Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk)

Posted by BeauHD on from the keep-an-eye-out dept.

Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.

32 of 164 comments (clear)

  1. Blame SemiAccurate by Khyber · · Score: 3, Informative

    According to them, they've been trying to get Intel to patch this for YEARS, and apparently they never bothered to practice responsible public disclosure in order to force intels hand.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Blame SemiAccurate by Entropy_ajb · · Score: 5, Informative

      That's because SemiAccurate never found an actual bug. Charlie was just concerned about the capabilities of the ME, and that there could be a bug one day. He tried for years to get Intel to just get rid of the ME not to fix any specific bug. You can decide if he was right or not based on this bug.

      It is important to note that based on what has been released so far, you had to opt into to using ME in its full mode to be affected. If you just bought a random PC your system isn't vulnerable.

    2. Re:Blame SemiAccurate by Anonymous Coward · · Score: 4, Insightful

      Eh, most people figured the entire thing was dreamed up by the NSA as soon as they learned what it did and how it worked.

    3. Re:Blame SemiAccurate by 93+Escort+Wagon · · Score: 2

      It is important to note that based on what has been released so far, you had to opt into to using ME in its full mode to be affected. If you just bought a random PC your system isn't vulnerable.

      I don't think that's quite accurate. It sounds to me like if you "just bought a random PC", your system isn't remotely vulnerable... but this can still be exploited by an attacker with physical access to your system.

      --
      #DeleteChrome
    4. Re:Blame SemiAccurate by MachineShedFred · · Score: 3, Informative

      It's likely, they would just need to hit the hotkey to configure the management engine during POST. But, if they have physical access, you're already had anyway unless you encrypt your disk and have passwords enabled everywhere possible by the fact that they could just image the drive and walk away.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    5. Re:Blame SemiAccurate by butzwonker · · Score: 2

      if they have physical access, you're already had anyway unless you encrypt your disk and have passwords enabled everywhere

      Access to ME also allows access to the contents of encrypted disks, via direct memory access while the host operating system is reading and writing them and by grabbing the keys used from memory. That's a huge difference.

  2. Nine years, eh? by Ungrounded+Lightning · · Score: 3, Insightful

    Isn't that about how log I've been griping on Slashdot about AMT?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Nine years, eh? by Narcocide · · Score: 2

      ... unless you have a really messed up router/firewall configuration.

      You mean, like one that uses Intel chips?

    2. Re:Nine years, eh? by WaffleMonster · · Score: 3, Informative

      What's the big deal? Just turn it off in the BIOS.

      Oh nothing... just forgotten computer within a computer listening on wireless and wired Ethernet interfaces that is never updated and has total access to everything. Nothing to be concerned about.

      Not like anyone outside the LAN can break into your computer using AMT unless you have a really messed up router/firewall configuration.

      Good point. I mean all consumer routers are secure and can't be hacked with ease to perpetrate such a hack.

      AMT is NOT defective by design because even when the system is working properly as designed I have to buy a cert from a valid certificate authority and broadcast DHCP on your LAN with domain corresponding to my cert to own you. This makes AMT secure.

      And I believe most laptops have it off by default, which is good because having it on while joining public wireless is a really bad idea.

      The first I ever heard about this AMT shit I was pulling my hair out trying to figure out how the F*** ports were open on my laptop computer that don't even show up in the F**** stack. When the ports remained open even after booting a Linux live distro I was even more pissed off... the last straw was when the ports remained open when the computer was turned off....F***** O..F..F...

      Oh and by the way you can't disable AMT... there is no option to do that in the bios anywhere and believe me I've looked... the best you can do is disable the MMU which is used to virtualize hardware access so the NICs can be shared by both computers at the same time.

  3. Was always a backdoor by Anonymous Coward · · Score: 5, Insightful

    Keep in mind that this is a security hole in a system that was always backdoored by Intel.

    It's a separate CPU with its own network connection, outside the control of the main CPU, it has full access to all the system and it was put in place deliberately by Intel. It communicates using SOAP over HTTP or HTTPS.

