Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Intel Privacy Security Hardware Technology

Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk) 164

Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.
This discussion has been archived. No new comments can be posted.

Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008

Comments Filter:
  • by Anonymous Coward

    NSA/GCHQ retire old abilities as windows 10 gains market share.

  • Blame SemiAccurate (Score:4, Informative)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Monday May 01, 2017 @07:18PM (#54337979) Homepage Journal

    According to them, they've been trying to get Intel to patch this for YEARS, and apparently they never bothered to practice responsible public disclosure in order to force intels hand.

    • by Entropy_ajb ( 227170 ) on Monday May 01, 2017 @08:04PM (#54338233)

      That's because SemiAccurate never found an actual bug. Charlie was just concerned about the capabilities of the ME, and that there could be a bug one day. He tried for years to get Intel to just get rid of the ME not to fix any specific bug. You can decide if he was right or not based on this bug.

      It is important to note that based on what has been released so far, you had to opt into to using ME in its full mode to be affected. If you just bought a random PC your system isn't vulnerable.

      • It is important to note that based on what has been released so far, you had to opt into to using ME in its full mode to be affected. If you just bought a random PC your system isn't vulnerable.

        I don't think that's quite accurate. It sounds to me like if you "just bought a random PC", your system isn't remotely vulnerable... but this can still be exploited by an attacker with physical access to your system.

        • by MachineShedFred ( 621896 ) on Monday May 01, 2017 @11:17PM (#54338881) Journal

          It's likely, they would just need to hit the hotkey to configure the management engine during POST. But, if they have physical access, you're already had anyway unless you encrypt your disk and have passwords enabled everywhere possible by the fact that they could just image the drive and walk away.

          • by ( 4475953 )

            if they have physical access, you're already had anyway unless you encrypt your disk and have passwords enabled everywhere

            Access to ME also allows access to the contents of encrypted disks, via direct memory access while the host operating system is reading and writing them and by grabbing the keys used from memory. That's a huge difference.

  • by Anonymous Coward

    Since hardware manufacturers are obviously not going to provide updated firmware to all their products, it would be great if OS providers would patch this.

    • I think you're confusing drivers with firmware. Firmware is a binary blob specific to the device hardware, in this case the Intel Chipset. It's completely unrelated to the OS. It'd be like asking the electric company to set the clock on your microwave.
    • Apparently you just have to make sure the LMS service in Windows is not installed or is disabled. Or not run Windows? That's the software that passes the requests to the firmware.

      • Re:Great... (Score:5, Informative)

        by Gadget_Guy ( 627405 ) on Tuesday May 02, 2017 @04:49AM (#54339489)

        Apparently you just have to make sure the LMS service in Windows is not installed or is disabled. Or not run Windows? That's the software that passes the requests to the firmware.

        Not according to this analysis [dreamwidth.org]:

        When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console.

        So the firmware is intercepting the traffic before the OS gets it. Turning off the LMS service would stop the remote console, but not the ability to reboot the machine into a remote ISO. At that point, your files would be visible unless you encrypted your drive.

        As for not running Windows, that won't help. Further down the page linked above, it has instructions for Linux on how to see whether you are vulnerable. It also says:

        However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.

        • Except this article is about https://nvd.nist.gov/vuln/deta... [nist.gov] which is a local unprivileged user gaining access to AMT via LMS

          Turning off LMS mitigates this vulnerability.

          The source you quote also says this:

          How certain are you about any of this?
          Not hugely

          • LMS does allow local applications to talk to AMT, but the vulnerability exists over the network whether you have LMS or not.

            According to Intel's disclosure [intel.com] (upon which your linked page was based), the correct way to fix this vulnerability is to update the firmware. If you can't do that then you are directed to unprovision the Intel manageability SKU to prevent network attacks and then disable LMS to mitigate against local attacks. From the INTEL-SA-00075 Mitigation Guide [intel.com]:

            These mitigations are intended to p

    • Re:Great... (Score:5, Informative)

      by MachineShedFred ( 621896 ) on Monday May 01, 2017 @11:21PM (#54338889) Journal

      How is Microsoft going to patch something happening in the hardware underneath their OS, without the OS knowing anything about it? In case you haven't played with Intel AMT or vPro, it has some pretty amazing capabilities for remote management, including being able to persist remote control sessions across OS reboots, including being able to enter BIOS / uEFI setup and make changes, as well as mount an ISO image from a network volume as a 'physical' disk and boot off of it.

      How could an OS that isn't even running patch that?

      • When it *is* running, it could apply the firmware to the BIOS/UEFI system. This may require a reboot somewhere in the middle, but so be it. And then the system would be safe.

        Of course, that greatly simplifies the concept since every motherboard has its own variation on BIOS/UEFI. As long as we're dreaming of ponies and rainbows, yeah, this would be nice. But I can see it being a huge headache for MS or Linux distros to manage.

        And just think about the poor saps running Hackintosh systems... no way Apple is

        • But I can see it being a huge headache for MS or Linux distros to manage.

