Want to subscribe to topics you're interested in?
Become a Member

Security Remote security exploit in all 2008+ Intel platforms

Discussion in 'All Internet & Web Performance News' started by eva2000, May 2, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    12:48 PM
    Nginx 1.13.x
    MariaDB 5.5
    Yikes Remote security exploit in all 2008+ Intel platforms - SemiAccurate

     
  2. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    12:48 PM
    Nginx 1.13.x
    MariaDB 5.5
    Intel® Product Security Center

     
  3. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    10:48 PM
    1.13.x
    MariaDB 10.1.x
    I wonder what should be done on dedicated servers which have Xeon processors. They have vPro technology. Turn off the Virtualization Technology?
     
  4. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
  5. Revenge

    Revenge Active Member

    288
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    3:48 AM
    1.9.x
    10.1.x
    How easy is to someone to exploit this vulnerability? Like, any script kid will start to exploit random computers, or is not that easy?
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    12:48 PM
    Nginx 1.13.x
    MariaDB 5.5
    still reading up on this myself

    thanks
     
  7. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    @Revenge

    At the moment there is not a problem for someone to hack you.

    Even good hackers now start researching for it to create a POC ....

    But it will be great to have asap some basic info:

    Active Management Technology
    AMT is intended to provide IT departments with a means to manage client systems. When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console. Access to AMT requires a password - the implication of this vulnerability is that that password can be bypassed.

    Keep in mind that you can't just bock that ports and you will be fine as that packets are invisible to the system !

    You will need a firewall before the packets land to your machine so you can block at that level the ports: 16992 and 16993

    1)Is our chips vulnerable at all or not (starting point)

    Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.

    Remote management
    AMT has two types of remote console: emulated serial and full graphical. The emulated serial console requires only that the operating system run a console on that serial port, while the graphical environment requires drivers on the OS side. However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.

    Don't thing that at least the most of us are in that scenario .....

    How bad is this
    That depends. Unless you've explicitly enabled AMT at any point, you're probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don't have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…
    How do I know if I have it enabled?
    Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:

    1) A supported CPU
    2) A supported chipset
    3) Supported network hardware
    4) The ME firmware to contain the AMT firmware

    Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.

    What do we not know?

    We have zero information about the vulnerability, other than that it allows unauthenticated access to AMT. One big thing that's not clear at the moment is whether this affects all AMT setups, setups that are in Small Business Mode, or setups that are in Enterprise Mode. If the latter, the impact on individual end-users will be basically zero - Enterprise Mode involves a bunch of effort to configure and nobody's doing that for their home systems. If it affects all systems, or just systems in Small Business Mode, things are likely to be worse.

    !!!!!!Booting from remote devices with AMT actually disables secure boot in any bios that properly supports AMT.!!!!!!!
     
    Last edited: May 2, 2017
    • Informative Informative x 1
  8. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    At the moment i think there is no reason for panic as the only available exploit is that ONLY if you met the criteria then the attacker can bypass the AMT Administrator password.

    That's it!

    After that theoretically he can have access to ram and may be able to run arbitrary code and try to inject some backdoor but at the moment it seems far away for it.

    We must collect all info here and some easy ways to check our systems if they are vulnerable or not and possible fixes so all users can check :)
     
    • Like Like x 1
  9. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Latest news from source:

    The discovered critical vulnerability in the remote management features on computers shipped with Intel processors for past seven years (and not decade), which could allow attackers to take control of the computers remotely, affecting all Intel systems, including PC, laptops, and servers, with AMT feature enabled.

    As reported earlier, this critical flaw (CVE-2017-5689) is not a remote code execution, confirmed that it's a logical vulnerability that also gives remote attackers an opportunity to exploit this bug using additional tactics.

    According to the Intel advisory, the vulnerability could be exploited in two ways:

    • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
    • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
    These insecure management features have been made available in various, but not all, Intel chipsets from almost past seven years, starting from vPro-capable 5-series chipsets.

    Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.

    Affected Firmware Versions & How to Patch

    The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.

    How To Find Intel® vPro™ Technology Based PCs

    Download INTEL-SA-00075 Detection Guide

    Download INTEL-SA-00075 Mitigation Guide
     
  10. Revenge

    Revenge Active Member

    288
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    3:48 AM
    1.9.x
    10.1.x
    Well, my Elitebook comes with AMT enabled.

    Activado = Enabled

    [​IMG]
     
  11. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    • Informative Informative x 2
  12. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    12:48 PM
    Nginx 1.13.x
    MariaDB 5.5
    Someone mentioned that this is a good excuse to switch over to a new AMD Ryzen 7 based system :D
     
  13. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Check physical host for vuln. CVE-2017-5689

    Code:
    lspci | grep -q -e MEI -e HECI && echo "Check your firmware for Intel AMT vulnerability"
     
  14. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:48 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    • Informative Informative x 1
  15. apidevlab

    apidevlab Member

    88
    30
    18
    Mar 22, 2016
    /dev/null
    Ratings:
    +54
    Local Time:
    3:48 AM
    1.11.1
    5.2.14-122
    The Intel Management Engine has always seemed to me to be a stink of security possibilities, it's a powerful tooll that essentialy proves you don't even own your hardware anymore (never mind the software)

    That https://mattermedia.com/blog/disabling-intel-amt/ is a great link see also Intel & ME, and why we should get rid of ME — Free Software Foundation — working together for free software
     
    • Informative Informative x 1
  16. eva2000

    eva2000 Administrator Staff Member

    30,170
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    12:48 PM
    Nginx 1.13.x
    MariaDB 5.5
    More reading The hijacking flaw that lurked in Intel chips is worse than anyone thought

    looks like i'm all clear at least

    upload_2017-5-10_20-35-40.png
     
    Last edited: May 10, 2017
  17. Revenge

    Revenge Active Member

    288
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +227
    Local Time:
    3:48 AM
    1.9.x
    10.1.x
    Mine:
    What is the best way to protect against this without new drivers from HP?