    It has been in all server and business chips FROM INTEL for years now....

    It can kill a PC, it can wipe harddisks (killing encryption keys used to access encrypted disks), it can read everything, do anything, rewrite the processor software, bypass any encryption and any security.

    Hardware vendors had access to this for years.
    So NSA would have had access to this for years.
    Russian FSB would have had access to this for years.
    China would have had access to this for years.

    And now every hacker has access.

    When you backdoor technology you end up with bad actors putting Orange Julius in office.

    1. Re:Was always a backdoor by WaffleMonster · · Score: 5, Informative

      Please shut the fuck up, you're only spreading disinformation.

      What part of it is technically inaccurate?

      AMT is a killer feature for businesses. It allows full remote management and recovery of headless servers. It's not a backdoor, it's a frontdoor. The feature has never been hidden, it's been advertised.

      Oh god what year is this? Let me help you.
      https://en.wikipedia.org/wiki/...

      Crying about Intel is part of your disinformation. You're acting like only Intel does this. AMD does it too as well as some of the smaller companies. It's an extremely useful feature.

      Let me help you.
      https://en.wikipedia.org/wiki/...

      However, the companies know the risks (or just want to charge you more for more features) so you have to enable it. You can buy the machines pre-enabled or you can enable it yourself, but it's not enabled by default on consumer PCs. This bug only effects systems with AMT turned on.

      I'm a consumer. It came listening on TCP ports on my computer and I sure as f*** never turned it on.

    2. Re:Was always a backdoor by Z80a · · Score: 3, Insightful

      Okay, can you audit the contents of the firmware of AMT to be sure it don't have any sort of backdoor or truly disable it?

    3. Re:Was always a backdoor by squiggleslash · · Score: 2, Insightful

      A modern Intel CPU contains anything from half a billion to over 1.4 BILLION transistors. If Intel made it easy to audit the AMT firmware, you still wouldn't be able to guarantee a CPU isn't free of backdoors inserted by bad actors.

      Indeed, if I were inserting a backdoor into a CPU, AMT isn't really how I'd do it. It actively takes effort to make AMT accessible over the Internet. I can think of a number of ways to make a backdoor more useful to intelligence or law enforcement agencies. Imagine a CPU that, upon seeing a particular fingerprint in its L1 cache, makes an outgoing connection to a given IP address, and opens a console to it. You could compromise your CPU just by downloading an image, even if served over SSL, even if not visible in your browser, that contains the fingerprint.

      AMT is flawed, but it's a poor fit for the intentional back door for malicious third parties its louder critics claim it is.

      --
      You are not alone. This is not normal. None of this is normal.
  4. More information please! by Anonymous Coward · · Score: 3, Interesting

    * Does this affect every PC, or just people who bought special "business class" computers?

    * If it affects all PCs, does "pester your machine's manufacturer for a firmware update" mean the same thing as "check your motherboard manufacturer's website for a patch," or does it imply that you're SOL if you built your own PC from parts?

    * Intel's patch is Windows only. Does it affect Linux, or is Intel just being lazy?

    * Should I tell my family to buy new PCs if their old PCs are out of warranty?

    1. Re:More information please! by jmccue · · Score: 4, Informative

      Some help is here

      http://mjg59.dreamwidth.org/48...

      That was in one of the articles

    2. Re:More information please! by butzwonker · · Score: 3, Insightful

      The above posts are disinformation. We're talking about Intel Management Engine, not AMT, the latter is the service, the former is not optional. ME is installed on nearly every Intel-based chipset/motherboard combo since 2008. That's well known and has been discussed for a long time, and it's not unreasonable to assume that the ME has been designed with backdoor features in mind from the start by Israel/US chip developers (though of course nobody in public has a proof for that).

