackHat Europe, researchers from Positive Technologies demonstrated a working PoC for another vulnerability[4]. This prompted Intel to issue another security advisory, INTEL-SA-00086, to address it.
In July 2018, Intel published yet another security advisory, INTEL-SA-00112, in order to address additional vulnerabilities that had been discovered in the ME[20][42][43][44]. This advisory covered three CVEs:
CVE-2018-3628 and CVE-2018-3629 are both buffer overflows in the ME's firmware (specifically versions 3-11), in the embedded HTTP server and an event handler, respectively. CVE-2018-3632 is a memory corruption (via an out-of-bounds write).
Invisible Things Lab demonstrated a persistent rootkit that exploited the ARC chip itself (regardless of whether or not AMT is enabled). This resulted in the rootkit running at the same privilege level (read: total and complete) as the ME: dubbed "ring -3"[24].
The PLATINUM cybercrime group successfully exfiltrated sensitive documents from targeted computer systems by exploiting the ME. It's worth noting that Serial-over-LAN (SOL) capabilities are not enabled by default and must be explicitly enabled on the device via AMT[39].
There are four levels of operation for the Management Engine[17]:
The me_cleaner project is the prevailing open source tool for ME mitigation[48] and implements many of the methods outlined below[49].
In August 2017, Dmitry Sklyarov³ of Positive Technologies discovered an undocumented mode of the ME called High Assurance Platform (HAP) mode[51]. It is intended to comply with an NSA programme of the same name; however, it is inadvertently available on regular retail devices. Enabling the HAP bit essentially cleanly disables the ME.
diff --git a/me_cleaner.py b/me_cleaner.py
index 7245fea..95d3b25 100755
--- a/me_cleaner.py
+++ b/me_cleaner.py
@@ -501,6 +501,7 @@ if __name__ == "__main__":
flmap0, flmap1 = unpack("<II", f.read(8))
frba = flmap0 >> 12 & 0xff0
fmba = (flmap1 & 0xff) << 4
+ fpsba = flmap1 >> 12 & 0xff0
f.seek(frba)
flreg = unpack("<III", f.read(12))
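Review bot: the added fpsba = flmap1 >> 12 & 0xff0 line carries no comment saying which FLMAP1 field it extracts, and it relies on >> binding tighter than &. It takes bits 23:16 of FLMAP1 and scales them by 16, and the later hunk uses the result as the PCH strap base, so a short comment to that effect plus explicit parentheses, (flmap1 >> 12) & 0xff0, would make it readable without a datasheet. The same applies to the existing frba line above it.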
@@ -590,7 +591,7 @@ if __name__ == "__main__":
mef = RegionFile(f, me_start, me_end)
- if args.descriptor or args.extract_descriptor:
+ if me_start > 0:
fdf = RegionFile(f, fd_start, fd_end)
print("Removing extra partitions...")
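Review bot: the new condition if me_start > 0 stands in for "this image contains a flash descriptor", which the expression itself does not say. A named boolean or a one-line comment would make the intent explicit. Note also that fdf is now opened for every such image rather than only when args.descriptor or args.extract_descriptor is given, so any later write through fdf is no longer something the user opted into.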
@@ -651,6 +652,21 @@ if __name__ == "__main__":
print("Truncating file at {:#x}...".format(end_addr))
f.truncate(end_addr)
+ if me_start > 0:
+ if me11:
+ print("Setting the HAP bit in PCHSTRP0 to disable Intel ME...")
+ fdf.seek(fpsba)
+ pchstrp0 = unpack("<I", fdf.read(4))[0]
+ pchstrp0 |= (1 << 16)
+ fdf.write_to(fpsba, pack("<I", pchstrp0))
+ else:
+ print("Setting the AltMeDisable bit in PCHSTRP10 to disable "
+ "Intel ME...")
+ fdf.seek(fpsba + 0x28)
+ pchstrp10 = unpack("<I", fdf.read(4))[0]
+ pchstrp10 |= (1 << 7)
+ fdf.write_to(fpsba + 0x28, pack("<I", pchstrp10))
+
if args.descriptor:
print("Removing ME/TXE R/W access to the other flash regions...")
fdf.write_to(fmba + 0x4, pack("<I", 0x04040000))
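Review bot: the strap write in the added if me_start > 0 block runs for every image that has a descriptor, with no command-line option guarding it, while the R/W-access change directly below stays behind args.descriptor. Gating the HAP/AltMeDisable write on an explicit flag would keep descriptor modification opt-in for users who only want module removal. The literals 1 << 16, 0x28 and 1 << 7 would be clearer as named constants with a note on their source, and fpsba is used as a seek offset without checking that it falls inside the descriptor region.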
-- Changes to me_cleaner enabling use of the HAP bit for ME mitigation[49]
This is the original method used by me_cleaner and essentially just deletes all noncritical firmware modules from the BIOS flash memory. Reductions of up to 73% of the total code can be achieved and still result in a bootable system.
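A read-only way to verify the HAP/AltMeDisable strap described above on a flash dump, as an added example (not me_cleaner code). It assumes the flash descriptor starts at offset 0 of the image with its signature at 0x10 and FLMAP0/FLMAP1 at 0x14, that the caller already knows whether the firmware is ME 11 or later (the `me11` argument), and it uses a constructed sample descriptor rather than a real dump.

```python
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # 0x0FF0A55A little-endian (assumed at 0x10)
HAP_BIT = 1 << 16                   # PCHSTRP0 bit the patch sets for ME 11
ALT_ME_DISABLE_BIT = 1 << 7         # PCHSTRP10 bit the patch sets otherwise
PCHSTRP10_OFFSET = 0x28             # offset from FPSBA used by the patch


def me_disable_strap(image: bytes, me11: bool) -> dict:
    """Report, without modifying the image, whether the disable bit is set."""
    if len(image) < 0x1C or image[0x10:0x14] != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    _flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    fpsba = (flmap1 >> 12) & 0xFF0  # same computation as the patch
    offset = fpsba if me11 else fpsba + PCHSTRP10_OFFSET
    if offset + 4 > len(image):
        raise ValueError("PCH strap offset lies outside the image")
    (value,) = struct.unpack_from("<I", image, offset)
    mask = HAP_BIT if me11 else ALT_ME_DISABLE_BIT
    return {
        "strap": "PCHSTRP0" if me11 else "PCHSTRP10",
        "offset": offset,
        "value": value,
        "disable_bit_set": bool(value & mask),
    }


def build_sample_descriptor(fpsba=0x100, pchstrp0=0, pchstrp10=0) -> bytes:
    """Constructed 4 KiB descriptor for demonstration; not a real dump."""
    buf = bytearray(b"\xff" * 0x1000)
    buf[0x10:0x14] = FD_SIGNATURE
    # FLMAP0 is irrelevant here; FLMAP1 bits 23:16 hold FPSBA / 16.
    struct.pack_into("<II", buf, 0x14, 0, (fpsba >> 4) << 16)
    struct.pack_into("<I", buf, fpsba, pchstrp0)
    struct.pack_into("<I", buf, fpsba + PCHSTRP10_OFFSET, pchstrp10)
    return bytes(buf)


if __name__ == "__main__":
    before = build_sample_descriptor()
    after = build_sample_descriptor(pchstrp0=HAP_BIT)
    for label, img in (("before", before), ("after", after)):
        print(label, me_disable_strap(img, me11=True))
```

Running it against a dump taken before and after patching shows whether the strap change actually landed in the descriptor that will be flashed.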
Igor Skochinsky of Hex-Rays has published a great deal of original research material on the internal workings of the ME. Much of this work has been presented at various security conferences such as Breakpoint[45]⁴ and REcon[52].
Maxim Goryachy, Mark Ermolov, and Dmitry Sklyarov of Positive Technologies have collectively published much high-quality research on the internals of the ME.
Joanna Rutkowska⁵, Alexander Tereshkin⁶, and Rafal Wojtczuk⁷ of Invisible Things Lab published the first description of how a persistent rootkit could be installed on the ME, enabling it to operate at the so-called ring -3 privilege level.
Vassilios Ververis completed his PhD thesis at the KTH Royal Institute of Technology on Intel's Active Management Technology (AMT).
[1] A. S. Tanenbaum, An Open Letter to Intel, Andrew S. Tanenbaum's Homepage, accessed 13 August 2025. [Online]. Available: https://www.cs.vu.nl/~ast/intel
[2] Intel, Frequently Asked Questions for the Intel® Management Engine..., Intel support webpage, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html
[3] Electronic Frontier Foundation, Intel’s Management Engine is a security hazard, and users need a way to disable it, EFF Deeplinks blog, 5 May 2017, accessed 13 August 2025. [Online]. Available: https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
[4] Black Hat EU, “How to hack a turned-off computer—or running unsigned code in Intel Management Engine,” Black Hat EU-17 Briefing schedule entry, accessed 13 August 2025. [Online]. Available: https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
[5] C. Hoffman, Intel Management Engine, Explained: The Tiny Computer Inside Your CPU, How-To-Geek, 15 May 2017, accessed 13 August 2025. [Online]. Available: https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu
[6] “Intel Management Engine,” io.netgarage.org (archived blog resource), accessed 13 August 2025. [Online]. Available: http://io.netgarage.org/me
[7] Positive Technologies Blog (via PT Security), Disabling Intel ME, PT Security blog (archived), 28 August 2017, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20170828150536/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
[8] “Libreboot T480,” Minifree, product webpage, accessed 13 August 2025. [Online]. Available: https://minifree.org/product/libreboot-t480.html
[9] GitHub, coreboot/util/intelmetool, GitHub repository directory listing, accessed 13 August 2025. [Online]. Available: https://github.com/coreboot/coreboot/tree/main/util/intelmetool
[10] Intel, I210 Datasheet v3.7, PDF datasheet (DS-333016, Rev. 3.7), accessed 13 August 2025. [Online]. Available: https://cdrdv2-public.intel.com/333016/333016%20-%20I210_Datasheet_v_3_7.pdf
[11] Intel, Ethernet-X540 Brief, PDF product brief, accessed 13 August 2025. [Online]. Available: https://cdrdv2-public.intel.com/326917/ethernet-x540-brief.pdf
[12] Positive Technologies, Intel ME: The Way of the Static Analysis, presented at TROOPERS17, Heidelberg, Germany, 2017, accessed 13 August 2025. [Online]. Available: https://troopers.de/downloads/troopers17/TR17_ME11_Static.pdf
[13] The Linux Kernel Archives, Documentation/misc-devices/mei/mei.txt, kernel documentation text file, accessed 13 August 2025. [Online]. Available: https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
[14] The Linux Kernel Archives, Driver-API/mei/mei.html, HTML documentation, accessed 13 August 2025. [Online]. Available: https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
[15] C. Demerjian, “Remote-security exploit on 2008 Intel platforms,” SemiAccurate, 1 May 2017, accessed 13 August 2025. [Online]. Available: https://www.semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms
[16] The Register, “Intel AMT/ME vulnerability,” The Register, 1 May 2017, accessed 13 August 2025. [Online]. Available: https://www.theregister.com/2017/05/01/intel_amt_me_vulnerability
[17] T. François, Deep dive into Intel ME disablement, Purism blog, accessed 13 August 2025. [Online]. Available: https://puri.sm/posts/deep-dive-into-intel-me-disablement
[18] Purism, Neutralizing Intel Management Engine on Librem laptops, Purism blog, accessed 13 August 2025. [Online]. Available: https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops
[19] Intel, Security Advisory: Intel-SA-00125, Intel Security Center webpage, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html
[20] Intel, Security Advisory: Intel-SA-00112, Intel Security Center webpage, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html
[21] The Register, “Intel Management Engine pwned by buffer overflow,” The Register, 6 December 2017, accessed 13 August 2025. [Online]. Available: https://www.theregister.com/2017/12/06/intel_management_engine_pwned_by_buffer_overflow
[22] ExtremeTech, Intel patches major flaws in Intel Management Engine, 2017, accessed 13 August 2025. [Online]. Available: https://www.extremetech.com/computing/259426-intel-patches-major-flaws-intel-management-engine
[23] The Register, “Intel flags firmware flaws,” The Register, 20 November 2017, accessed 13 August 2025. [Online]. Available: https://www.theregister.com/2017/11/20/intel_flags_firmware_flaws
[24] Invisible Things Lab, Press: ITL Press 2009-03, PDF, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20160412045958/http://invisiblethingslab.com/press/itl-press-2009-03.pdf
[25] J. Rutkowska, Quest To The Core (public), PDF presentation, accessed 13 August 2025. [Online]. Available: http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20%28public%29.pdf
[26] P. Stewin, Evaluating Ring-3 Rootkits, PDF slide deck, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20160304033404/http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf
[27] P. Stewin, Dedicated HW Malware, PDF slides, 44con 2013, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20160303222145/http://stewin.org/slides/44con_2013-dedicated_hw_malware-stewin_bystrov.pdf
[28] V. Ververis, Degree Project Report, KTH, accessed 13 August 2025. [Online]. Available: https://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf
[29] National Vulnerability Database, CVE-2017-5689 Detail, NIST NVD webpage, accessed 13 August 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/cve-2017-5689
[30] Intel, Security Advisory: Intel-SA-00075, Intel Security Center webpage, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html
[31] Darknet.org.uk, Intel Hidden Management Engine x86 Security Risk, darknet.org.uk article, 1 June 2016, accessed 13 August 2025. [Online]. Available: https://www.darknet.org.uk/2016/06/intel-hidden-management-engine-x86-security-risk
[32] mjg59, blog post, mjg59.dreamwidth.org/48429.html, accessed 13 August 2025. [Online]. Available: https://mjg59.dreamwidth.org/48429.html
[33] D. Goodin, The hijacking flaw that lurked in Intel chips is worse than anyone thought, Ars Technica, 2 May 2017, accessed 13 August 2025. [Online]. Available: https://arstechnica.com/information-technology/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought
[34] Lenovo, Product Security Advisory LEN-14963, Lenovo support page, accessed 13 August 2025. [Online]. Available: https://support.lenovo.com/us/en/product_security/LEN-14963
[35] SSH.com via Internet Archive, Intel AMT vulnerability, archived vulnerability advisory, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20180305001456/https://www.ssh.com/vulnerability/intel-amt
[36] Embedi (via archive), Mythbusters: CVE-2017-5689, archived post, accessed 13 August 2025. [Online]. Available: https://web.archive.org/web/20180817215423/https://embedi.com/news/mythbusters-cve-2017-5689
[37] C. Cimpanu, Malware uses obscure Intel CPU feature to steal data and avoid firewalls, BleepingComputer, 8 June 2017, accessed 13 August 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls
[38] The Register, “Vxers exploit Intel’s AMT for ‘malware-over-LAN’,” The Register, 8 June 2017, accessed 13 August 2025. [Online]. Available: https://www.theregister.com/2017/06/08/vxers_exploit_intels_amt_for_malwareoverlan
[39] Intel, Support Article 000025619 – Software, Intel support page, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
[40] National Vulnerability Database, CVE-2018-3628 Detail, NIST NVD webpage, accessed 13 August 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-3628
[41] National Vulnerability Database, CVE-2018-3629 Detail, NIST NVD webpage, accessed 13 August 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-3629
[42] National Vulnerability Database, CVE-2018-3632 Detail, NIST NVD webpage, accessed 13 August 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-3632
[43] Intel, Security Article 000029388 – Chipset Software, Intel support article, accessed 13 August 2025. [Online]. Available: https://www.intel.com/content/www/us/en/support/articles/000029388/software/chipset-software.html
[44] J. Wallen, Is the Intel Management Engine a Backdoor?, TechRepublic, 1 July 2016, accessed 13 August 2025. [Online]. Available: https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor
[45] I. Skochinsky, Rootkit in your laptop: Hidden code in your chipset and how to discover what exactly it does, presented at Ruxcon Breakpoint, Melbourne, Australia, 2014, accessed 13 August 2025. [Online]. Available: https://2012.ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%202012%20Skochinsky.pdf
[46] Wikichip, Intel/management_engine, Wikichip wiki entry, accessed 13 August 2025. [Online]. Available: https://en.wikichip.org/wiki/intel/management_engine
[47] Wikichip, Intel/quark, Wikichip wiki entry, accessed 13 August 2025. [Online]. Available: https://en.wikichip.org/wiki/intel/quark
[48] GitHub, corna/me_cleaner, GitHub repository, accessed 13 August 2025. [Online]. Available: https://github.com/corna/me_cleaner
[49] GitHub, corna/me_cleaner@ced3b46…, specific commit view, accessed 13 August 2025. [Online]. Available: https://github.com/corna/me_cleaner/commit/ced3b46ba2ccd74602b892f9594763ef34671652
[50] GitHub, embedi/amt_auth_bypass_poc, GitHub repository, accessed 13 August 2025. [Online]. Available: https://github.com/embedi/amt_auth_bypass_poc
[51] C. Cimpanu, Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA, BleepingComputer, 28 August 2017, accessed 14 August 2025. [Online]. Available: https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa
[52] I. Skochinsky, Intel ME Secrets: Hidden code in your chipset and how to discover what exactly it does, presented at Recon, Montreal, Canada, 2014, accessed 15 August 2025. [Online]. Available: https://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf
[53] Author Unknown, ME blob format, archived webpage, accessed 15 August 2025. [Online]. Available: https://web.archive.org/web/20200225121609/http://me.bios.io/ME_blob_format
[54] GitHub, How does it work?, me_cleaner wiki page, accessed 15 August 2025. [Online]. Available: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
1: The history of this line of processors is rather interesting. They were initially developed by a game development studio called Argonaut Games who were trying to improve the performance of the Super NES via graphics coprocessors in the late 1980s.
2: Not the Belarusian ice hockey player.
3: Some fun trivia: the US government imprisoned Sklyarov in 2001 for breaking some e-readers! The state claimed that both he and his employer ElcomSoft had violated the DMCA in United States v. Elcom Ltd.
4: Australia mentioned! Breakpoint was a conference run by Ruxcon, an Australian hacker group based in Melbourne.
5: Joanna founded both ITL and Qubes OS! She now appears to be working on Golem Network.
6: Alex now seems to work at Nvidia.
7: Rafal now seems to work at Apple.