Slashdot Mirror
Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk)
Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.
NSA/GCHQ retire old abilities as windows 10 gains market share.
According to them, they've been trying to get Intel to patch this for YEARS, and apparently they never bothered to practice responsible public disclosure in order to force intels hand.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Since hardware manufacturers are obviously not going to provide updated firmware to all their products, it would be great if OS providers would patch this.
It doesn't affect consumer grade PCs, only business grade PCs with Intel's remote management enabled.
Isn't that about how log I've been griping on Slashdot about AMT?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Keep in mind that this is a security hole in a system that was always backdoored by Intel.
It's a separate CPU with its own network connection, outside the control of the main CPU, it has full access to all the system and it was put in place deliberately by Intel. It communicates using SOAP over HTTP or HTTPS.
It has been in all server and business chips FROM INTEL for years now....
It can kill a PC, it can wipe harddisks (killing encryption keys used to access encrypted disks), it can read everything, do anything, rewrite the processor software, bypass any encryption and any security.
Hardware vendors had access to this for years.
So NSA would have had access to this for years.
Russian FSB would have had access to this for years.
China would have had access to this for years.
And now every hacker has access.
When you backdoor technology you end up with bad actors putting Orange Julius in office.
* Does this affect every PC, or just people who bought special "business class" computers?
* If it affects all PCs, does "pester your machine's manufacturer for a firmware update" mean the same thing as "check your motherboard manufacturer's website for a patch," or does it imply that you're SOL if you built your own PC from parts?
* Intel's patch is Windows only. Does it affect Linux, or is Intel just being lazy?
* Should I tell my family to buy new PCs if their old PCs are out of warranty?
Thankfully, things like the Raspberry pi are becoming powerful enough and ubiquitous enough that we now have the option of using hardware completely free of the Microsoft-Intel taint.
Then you'll have to check the schematics you used when you hand assembled your motherboard and wrote the all the firmware for it and see what things you enabled.
Why do you idiots always assume that the US would be the only country interested in spying? You think Intel is a US company? Think again.
Now that AMD has released Ryzen you once again have the freedom of choice in the x86 space. The only way Intel will ever changes its ways is if people vote with their wallets and support competition.
"try the mitigations here".... you mean the ones that force you to sign a EULA?? is intel having a laugh?
A vulnerability that affects all other chips would be much worse. At least we all have a choice in which architectures we use.
Time is what keeps everything from happening all at once.
So this would have to be provisioned...
its like IPMI (DRAC)
(from wikipedia https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)
"The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).The ME also communicates with the host via PCI interface.Under Linux, communication between the host and the ME is done via /dev/mei "
so you would have to be completely insane to enable this and not be aware on a server, however -
" AMT is designed for client computing systems as compared with the typically server-based IPMI. "
so all those windows deployments are going to have to do an audit...
Apple laptops AFAIK do not enable this...
have fun auditing this if you manage a windows fleet !
regards
John Jones
https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide%20-%20Rev%201.1.pdf
The CTRL-p menu (after much of the booting had taken place) brought me to a AMT/ME screen where I could turn AMT off after entering a password.
The default password is "admin" which worked with my refurbished HP Xeon box. I have since changed the password.
Every single Intel CPU has this hardware. The business SKUs just have it enabled. It's still there with the same blob, likely with the same vulnerability.
The affected LMS service is enabled and run at startup by default in Windows 10.
Is this a mistake, or a backdoor? If it's deliberate then there should be some way to remotely enable it on computers where it's turned off.
You forgot the part about making your own integrated circuits. An IC is a black box.
There is remote provisioning for Intel ME / Intel vPro, but it's not the easiest thing in the world to set up, much less spoof. For example, you would need to have a certificate signed by a public provider that is specifically signed for Intel ME provisioning, and the domain on that cert needs to match the domain being offered by DHCP on the network. This ensures that a public CA has basically signed off on your ownership of that domain, and that you also own your network to a decent degree by controlling the infrastructure.
