Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code.
Now Intel has done the same exercise and found 11 severe bugs that affect millions of computers and servers.
The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS).
The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public. Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.
To combat the security threat of ME as a security threat, Google created NERF, or the Non-Extensible Reduced Firmware, which it uses to manage Chromebooks. NERF runs on a Linux kernel rather than MINIX and removes ME's web server and IP stack, key EUFI drivers, and neuters the ability for ME and EUFI to self-reflash the firmware.
The bugs affect systems using Intel's 6th, 7th, and 8th Generation Core CPUs, a range of Xeon processors, as well the Apollo Lab Atom E3900 series, Apollo Lake Pentium, and Celeron N and J series chips.
Intel says the flaws would allow an attacker to "Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity".
The attacker could also load and execute arbitrary code that would be invisible to the user and operating system.
To help users address the current batch of bugs, Intel has released a detection tool for Windows and Linux systems, which displays a risk assessment of the system. Intel says the bugs may affect PCs, servers, and IoT platforms.
The Department of Homeland Security advised computer users to review the warning from Intel. It also urged them to contact computer makers to obtain software updates and advice on strategies for mitigating the threat.