Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk)
Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.
According to them, they've been trying to get Intel to patch this for YEARS, and apparently they never bothered to practice responsible public disclosure in order to force Intel's hand.
It doesn't affect consumer grade PCs, only business grade PCs with Intel's remote management enabled.
Some help is here
http://mjg59.dreamwidth.org/48...
That was in one of the articles
If your system doesn't support AMT (which, if you're not running a "business-class" machine, it almost definitely does not because that's a special feature you need to pay extra to get), then it doesn't affect you.
What's the big deal? Just turn it off in the BIOS.
Oh nothing... just forgotten computer within a computer listening on wireless and wired Ethernet interfaces that is never updated and has total access to everything. Nothing to be concerned about.
Not like anyone outside the LAN can break into your computer using AMT unless you have a really messed up router/firewall configuration.
Good point. I mean all consumer routers are secure and can't be hacked with ease to perpetrate such a hack.
AMT is NOT defective by design because even when the system is working properly as designed I have to buy a cert from a valid certificate authority and broadcast DHCP on your LAN with domain corresponding to my cert to own you. This makes AMT secure.
And I believe most laptops have it off by default, which is good because having it on while joining public wireless is a really bad idea.
The first I ever heard about this AMT shit I was pulling my hair out trying to figure out how the F*** ports were open on my laptop computer that don't even show up in the F**** stack. When the ports remained open even after booting a Linux live distro I was even more pissed off... the last straw was when the ports remained open when the computer was turned off....F***** O..F..F...
Oh and by the way you can't disable AMT... there is no option to do that in the BIOS anywhere and believe me I've looked... the best you can do is disable the MMU which is used to virtualize hardware access so the NICs can be shared by both computers at the same time.
How is Microsoft going to patch something happening in the hardware underneath their OS, without the OS knowing anything about it? In case you haven't played with Intel AMT or vPro, it has some pretty amazing capabilities for remote management, including being able to persist remote control sessions across OS reboots, including being able to enter BIOS / uEFI setup and make changes, as well as mount an ISO image from a network volume as a 'physical' disk and boot off of it.
How could an OS that isn't even running patch that?
Slashdot still doesn’t support Unicode after it was added to the HTML standard in 1997.
Please shut the fuck up, you're only spreading disinformation.
What part of it is technically inaccurate?
AMT is a killer feature for businesses. It allows full remote management and recovery of headless servers. It's not a backdoor, it's a frontdoor. The feature has never been hidden, it's been advertised.
Oh god what year is this? Let me help you.
https://en.wikipedia.org/wiki/...
Crying about Intel is part of your disinformation. You're acting like only Intel does this. AMD does it too as well as some of the smaller companies. It's an extremely useful feature.
Let me help you.
https://en.wikipedia.org/wiki/...
However, the companies know the risks (or just want to charge you more for more features) so you have to enable it. You can buy the machines pre-enabled or you can enable it yourself, but it's not enabled by default on consumer PCs. This bug only affects systems with AMT turned on.
I'm a consumer. It came listening on TCP ports on my computer and I sure as f*** never turned it on.
The affected LMS service is enabled and run at startup by default in Windows 10.
Only if you have a CPU and motherboard chipset with vPro, which very few of them do. I had a look at some of the entries on Intel's list of Skylake desktop products for the consumer-level products, but got bored trying to find which of the CPUs had vPro support. I ended up looking at the motherboard chipsets, and only the Q170 supports it. The Z170, H170, Q150, B150, and H110 chipsets do not.
The original poster's point stands, that this does not affect consumer-grade PCs. Most people can happily ignore this vulnerability.
Every single Intel CPU has this hardware. The business SKUs just have it enabled. It's still there with the same blob, likely with the same vulnerability.
I would say that it is unlikely that the lowest of Celerons has all the features of the highest Xeon CPU with just some flags to turn off things like vPro. And I think that it is unlikely that they all have the same vulnerability when the security advisory explicitly states that:
Apparently you just have to make sure the LMS service in Windows is not installed or is disabled. Or not run Windows? That's the software that passes the requests to the firmware.
Not according to this analysis:
So the firmware is intercepting the traffic before the OS gets it. Turning off the LMS service would stop the remote console, but not the ability to reboot the machine into a remote ISO. At that point, your files would be visible unless you encrypted your drive.
As for not running Windows, that won't help. Further down the page linked above, it has instructions for Linux on how to see whether you are vulnerable. It also says:
If your system doesn't support AMT (which, if you're not running a "business-class" machine, it almost definitely does not because that's a special feature you need to pay extra to get), then it doesn't affect you.
AMT is included in every Intel processor sold today. It requires motherboard and network chipset support, but a large portion of consumer devices have Intel supplied chipsets for those too, which are almost certainly enabled for it. What you are talking about is the public-key based Enterprise features, which you need to license separately (usually through the management software that you purchase). But the basics are there - try connecting to your machine on a browser from another machine (from localhost won't work, it needs to come in through the ethernet or wifi adapter) on port 16992. If it acts differently from other random ports that have no service running on them, then your machine has everything it needs to run AMT.
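The check described in the last comment above, written out as an added example that is not part of the original thread: it probes port 16992 and a control port on a machine you administer and reports whether the two behave differently. The control port number 16990 and the function names are assumptions made for illustration.

```python
import socket
import sys

AMT_PORT = 16992      # port named in the comment above
CONTROL_PORT = 16990  # assumption: a port with no service on the target


def server_header(response):
    """Return the Server header from raw HTTP response bytes, or None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def probe(host, port, timeout=3.0):
    """Return (state, server): state is 'open', 'closed' or 'filtered'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", None          # TCP reset: nothing is listening
    except OSError:
        return "filtered", None        # timeout or unreachable
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = sock.recv(4096)
        except OSError:
            data = b""
    return "open", server_header(data)


def verdict(amt, control):
    """Compare the result for AMT_PORT with the control-port result."""
    if amt[0] == control[0]:
        return "no difference from an unused port"
    if amt[0] == "open":
        return "listener on %d, Server: %s" % (AMT_PORT, amt[1] or "not sent")
    return "port %d is %s, control is %s" % (AMT_PORT, amt[0], control[0])


if __name__ == "__main__":
    # Run from a second machine against a host you administer.
    target = sys.argv[1]
    print(verdict(probe(target, AMT_PORT), probe(target, CONTROL_PORT)))
```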