Slashdot Mirror


Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk)

Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.

19 of 164 comments

  1. Blame SemiAccurate by Khyber · · Score: 3, Informative

    According to them, they've been trying to get Intel to patch this for YEARS, and apparently they never bothered to practice responsible public disclosure in order to force Intel's hand.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Blame SemiAccurate by Entropy_ajb · · Score: 5, Informative

      That's because SemiAccurate never found an actual bug. Charlie was just concerned about the capabilities of the ME, and that there could be a bug one day. He tried for years to get Intel to just get rid of the ME not to fix any specific bug. You can decide if he was right or not based on this bug.

      It is important to note that based on what has been released so far, you had to opt into to using ME in its full mode to be affected. If you just bought a random PC your system isn't vulnerable.

    2. Re:Blame SemiAccurate by Anonymous Coward · · Score: 4, Insightful

      Eh, most people figured the entire thing was dreamed up by the NSA as soon as they learned what it did and how it worked.

    3. Re:Blame SemiAccurate by MachineShedFred · · Score: 3, Informative

      It's likely, they would just need to hit the hotkey to configure the management engine during POST. But, if they have physical access, you're already had anyway unless you encrypt your disk and have passwords enabled everywhere possible by the fact that they could just image the drive and walk away.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. Nine years, eh? by Ungrounded+Lightning · · Score: 3, Insightful

    Isn't that about how long I've been griping on Slashdot about AMT?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Nine years, eh? by WaffleMonster · · Score: 3, Informative

      What's the big deal? Just turn it off in the BIOS.

      Oh nothing... just forgotten computer within a computer listening on wireless and wired Ethernet interfaces that is never updated and has total access to everything. Nothing to be concerned about.

      Not like anyone outside the LAN can break into your computer using AMT unless you have a really messed up router/firewall configuration.

      Good point. I mean all consumer routers are secure and can't be hacked with ease to perpetrate such a hack.

      AMT is NOT defective by design because even when the system is working properly as designed I have to buy a cert from a valid certificate authority and broadcast DHCP on your LAN with domain corresponding to my cert to own you. This makes AMT secure.

      And I believe most laptops have it off by default, which is good because having it on while joining public wireless is a really bad idea.

      The first I ever heard about this AMT shit I was pulling my hair out trying to figure out how the F*** ports were open on my laptop computer that don't even show up in the F**** stack. When the ports remained open even after booting a Linux live distro I was even more pissed off... the last straw was when the ports remained open when the computer was turned off....F***** O..F..F...

      Oh and by the way you can't disable AMT... there is no option to do that in the bios anywhere and believe me I've looked... the best you can do is disable the MMU which is used to virtualize hardware access so the NICs can be shared by both computers at the same time.

  3. Was always a backdoor by Anonymous Coward · · Score: 5, Insightful

    Keep in mind that this is a security hole in a system that was always backdoored by Intel.

    It's a separate CPU with its own network connection, outside the control of the main CPU, it has full access to all the system and it was put in place deliberately by Intel. It communicates using SOAP over HTTP or HTTPS.

    It has been in all server and business chips FROM INTEL for years now....

    It can kill a PC, it can wipe hard disks (killing encryption keys used to access encrypted disks), it can read everything, do anything, rewrite the processor software, bypass any encryption and any security.

    Hardware vendors had access to this for years.
    So NSA would have had access to this for years.
    Russian FSB would have had access to this for years.
    China would have had access to this for years.

    And now every hacker has access.

    When you backdoor technology you end up with bad actors putting Orange Julius in office.

    1. Re:Was always a backdoor by WaffleMonster · · Score: 5, Informative

      Please shut the fuck up, you're only spreading disinformation.

      What part of it is technically inaccurate?

      AMT is a killer feature for businesses. It allows full remote management and recovery of headless servers. It's not a backdoor, it's a frontdoor. The feature has never been hidden, it's been advertised.

      Oh god what year is this? Let me help you.
      https://en.wikipedia.org/wiki/...

      Crying about Intel is part of your disinformation. You're acting like only Intel does this. AMD does it too as well as some of the smaller companies. It's an extremely useful feature.

      Let me help you.
      https://en.wikipedia.org/wiki/...

      However, the companies know the risks (or just want to charge you more for more features) so you have to enable it. You can buy the machines pre-enabled or you can enable it yourself, but it's not enabled by default on consumer PCs. This bug only affects systems with AMT turned on.

      I'm a consumer. It came listening on TCP ports on my computer and I sure as f*** never turned it on.

    2. Re:Was always a backdoor by Z80a · · Score: 3, Insightful

      Okay, can you audit the contents of the firmware of AMT to be sure it doesn't have any sort of backdoor or truly disable it?

  4. More information please! by Anonymous Coward · · Score: 3, Interesting

    * Does this affect every PC, or just people who bought special "business class" computers?

    * If it affects all PCs, does "pester your machine's manufacturer for a firmware update" mean the same thing as "check your motherboard manufacturer's website for a patch," or does it imply that you're SOL if you built your own PC from parts?

    * Intel's patch is Windows only. Does it affect Linux, or is Intel just being lazy?

    * Should I tell my family to buy new PCs if their old PCs are out of warranty?

    1. Re:More information please! by jmccue · · Score: 4, Informative

      Some help is here

      http://mjg59.dreamwidth.org/48...

      That was in one of the articles

    2. Re:More information please! by butzwonker · · Score: 3, Insightful

      The above posts are disinformation. We're talking about Intel Management Engine, not AMT, the latter is the service, the former is not optional. ME is installed on nearly every Intel-based chipset/motherboard combo since 2008. That's well known and has been discussed for a long time, and it's not unreasonable to assume that the ME has been designed with backdoor features in mind from the start by Israel/US chip developers (though of course nobody in public has a proof for that).

      The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional[32] part in all current (as of 2015) Intel chipsets.[33] According to an independent analysis by Igor Skochinsky, it is based on an ARC core, and the Management Engine runs the ThreadX RTOS from Express Logic. According to this analysis, versions 1.x to 5.x of the ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x use the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor can also execute signed Java applets. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS).[34]

      The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP).[35][36] The ME also communicates with the host via PCI interface.[34] Under Linux, communication between the host and the ME is done via /dev/mei.[33]

      Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[37] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[38][39]

      Quote from Wikipedia Article

      More info: Hackaday article on attempts to neutralize it, Slides by Igor Skochinsky, CCC talk by Jana Rutkowska, short 2016 Hackaday article. There is plenty more information on the Net if you care to look it up. Theoretically, ME only gives total access locally, if AMT features are disabled. Practically, it's likely that by a combination with other exploits a remote exploit is also possible. If AMT features are enabled, you're screwed anyway.

      To repeat, this affects almost every Intel machine since 2008 and certainly every current Intel machine, whether you use AMT or not. It's especially problematic if you use full disk encryption.

  5. Default password = admin by eric31415927 · · Score: 4, Interesting

    The CTRL-p menu (after much of the booting had taken place) brought me to an AMT/ME screen where I could turn AMT off after entering a password.
    The default password is "admin" which worked with my refurbished HP Xeon box. I have since changed the password.

  6. Re: Great... by Brockmire · · Score: 5, Funny

    If you ask them right at 12:00, they could!

  7. Re:Great... by MachineShedFred · · Score: 5, Informative

    How is Microsoft going to patch something happening in the hardware underneath their OS, without the OS knowing anything about it? In case you haven't played with Intel AMT or vPro, it has some pretty amazing capabilities for remote management, including being able to persist remote control sessions across OS reboots, including being able to enter BIOS / uEFI setup and make changes, as well as mount an ISO image from a network volume as a 'physical' disk and boot off of it.

    How could an OS that isn't even running patch that?

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  8. Re:Just because you're paranoid by BlueStrat · · Score: 3, Interesting

    You'd have to turn on AMT to begin with in order for this to work.

    Are you absolutely positive AMT cannot be remotely activated? Given the circumstances and who might be involved in this exploit existing and/or remaining unpatched for such a long time, I wouldn't trust that clicking to un-check that AMT box disables all of it, especially if the vulnerability was deliberate.

    This makes me wonder what vulnerability nastiness has remained undiscovered/unreported (intentionally baked-in?) about AMD CPUs and chipsets. You know the TLAs wouldn't ignore AMD.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  9. Actually, right!!!! by Gadget_Guy · · Score: 5, Informative

    The affected LMS service is enabled and run at startup by default in Windows 10.

    Only if you have a CPU and motherboard chipset with vPro, which very few of them do. I had a look at some of the entries on Intel's list of Skylake desktop products for the consumer-level products, but got bored trying to find which of the CPUs had vPro support. I ended up looking at the motherboard chipsets, and only the Q170 supports it. The Z170, H170, Q150, B150, and H110 chipsets do not.

    The original poster's point stands, that this does not affect consumer-grade PCs. Most people can happily ignore this vulnerability.

  10. Re:Great... by Gadget_Guy · · Score: 5, Informative

    Apparently you just have to make sure the LMS service in Windows is not installed or is disabled. Or not run Windows? That's the software that passes the requests to the firmware.

    Not according to this analysis:

    When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console.

    So the firmware is intercepting the traffic before the OS gets it. Turning off the LMS service would stop the remote console, but not the ability to reboot the machine into a remote ISO. At that point, your files would be visible unless you encrypted your drive.

    As for not running Windows, that won't help. Further down the page linked above, it has instructions for Linux on how to see whether you are vulnerable. It also says:

    However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.
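Because the ME diverts TCP 16992/16993 before the OS ever sees them, a host's own netstat will not list them, so the only reliable place to spot AMT exposure is the network edge. The script below is an added example (not from the thread or the linked analysis) that flags firewall log entries to those two ports from outside an assumed management subnet; the iptables-style log format, the 10.0.99.0/24 management range and the sample lines are all constructed.

```python
"""Flag connections to Intel AMT's web ports in firewall logs.

Added example for illustration; the log format, management subnet and
sample lines are constructed, not taken from the thread or the linked post."""
import re
from ipaddress import ip_address, ip_network

# Ports the quoted analysis says the ME hands to AMT before the OS sees them.
AMT_PORTS = {16992: "AMT web UI (HTTP)", 16993: "AMT web UI (HTTPS)"}

# Assumption: only hosts in this subnet are expected to reach AMT at all.
MGMT_NET = ip_network("10.0.99.0/24")

# Matches iptables LOG-target style fields (constructed format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines; the two non-management hits should alert.
SAMPLE_LOG = """\
kernel: FW IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=16992 SYN
kernel: FW IN=eth0 SRC=10.0.99.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=16993 SYN
kernel: FW IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33000 DPT=443 SYN
kernel: FW IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=33001 DPT=16993 SYN
"""


def parse_line(line):
    """Return (src, dst, dport) or None if the line is not a TCP firewall entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dpt"])


def find_amt_exposure(log_text, mgmt_net=MGMT_NET):
    """Return one alert per AMT-port connection from outside the management subnet."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport not in AMT_PORTS or ip_address(src) in mgmt_net:
            continue  # not an AMT port, or expected management traffic
        alerts.append({"src": src, "dst": dst, "port": dport, "what": AMT_PORTS[dport]})
    return alerts


if __name__ == "__main__":
    for a in find_amt_exposure(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['port']} ({a['what']})")
```

Any hit on these ports from outside the management range is worth an inventory check of that destination host for enabled AMT, since the thread notes the firmware answers even when the OS is off.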

  11. Re:Explain to me by butzwonker · · Score: 3, Interesting

    Wait a minute. This (partly intentional) flaw affects practically every Intel-based PC since 2008 and some platforms since 2006. It's true that if you have remote management disabled it appears to lead to local exploits only at first sight, but there are many reasons to believe that even with the option disabled remote exploits may become possible. ME allows the running of signed Java programs on a completely separate core, which are sent via Ethernet and have full access to memory and I/O controllers, it can be used to side-channel attack disk encryption and the probability that there is a serious bug that allows for remote exploits in such a complex infrastructure is also fairly high.