Slashdot Mirror


Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk)

Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.
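The summary above gives defenders two facts to work with: the manageability web service answers over HTTP/HTTPS, and firmware lines 6 through 11.6 are affected. The following Python is an added example (not from the article, Intel or Embedi) that classifies captured HTTP response banners from an internal asset inventory against that range; it assumes the AMT web interface announces itself with a `Server: Intel(R) Active Management Technology <version>` header, and the sample responses are constructed.

```python
"""Triage AMT banners against the CVE-2017-5689 affected range (firmware 6 to 11.6)."""
import re
from typing import Iterable, List, Optional, Tuple

# Assumption: the AMT web interface reports its firmware version in the Server
# header in this shape (constructed samples below follow it).
_AMT_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s+(\d+(?:\.\d+)*)",
    re.IGNORECASE | re.MULTILINE,
)

AFFECTED_MIN_MAJOR = (6,)   # first affected release line named in the advisory summary
AFFECTED_MAX = (11, 6)      # last affected release line named in the advisory summary


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def amt_version_from_response(raw_http: str) -> Optional[Tuple[int, ...]]:
    """Return the advertised firmware version, or None if the banner is not AMT."""
    match = _AMT_SERVER_RE.search(raw_http)
    return parse_version(match.group(1)) if match else None


def in_affected_release_line(version: Tuple[int, ...]) -> bool:
    """True when major.minor lies within 6.x .. 11.6 inclusive.

    A vendor-patched build can sit inside the same release line, so a hit means
    "check this host's exact build against the vendor advisory", not "exploitable".
    """
    major_minor = version[:2] if len(version) >= 2 else (version[0], 0)
    return major_minor[:1] >= AFFECTED_MIN_MAJOR and major_minor <= AFFECTED_MAX


def triage(responses: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, raw_http) pairs to (host, version, status) for hosts that expose AMT."""
    findings = []
    for host, raw in responses:
        version = amt_version_from_response(raw)
        if version is None:
            continue  # not an AMT banner; nothing to report for this host
        status = "review-firmware-build" if in_affected_release_line(version) else "outside-range"
        findings.append((host, ".".join(map(str, version)), status))
    return findings


# Constructed sample captures: one in-range AMT host, one non-AMT host, one newer line.
SAMPLE_RESPONSES = [
    ("10.0.0.5", "HTTP/1.1 401 Unauthorized\r\nServer: Intel(R) Active Management Technology 9.1.30\r\n\r\n"),
    ("10.0.0.6", "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n\r\n"),
    ("10.0.0.7", "HTTP/1.1 401 Unauthorized\r\nServer: Intel(R) Active Management Technology 12.0.6\r\n\r\n"),
]
```

Hosts reported as `review-firmware-build` are the ones to chase with the manufacturer for the firmware update, or to cut off from untrusted networks until it arrives.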

6 of 164 comments

  1. Nine years, eh? by Ungrounded+Lightning · · Score: 3, Insightful

    Isn't that about how long I've been griping on Slashdot about AMT?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
  2. Was always a backdoor by Anonymous Coward · · Score: 5, Insightful

    Keep in mind that this is a security hole in a system that was always backdoored by Intel.

    It's a separate CPU with its own network connection, outside the control of the main CPU, it has full access to all the system and it was put in place deliberately by Intel. It communicates using SOAP over HTTP or HTTPS.

    It has been in all server and business chips FROM INTEL for years now....

    It can kill a PC, it can wipe hard disks (killing encryption keys used to access encrypted disks), it can read everything, do anything, rewrite the processor software, bypass any encryption and any security.

    Hardware vendors had access to this for years.
    So NSA would have had access to this for years.
    Russian FSB would have had access to this for years.
    China would have had access to this for years.

    And now every hacker has access.

    When you backdoor technology you end up with bad actors putting Orange Julius in office.

    1. Re:Was always a backdoor by Z80a · · Score: 3, Insightful

      Okay, can you audit the contents of the firmware of AMT to be sure it doesn't have any sort of backdoor, or truly disable it?

    2. Re:Was always a backdoor by squiggleslash · · Score: 2, Insightful

      A modern Intel CPU contains anything from half a billion to over 1.4 BILLION transistors. If Intel made it easy to audit the AMT firmware, you still wouldn't be able to guarantee a CPU is free of backdoors inserted by bad actors.

      Indeed, if I were inserting a backdoor into a CPU, AMT isn't really how I'd do it. It actively takes effort to make AMT accessible over the Internet. I can think of a number of ways to make a backdoor more useful to intelligence or law enforcement agencies. Imagine a CPU that, upon seeing a particular fingerprint in its L1 cache, makes an outgoing connection to a given IP address, and opens a console to it. You could compromise your CPU just by downloading an image, even if served over SSL, even if not visible in your browser, that contains the fingerprint.

      AMT is flawed, but it's a poor fit for the intentional back door for malicious third parties its louder critics claim it is.

      --
      You are not alone. This is not normal. None of this is normal.
  3. Re:Blame SemiAccurate by Anonymous Coward · · Score: 4, Insightful

    Eh, most people figured the entire thing was dreamed up by the NSA as soon as they learned what it did and how it worked.

  4. Re:More information please! by butzwonker · · Score: 3, Insightful

    The above posts are disinformation. We're talking about the Intel Management Engine, not AMT; the latter is the service, the former is not optional. ME is installed on nearly every Intel-based chipset/motherboard combo since 2008. That's well known and has been discussed for a long time, and it's not unreasonable to assume that the ME has been designed with backdoor features in mind from the start by Israel/US chip developers (though of course nobody in public has proof of that).

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.[33] According to an independent analysis by Igor Skochinsky, it is based on an ARC core, and the Management Engine runs the ThreadX RTOS from Express Logic. According to this analysis, versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x use the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[34]

    The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[35][36] The ME also communicates with the host via PCI interface.[34] Under Linux, communication between the host and the ME is done via /dev/mei.[33]

    Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[37] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[38][39]

    Quote from Wikipedia Article

    More info: Hackaday article on attempts to neutralize it, slides by Igor Skochinsky, CCC talk by Joanna Rutkowska, short 2016 Hackaday article. There is plenty more information on the Net if you care to look it up. Theoretically, ME only gives total access locally, if AMT features are disabled. Practically, it's likely that in combination with other exploits a remote exploit is also possible. If AMT features are enabled, you're screwed anyway.

    To repeat, this affects almost every Intel machine since 2008 and certainly every current Intel machine, whether you use AMT or not. It's especially problematic if you use full disk encryption.