Can all of that be beaten? Probably. But at that point there's probably far easier exploits to take advantage of.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
There is remote provisioning for Intel ME / Intel vPro, but it's not the easiest thing in the world to set up, much less spoof. For example, you would need to have a certificate signed by a public provider that is specifically signed for Intel ME provisioning, and the domain on that cert needs to match the domain being offered by DHCP on the network. This ensures that a public CA has basically signed off on your ownership of that domain, and that you also own your network to a decent degree by controlling the infrastructure.
DHCP is not a secure protocol so no point in even mentioning it.
The ability to legitimately obtain a certificate in exchange for money or illegitimately obtain it by compromising ANYONE who has one is hardly what I would consider an insurmountable hurdle... Barely qualifies as a speed bump for a targeted attack.
Is there even a useful revocation procedure for known fraudulently obtained or compromised certs clients are REQUIRED to follow prior to getting 0wn3d?
Can all of that be beaten?
All of what?
You'd have to turn on AMT to begin with in order for this to work.
You'd have to turn on AMT to begin with in order for this to work.
Are you absolutely positive AMT cannot be remotely activated? Given the circumstances and who might be involved in this exploit existing and/or remaining unpatched for such a long time, I wouldn't trust that clicking to un-check that AMT box disables all of it, especially if the vulnerability was deliberate.
This makes me wonder what vulnerability nastiness has remained undiscovered/unreported (intentionally baked-in?) about AMD CPUs and chipsets. You know the TLAs wouldn't ignore AMD.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Interesting.
I just watched Rudolf Marek: AMD x86 SMU firmware analysis yesterday afternoon.
slides
These slides are related to the talk, but might not be an exact match.
Funny anecdote: someone got Linux running on an ARM chip inside a disk drive. That would be really useful for beating up on the algorithms inside Intel's new Optame, er, Optane Memory.
It's funny how many critical security flaws are so devious that they allow state-actors to just walk right in, and when they're found they stick out like sore thumbs. This here is exactly why you shouldn't buy CPUs from NSA-CIA-Intel.
The affected LMS service is enabled and run at startup by default in Windows 10.
Only if you have a CPU and motherboard chipset with vPro, which very few of them do. I had a look at some of the entries on Intel's list of Skylake desktop products for the consumer-level products, but got bored trying to find which of the CPUs had vPro support. I ended up looking at the motherboard chipsets, and only the Q170 supports it. The Z170, H170, Q150, B150, and H110 chipsets do not.
The original poster's point stands, that this does not affect consumer-grade PCs. Most people can happily ignore this vulnerability.
Every single Intel CPU has this hardware. The business SKUs just have it enabled. It's still there with the same blob, likely with the same vulnerability.
I would same that it is unlikely that the lowest of Celerons has all the features of the highest Xeon CPU with just some flags to turn off things like vPro. And I think that it is unlikely that they all have the same vulnerability when the security advisory explicitly states that:
Mod patent up! Indeed, the word's been that AMD has been ignored, either...
...hasN'T.
Wait a minute. This (partly intentional) flaw affects practically every Intel-based PC since 2008 and some platforms since 2006. It's true that if you have remote management disabled it appears to lead to local exploits only at first sight, but there are many reasons to believe that even with the option disabled remote exploits may become possible. ME allows the running of signed Java programs on a completely separate core, which are sent via ethernet and have full access to memory and i/o controllers, it can be used to side-channel attack disk encryption and the probability that there is a serious bug that allows for remote exploits in such a complex infrastructure is also fairly high.
I may be a shill, but you are a plain nut-job! I provided a list of non-server Skylake CPUs and motherboard chipsets along with a list of the chipset model numbers that have vPro facility. All you provided was a strongly worded and unsupported assertion. If you had wanted to prove me wrong and actually believed your own rantings then you would have gone through the entire list and counted how many do and don't support vPro. Then you could have gloated about how wrong I was. But you didn't, so I will. Of the desktop CPUs, 6 support vPro while 22 do not. And as I said before only 1 in 6 of their chipsets would actually allow the CPUs to use that feature. You are wrong.
