Intel Releases Linux-Compatible Tool For Confirming ME Vulnerabilities


  • #21
    Originally posted by starshipeleven
    It allows their business customers to maintain control over PCs and motherboards they sell to the end users, and they probably pay for the privilege.

    That's Intel AMT which lives on top of Intel ME. The Management Engine is a completely separate CPU+RAM+ROM that lives outside of the host OS control and manages hardware initialization on boot, power management and some other shady things. It is contained in every Intel system since Core 2 Duo.

    It has been through many iterations. In the past it ran on the ARC architecture and since Skylake it's running on 3-core Quark-like x86 hardware. The operating system was based on some embedded Java crap in the past, but since the x86 switch it's a derivative of MINIX.

    This specific vulnerability allows arbitrary code execution that can be initiated from the host OS. Since ME is running above anything else that is very, very bad. Among other things ME has DMA capability to the entirety of system RAM, works when the system is supposedly powered off and is able to access the built-in NIC without OS control. No system firewall can stop it (this is mainly for AMT to work properly, but since it's a black box we can't know it's not doing anything shady).

    The tinfoil hats were right all along. Just wait until there is an unpatchable hardware-level exploit for it. The recent bugs in it have brought even more scrutiny to it so I can bet it's only a matter of time.



    • #22
      Oh and some fun facts as well about ME/AMT:

      The NSA has a special version of Intel ME in their computers that is deactivating itself after the initial hardware initialization. For us mortals attempting to remove ME completely results in the computer restarting after 30 minutes. The me_cleaner project is able to remove some of the more insidious components, but the most recent vulnerability makes it easy to reintroduce them.

      The last AMT vulnerability was affecting every version since the C2D era and the error allowed anyone to enter the AMT management website (yes, every computer with AMT has a built-in web server) as admin by simply providing an empty string as the password.

      Intel ME updates are distributed with BIOS updates. They can only be flashed to a newer version, downgrades will fail to apply. For the null-string bug it took Dell a few months to release updates for every generation of their products. They were not well tested as I've seen personally a BIOS update for multiple OptiPlex generations do the wrong thing. It updated the BIOS/UEFI part while the Intel ME failed to apply. Running the update again made it seem like the BIOS/UEFI update is applied (which it was, but the updater failed to compare the Intel ME versions). So the computer was left in a false-security state - the BIOS version was correct ("you are patched if running x.y.z BIOS") while in reality the Intel ME firmware was still vulnerable. The correct procedure is to flash the BIOS twice, which requires overriding the updater parameters if running in unattended (command line) mode...



      • #23
        Code:
        INTEL-SA-00086 Detection Tool
        Copyright(C) 2017, Intel Corporation, All rights reserved
        
        Application Version: 1.0.0.128
        Scan date: 2017-11-24 09:09:43 GMT
        
        *** Host Computer Information ***
        Name: IMM-Laptop
        Manufacturer: Acer
        Model: Aspire V3-772
        Processor Name: Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz
        OS Version: LinuxMint 18.2 sonya (4.4.0-98-generic)
        
        *** Intel(R) ME Information ***
        Engine: Intel(R) Management Engine
        Version: 9.0.3.1347
        SVN: 0
        
        *** Risk Assessment ***
        Based on the analysis performed by this tool: This system is not vulnerable.
        
        For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
        https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

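An added example, not part of the thread or of Intel's tool: a parser for detection-tool reports in the layout posted in #23, reading the ME firmware version from the report itself, which is the check post #22 found a BIOS version number could not stand in for. The sample text, the `expected_me_version` parameter and the fail-closed policy are assumptions; only the verdict string shown in the thread is treated as safe.

```python
import re

# Constructed sample: a trimmed report in the layout posted in the thread.
SAMPLE = """\
INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
*** Host Computer Information ***
Name: IMM-Laptop
*** Intel(R) ME Information ***
Version: 9.0.3.1347
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.
"""

SECTION = re.compile(r"^\*\*\* (.+) \*\*\*$")
SAFE_VERDICT = "This system is not vulnerable."  # the only verdict seen on this page


def parse_report(text):
    """Split a report into {section title: {key: value}}."""
    sections = {"header": {}}
    current = sections["header"]
    for line in map(str.strip, text.splitlines()):
        title = SECTION.match(line)
        if title:
            current = sections.setdefault(title.group(1), {})
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return sections


def triage(text, expected_me_version=None):
    """Return (host, me_version, ok); anything unexpected counts as not ok."""
    s = parse_report(text)
    host = s.get("Host Computer Information", {}).get("Name", "unknown")
    raw = s.get("Intel(R) ME Information", {}).get("Version", "")
    quad = re.fullmatch(r"\d+(\.\d+){3}", raw)
    version = tuple(int(p) for p in raw.split(".")) if quad else None
    verdicts = list(s.get("Risk Assessment", {}).values())
    ok = verdicts == [SAFE_VERDICT] and version is not None
    # expected_me_version (hypothetical parameter): the ME version an update was
    # meant to install, compared directly instead of trusting the BIOS version.
    if ok and expected_me_version is not None:
        ok = version >= expected_me_version
    return host, version, ok
```
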


        • #24
          Originally posted by IreMinMon
          Code:
          INTEL-SA-00086 Detection Tool
          Copyright(C) 2017, Intel Corporation, All rights reserved
          
          Application Version: 1.0.0.128
          Scan date: 2017-11-24 09:09:43 GMT
          
          *** Host Computer Information ***
          Name: IMM-Laptop
          Manufacturer: Acer
          Model: Aspire V3-772
          Processor Name: Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz
          OS Version: LinuxMint 18.2 sonya (4.4.0-98-generic)
          
          *** Intel(R) ME Information ***
          Engine: Intel(R) Management Engine
          Version: 9.0.3.1347
          SVN: 0
          
          *** Risk Assessment ***
          Based on the analysis performed by this tool: This system is not vulnerable.
          
          For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
          https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

          That's a Haswell, which is not vulnerable to this particular bug.

          The affected chipsets support the following CPUs:
          • 6th, 7th, and 8th generation Intel® Core™ Processor Family
          • Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
          • Intel® Xeon® Processor Scalable Family
          • Intel® Xeon® Processor W Family
          • Intel Atom® C3000 Processor Family
          • Apollo Lake Intel Atom® Processor E3900 series
          • Apollo Lake Intel® Pentium® Processors
          • Intel® Celeron® N and J series Processors



          • #25
            Originally posted by numacross
            That's Intel AMT which lives on top of Intel ME.

            ME is just the infrastructure they use to do various things the business customers ask them:
            -hide better their proprietary shit
            -provide "secure" DRM services for third parties
            -provide AMT
            -do whatever the fuck else a business customer asks them, as a ME module.



            • #26
              Originally posted by starshipeleven
              Last time I checked, it could do less and worse.

              Intel leads the way on overengineered backfiring crap since the Itanium days.

              Nope, it can do everything. It's literally a little mobile with full functionality inside a cpu. It has its own networking stack, full OS and all. They can literally run loops around any aspect of your computer with that thing and you can do nothing to prevent it.

              I think control freaks (3 letter agencies/governments) realized that the easiest way to control the wide PC market is not through software or zero-day vulnerabilities but simply to ensure the main component makers put up doors for them. I don't think there's another answer for the existence of these, especially given how secretive and no-commenty both companies are about them.



              • #27
                Originally posted by Almindor
                Nope, it can do everything. It's literally a little mobile with full functionality inside a cpu. It has its own networking stack, full OS and all. They can literally run loops around any aspect of your computer with that thing and you can do nothing to prevent it.

                My point is that it is inferior to ME, because it is.
                Its OS lacks features offered by ME, and in many cases it requires shit to be run inside Windows too.

                Then of course it is still a hardware backdoor, so it's not cool, but ME is so much "better".

                I'm sad that no one has set up a me_cleaner for the PSP though. Given the current situation the safer systems are Intel ones as I can neuter them more or less safely.



                • #28
                  Originally posted by Almindor
                  I think control freaks (3 letter agencies/governments) realized that the easiest way to control the wide PC market is not through software or zero-day vulnerabilities but simply to ensure the main component makers put up doors for them. I don't think there's another answer for the existence of these, especially given how secretive and no-commenty both companies are about them.

                  I already posted what ME/PSP is for. https://www.phoronix.com/forums/foru...217#post991217

                  And I laugh in the face of your statement that three letter agencies need a backdoor at this level. They can pwn Windows easily anyway, what's the point of going deeper?



                  • #29
                    Originally posted by Almindor
                    Nope, it can do everything. It's literally a little mobile with full functionality inside a cpu. It has its own networking stack, full OS and all. They can literally run loops around any aspect of your computer with that thing and you can do nothing to prevent it.

                    *bridgman scratches head - Ryzen CPUs don't even have a network interface, do they?
                    Test signature



                    • #30
                      Originally posted by starshipeleven
                      And I laugh in the face of your statement that three letter agencies need a backdoor at this level. They can pwn Windows easily anyway, what's the point of going deeper?

                      So they can pwn Linux, *BSDs and pretty much everything they could ever want? All birds with one stone.
