
[Security] Remote security exploit in all 2008+ Intel platforms

Discussion in 'All Internet & Web Performance News' started by eva2000, May 2, 2017.

1. eva2000 (Administrator, Staff Member)
Yikes: Remote security exploit in all 2008+ Intel platforms - SemiAccurate



     
2. eva2000 (Administrator, Staff Member)
    Intel® Product Security Center

     
3. Jimmy (Well-Known Member)
    I wonder what should be done on dedicated servers which have Xeon processors. They have vPro technology. Turn off the Virtualization Technology?
     
4. pamamolf (Premium Member)

5. Revenge (Active Member)
How easy is it for someone to exploit this vulnerability? Like, will any script kiddie start exploiting random computers, or is it not that easy?
     
6. eva2000 (Administrator, Staff Member)
    still reading up on this myself

    thanks
     
7. pamamolf (Premium Member)
    @Revenge

At the moment there is not a problem with someone hacking you.

Even good hackers are now starting to research it to create a POC ....

    But it will be great to have asap some basic info:

    Active Management Technology
    AMT is intended to provide IT departments with a means to manage client systems. When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console. Access to AMT requires a password - the implication of this vulnerability is that that password can be bypassed.

Keep in mind that you can't just block those ports and be fine, as those packets are invisible to the system!

You will need a firewall in front of your machine, before the packets reach it, so you can block ports 16992 and 16993 at that level.

1) Are our chips vulnerable at all or not? (starting point)

    Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.

    Remote management
    AMT has two types of remote console: emulated serial and full graphical. The emulated serial console requires only that the operating system run a console on that serial port, while the graphical environment requires drivers on the OS side. However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.

Don't think that at least most of us are in that scenario .....

    How bad is this
That depends. Unless you've explicitly enabled AMT at any point, you're probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don't have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…

How do I know if I have it enabled?
Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:

    1) A supported CPU
    2) A supported chipset
    3) Supported network hardware
    4) The ME firmware to contain the AMT firmware

    Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.

    What do we not know?

    We have zero information about the vulnerability, other than that it allows unauthenticated access to AMT. One big thing that's not clear at the moment is whether this affects all AMT setups, setups that are in Small Business Mode, or setups that are in Enterprise Mode. If the latter, the impact on individual end-users will be basically zero - Enterprise Mode involves a bunch of effort to configure and nobody's doing that for their home systems. If it affects all systems, or just systems in Small Business Mode, things are likely to be worse.

    !!!!!!Booting from remote devices with AMT actually disables secure boot in any bios that properly supports AMT.!!!!!!!
     
    Last edited: May 2, 2017
8. pamamolf (Premium Member)
At the moment I think there is no reason for panic, as the only available exploit is that, ONLY if you meet the criteria, the attacker can bypass the AMT Administrator password.

    That's it!

After that, theoretically, he can have access to RAM and may be able to run arbitrary code and try to inject some backdoor, but at the moment it seems far away.

We must collect all the info here, with some easy ways to check whether our systems are vulnerable or not and possible fixes, so all users can check :)
     
9. pamamolf (Premium Member)
    Latest news from source:

The critical vulnerability discovered in the remote management features of computers shipped with Intel processors for the past seven years (and not a decade) could allow attackers to take control of the computers remotely, affecting all Intel systems, including PCs, laptops, and servers, with the AMT feature enabled.

As reported earlier, this critical flaw (CVE-2017-5689) is not a remote code execution bug; it has been confirmed to be a logical vulnerability that also gives remote attackers an opportunity to exploit this bug using additional tactics.

    According to the Intel advisory, the vulnerability could be exploited in two ways:

    • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
    • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
These insecure management features have been made available in various, but not all, Intel chipsets for almost the past seven years, starting from vPro-capable 5-series chipsets.

    Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.

    Affected Firmware Versions & How to Patch

The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.

    How To Find Intel® vPro™ Technology Based PCs

    Download INTEL-SA-00075 Detection Guide

    Download INTEL-SA-00075 Mitigation Guide
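
The two checks this thread keeps coming back to, the lspci MEI/HECI test (post 7 and the one-liner in post 13 below) and the affected firmware range quoted just above, combined into one POSIX shell script. This is an added example, not code from the thread or from Intel's SA-00075 tools; it encodes the version range exactly as the thread states it (6.x through 11.6 affected, earlier or later not), so Intel's detection guide remains the authority, and the sample lspci line is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from Intel's SA-00075 tools).
# Two checks taken from the posts above:
#  1. does lspci list an MEI/HECI communication controller?
#  2. is the ME firmware version inside the affected range as quoted above
#     (6.x through 11.6 affected, before 6 or after 11.6 not)?

# Constructed sample lspci line (not captured from a real host) for a self-check.
SAMPLE_MEI_LINE="00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)"

# Returns 0 when the lspci text given as $1 lists an MEI/HECI controller.
mei_controller_present() {
    printf '%s\n' "$1" | grep -q -e MEI -e HECI
}

# Returns 0 when a version such as "9.1.41" or "11.6.27" is in the affected
# range, 1 when it is not, 2 when it cannot be parsed.
amt_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # A bare "11" has no minor part; treat it as 11.0 (listed as affected).
    [ "$rest" = "$1" ] && minor=0
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 6 ] && return 1
    [ "$major" -lt 11 ] && return 0
    [ "$major" -eq 11 ] && [ "$minor" -le 6 ] && return 0
    return 1
}

# Runs the lspci check on this host. The firmware version has to come from
# Intel's detection guide or the MEBx (ctrl+p) screen, so only a hint is printed.
check_this_host() {
    if ! command -v lspci >/dev/null 2>&1; then
        echo "lspci not found (install pciutils)"
        return 2
    fi
    if mei_controller_present "$(lspci 2>/dev/null)"; then
        echo "MEI/HECI controller present: AMT may be provisioned, check the ME firmware version"
        return 0
    fi
    echo "No MEI/HECI controller listed: AMT is not running on this host"
    return 1
}

# Exit status discarded so sourcing this file from another script does not abort it.
check_this_host || :
```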
     
10. Revenge (Active Member)
    Well, my Elitebook comes with AMT enabled.

    Activado = Enabled

     
11. pamamolf (Premium Member)

12. eva2000 (Administrator, Staff Member)
    Someone mentioned that this is a good excuse to switch over to a new AMD Ryzen 7 based system :D
     
13. pamamolf (Premium Member)
    Check physical host for vuln. CVE-2017-5689

    Code:
    lspci | grep -q -e MEI -e HECI && echo "Check your firmware for Intel AMT vulnerability"
     
14. pamamolf (Premium Member)

15. apidevlab (Member)
The Intel Management Engine has always seemed to me to be a stink of security possibilities; it's a powerful tool that essentially proves you don't even own your hardware anymore (never mind the software).

That https://mattermedia.com/blog/disabling-intel-amt/ is a great link; see also "Intel & ME, and why we should get rid of ME" (Free Software Foundation).
     
16. eva2000 (Administrator, Staff Member)
More reading: The hijacking flaw that lurked in Intel chips is worse than anyone thought

Looks like I'm all clear at least

     
    Last edited: May 10, 2017
17. Revenge (Active Member)
    Mine:
    What is the best way to protect against this without new drivers from HP?