I do wonder why would you say we shouldn't trust Intel's word on their deliberate backdoors when they have been completely upfront (and even boasted) about the remote access facility of AMT! Nothing about this latest revelation shows that Intel have lied about anything.
If you have no evidence to support your notion that every Intel chip is secretly spying on you then don't swear at people who don't share your paranoid ravings. Some of us would rather have proof before we dusted off our pitchforks. That said, I would never buy a CPU that had remote access built in simply to avoid a potential attack vector. But there is a big difference between prudence and paranoia.
It does exist on intel consumer PCs and this was confirmed over at HN.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
...all silicon was vulnerable?
AMD isn't secure, either.
I told you people there was a game-changing vulnerability out there that resided in pretty much all modern silicon.
Loving those downmods, now, because here I am, shown right. Vindication is always sweet.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
If you turn ME off in BIOS then it doesn't load anything above the primitives to get the system up and running, no higher kernel functions, and certainly no AMT code.
In other news, I owe several people here an apology, as I've stood up for my former employer in the past. I still stand by that they took security seriously, but obviously something big got through.
I worked on ME and this is in AMT (A component of ME, but developed by a different team; in Israel, not US... though the entire shooting match is over there now since they shuttered the US side).
So... time for me to go grab a hunk of humble pie.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
What a disappointingly predictable response. A reply that provides no evidence, and fails to address anything that I said. All we get is name calling and vulgarities. You don't even have the wit to make your insults amusing.
Go on, give me your best shot! Perhaps if you remove your tinfoil hat the CIA might helpfully beam to you some choice phrases.
Have you got a link for that?
Supposedly so they can be located if stolen, but it sounds pretty sketch to me. i think the functionality is branded vPro.
It sounds like, "in order for this to work remotely", however the post reads to me as if a local exploit exists, even if AMT is disabled.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Is there even a useful revocation procedure for known fraudulently obtained or compromised certs clients are REQUIRED to follow prior to getting 0wn3d?
Yeah. Update your firmware. LOL.
How's the AMT/ME shit going to know about a revoked cert? Yeah, it has full network access, but it might not have access to a DNS server to check a URL for revocation. It might be firewalled off from the net (and given the dangerous nature of this thing, it should be). So, yup. Bad cert from a shitty CA, and someone within your network = you are fucked.
People have x-rayed these things. The hardware is still there.
The three threads about it are off the HN front page but if you find them the comments dive right into it. It also happens to exist on my consumer DV9000 and DV7 laptops, I checked by simply pinging the ports with those machines off and yet connected to my wired network.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The price you pay for buying components instead of paying someone else to construct them is that working that out is now your problem.
Machine means the computer as a whole and whom you bought it from. Since you effectively bought it from yourself the company to contact would be yourself. In turn you'd likely pass yourself along to the motherboard manufacturer since that would be where the enabling and disabling of CPU features and chipset choices would be.
If you turn ME off in BIOS then it doesn't load anything above the primitives to get the system up and running, no higher kernel functions, and certainly no AMT code.
Sorry, but we're to simply trust you on this? I don't think so, nothing personal. Since everything is intentionally made extremely difficult to access in order to confirm what AMT may or may not be capable of, the only sane choice is not to trust it. I know I don't. I don't trust AMD either. I never put any data I truly wish to stay secure on an internet-connected machine. You may as well put it on a thumbdrive and mail it to NSA HQ and save some tax dollars.
The DHS needs to be abolished, their leaders and employees blackballed from any government job or office for life, the CIA and NSA need a top-to-bottom purging with their people facing the same restrictions as the newly-unemployed DHS jackboots, and new people and new & effective checks on their powers and scope put in place.
It's either suffer the pain of dealing with the out-of-control US intelligence/domestic law enforcement agencies and departments now, or wait until the US goes full surveillance/police state. At the rate things have been moving, time is likely growing short until that happens.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
I just realised, that 'government job or office' might not be strict enough.
Imagine these clowns, fired, looking for work.
Where might they work next? And who would benefit from their knowledge?