      The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.[33] According to an independent analysis by Igor Skochinsky, it is based on an ARC core, and the Management Engine runs the ThreadX RTOS from Express Logic. According to this analysis, versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x use the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[34]

      The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[35][36] The ME also communicates with the host via PCI interface.[34] Under Linux, communication between the host and the ME is done via /dev/mei.[33]

      Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[37] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[38][39]

      Quote from Wikipedia Article

      More info: Hackaday article, on attempts to neutralizing it, Slides by Igor Skochinsky, CCC talk by Jana Rutkowska, short 2016 hackaday article. There is plenty of more information on the Net if you care to look it up. Theoretically, ME only gives total access locally, if AMT features are disabled. Practically, it's likely that by a combination with other exploits a remote exploit is also possible. If AMT features are enabled, you're screwed anyway.

      To repeat, this affects almost every Intel machine since 2008 and certainly every current Intel machine, whether you use AMT or not. It's especially problematic if you use full disk encryption.

    3. Re:More information please! by Anonymous Coward · · Score: 2, Informative

      If your system doesn't support AMT (which, if you're not running a "business-class" machine, it almost definitely does not because that's a special feature you need to pay extra to get), then it doesn't affect you.

      AMT is included in every Intel processor sold today. It requires motherboard and network chipset support, but a large portion of consumer devices have Intel supplied chipsets for those too, which are almost certainly enabled for it. What you are talking about is the public-key based Enterprise features, which you need to license separately (usually through the management software that you purchase). But the basics are there - try connecting to your machine on a browser from another machine (from localhost won't work, it needs to come in through the ethernet or wifi adapter) on port 16992. If it acts differently from other random ports that have no service running on them, then your machine has everything it needs to run AMT.

  5. Re:Not surprised by Anonymous Coward · · Score: 2, Interesting

    Why do you idiots always assume that the US would be the only country interested in spying? You think Intel is a US company? Think again.

  6. Default password = admin by eric31415927 · · Score: 4, Interesting

    The CTRL-p menu (after much of the booting had taken place) brought me to a AMT/ME screen where I could turn AMT off after entering a password.
    The default password is "admin" which worked with my refurbished HP Xeon box. I have since changed the password.

  7. Re:Explain to me by sexconker · · Score: 2

    Every single Intel CPU has this hardware. The business SKUs just have it enabled. It's still there with the same blob, likely with the same vulnerability.

  8. Re: Great... by Brockmire · · Score: 5, Funny

    If you ask them right at 12:00, they could!

  9. Re:Great... by MachineShedFred · · Score: 5, Informative

    How is Microsoft going to patch something happening in the hardware underneath their OS, without the OS knowing anything about it? In case you haven't played with Intel AMT or vPro, it has some pretty amazing capabilities for remote management, including being able to persist remote control sessions across OS reboots, including being able to enter BIOS / uEFI setup and make changes, as well as mount an ISO image from a network volume as a 'physical' disk and boot off of it.

    How could an OS that isn't even running patch that?

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  10. Re:Explain to me by MachineShedFred · · Score: 2

    There is remote provisioning for Intel ME / Intel vPro, but it's not the easiest thing in the world to set up, much less spoof. For example, you would need to have a certificate signed by a public provider that is specifically signed for Intel ME provisioning, and the domain on that cert needs to match the domain being offered by DHCP on the network. This ensures that a public CA has basically signed off on your ownership of that domain, and that you also own your network to a decent degree by controlling the infrastructure.

    Can all of that be beaten? Probably. But at that point there's probably far easier exploits to take advantage of.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  11. Re:Great... by Tanktalus · · Score: 2

    When it *is* running, it could apply the firmware to the BIOS/UEFI system. This may require a reboot somewhere in the middle, but so be it. And then the system would be safe.

    Of course, that greatly simplifies the concept since every motherboard has its own variation on BIOS/UEFI. As long as we're dreaming of ponies and rainbows, yeah, this would be nice. But I can see it being a huge headache for MS or Linux distros to manage.

    And just think about the poor saps running Hackintosh systems... no way Apple is going to ship firmware for non-Apple-branded systems! :)

  12. Re:Just because you're paranoid by ArmoredDragon · · Score: 2

    You'd have to turn on AMT to begin with in order for this to work.

  13. Re:Just because you're paranoid by BlueStrat · · Score: 3, Interesting

    You'd have to turn on AMT to begin with in order for this to work.

    Are you absolutely positive AMT cannot be remotely activated? Given the circumstances and who might be involved in this exploit existing and/or remaining unpatched for such a long time, I wouldn't trust that clicking to un-check that AMT box disables all of it, especially if the vulnerability was deliberate.

    This makes me wonder what vulnerability nastiness has remained undiscovered/unreported (intentionally baked-in?) about AMD CPUs and chipsets. You know the TLAs wouldn't ignore AMD.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  14. Do you think this was accidental? by Anonymous Coward · · Score: 2, Interesting

    It's funny how many critical security flaws are so devious that they allow state-actors to just walk right in, and when they're found they stick out like sore thumbs. This here is exactly why you shouldn't buy CPUs from NSA-CIA-Intel.

  15. Actually, right!!!! by Gadget_Guy · · Score: 5, Informative

    The affected LMS service is enabled and run at startup by default in Windows 10.

    Only if you have a CPU and motherboard chipset with vPro, which very few of them do. I had a look at some of the entries on Intel's list of Skylake desktop products for the consumer-level products, but got bored trying to find which of the CPUs had vPro support. I ended up looking at the motherboard chipsets, and only the Q170 supports it. The Z170, H170, Q150, B150, and H110 chipsets do not.

    The original poster's point stands, that this does not affect consumer-grade PCs. Most people can happily ignore this vulnerability.

  16. Re:Great... by kbg · · Score: 2

    No you are actually incorrect. It is common for the operating system to update bugs in specific firmware. For example the microcode for the CPU can either be updated by flashing the BIOS or through an OS update.

  17. Re:Great... by Gadget_Guy · · Score: 5, Informative

    Apparently you just have to make sure the LMS service in Windows is not installed or is disabled. Or not run Windows? That's the software that passes the requests to the firmware.

    Not according to this analysis:

    When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console.

    So the firmware is intercepting the traffic before the OS gets it. Turning off the LMS service would stop the remote console, but not the ability to reboot the machine into a remote ISO. At that point, your files would be visible unless you encrypted your drive.

    As for not running Windows, that won't help. Further down the page linked above, it has instructions for Linux on how to see whether you are vulnerable. It also says:

    However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.

  18. Re:Explain to me by butzwonker · · Score: 3, Interesting

    Wait a minute. This (partly intentional) flaw affects practically every Intel-based PC since 2008 and some platforms since 2006. It's true that if you have remote management disabled it appears to lead to local exploits only at first sight, but there are many reasons to believe that even with the option disabled remote exploits may become possible. ME allows the running of signed Java programs on a completely separate core, which are sent via ethernet and have full access to memory and i/o controllers, it can be used to side-channel attack disk encryption and the probability that there is a serious bug that allows for remote exploits in such a complex infrastructure is also fairly high.

  19. Re:Fuck off retard by Gadget_Guy · · Score: 2

    I may be a shill, but you are a plain nut-job! I provided a list of non-server Skylake CPUs and motherboard chipsets along with a list of the chipset model numbers that have vPro facility. All you provided was a strongly worded and unsupported assertion. If you had wanted to prove me wrong and actually believed your own rantings then you would have gone through the entire list and counted how many do and don't support vPro. Then you could have gloated about how wrong I was. But you didn't, so I will. Of the desktop CPUs, 6 support vPro while 22 do not. And as I said before only 1 in 6 of their chipsets would actually allow the CPUs to use that feature. You are wrong.

    I do wonder why would you say we shouldn't trust Intel's word on their deliberate backdoors when they have been completely upfront (and even boasted) about the remote access facility of AMT! Nothing about this latest revelation shows that Intel have lied about anything.

    If you have no evidence to support your notion that every Intel chip is secretly spying on you then don't swear at people who don't share your paranoid ravings. Some of us would rather have proof before we dusted off our pitchforks. That said, I would never buy a CPU that had remote access built in simply to avoid a potential attack vector. But there is a big difference between prudence and paranoia.