          As well as being certain to break some number of PCs. If stuff goes wrong and your machine won't boot after you apply a firmware update, that's between you and the maker of your machine / motherboard. If your OS decides to do it, even with your approval, then the OS maker is also on the hook.

        • Intel has a tool called Firmware update local (fwupdlclw.exe / fwupdlcl.exe) that can update the ME without a reboot of the host OS.
          Fun trivia, someone in marketing tried naming it "Intel Firmware Update" and started wondering why all the engineers started laughing our arses off.
          Anyway, this tool and a binary image could be deployed via windows update easily enough.

  • Nine years, eh? (Score:4, Insightful)

    by Ungrounded Lightning ( 62228 ) on Monday May 01, 2017 @07:48PM (#54338163) Journal

    Isn't that about how log I've been griping on Slashdot about AMT?

    • What's the big deal? Just turn it off in the BIOS.

      Not like anyone outside the LAN can break into your computer using AMT unless you have a really messed up router/firewall configuration.

      And I believe most laptops have it off by default, which is good because having it on while joining public wireless is a really bad idea.
      • ... unless you have a really messed up router/firewall configuration.

        You mean, like one that uses Intel chips?

      • What's the big deal? Just turn it off in the BIOS.

        Then how do you know it's really off?

        Also: I see to recall documents that said it didn't turn off. Instead it went back to the new-machine configuration, where it would respond to the first comer with adequate credentials to introduce itself as the IT department of its new owner, just getting around to welcoming it to the network and givig it its first configuration.

        • No, that's if you unprovision it.
          Turning it off in BIOS basically makes it brain dead.
          It still loads the lower functions so it can do CPU uCode patch, PMC, and similar, but none of the application level stuff even boots up.

          • Turning it off in BIOS basically makes it brain dead.
            It still loads the lower functions so it can do CPU uCode patch, PMC, and similar, but none of the application level stuff even boots up.

            How do we KNOW that?

            It's got the port open. If it's really off, why is it open? It's don't SOMETHING with it.

            How do we know. for instamce, that turning it off in the BIOS doesn't just make it useless for the owner's IT organization, but still functional when, say, the NSA does the right "port knocking" or other secret-

      • Re:Nine years, eh? (Score:4, Informative)

        by WaffleMonster ( 969671 ) on Monday May 01, 2017 @10:59PM (#54338845)

        What's the big deal? Just turn it off in the BIOS.

        Oh nothing... just forgotten computer within a computer listening on wireless and wired Ethernet interfaces that is never updated and has total access to everything. Nothing to be concerned about.

        Not like anyone outside the LAN can break into your computer using AMT unless you have a really messed up router/firewall configuration.

        Good point. I mean all consumer routers are secure and can't be hacked with ease to perpetrate such a hack.

        AMT is NOT defective by design because even when the system is working properly as designed I have to buy a cert from a valid certificate authority and broadcast DHCP on your LAN with domain corresponding to my cert to own you. This makes AMT secure.

        And I believe most laptops have it off by default, which is good because having it on while joining public wireless is a really bad idea.

        The first I ever heard about this AMT shit I was pulling my hair out trying to figure out how the F*** ports were open on my laptop computer that don't even show up in the F**** stack. When the ports remained open even after booting a Linux live distro I was even more pissed off... the last straw was when the ports remained open when the computer was turned off....F***** O..F..F...

        Oh and by the way you can't disable AMT... there is no option to do that in the bios anywhere and believe me I've looked... the best you can do is disable the MMU which is used to virtualize hardware access so the NICs can be shared by both computers at the same time.

        • *most* BIOS's have the ability to turn ME off.

        • AMT isn't standard in consumer-grade north-bridges, so almost all of your fear-mongering is irrational and without merit.

          And I really don't believe your story since almost every laptop with AMT I have ever touched (over two hundred at this point) came with AMT turned off by default.

          Especially when you said you disabled your processor's MMU? Are you just randomly googling computer acronyms and using them in your rant? Because there is no logical reason to disable the memory management unit on a standar
      • Every system ships with it turned off unless you have some kind of VAR service that images your system and turns it on before you receive it.

        It's far more likely that if you have implemented the use of this stuff on your network, that you have an automatic provisioning process to turn it on when it first hits the network.

  • by Anonymous Coward on Monday May 01, 2017 @07:50PM (#54338169)

    Keep in mind that this is a security hole in a system that was always backdoored by Intel.

    It's a separate CPU with its own network connection, outside the control of the main CPU, it has full access to all the system and it was put in place deliberately by Intel. It communicates using SOAP over HTTP or HTTPS.

    It has been in all server and business chips FROM INTEL for years now....

    It can kill a PC, it can wipe harddisks (killing encryption keys used to access encrypted disks), it can read everything, do anything, rewrite the processor software, bypass any encryption and any security.

    Hardware vendors had access to this for years.
    So NSA would have had access to this for years.
    Russian FSB would have had access to this for years.
    China would have had access to this for years.

    And now every hacker has access.

    When you backdoor technology you end up with bad actors putting Orange Julius in office.

    • It has been in all server and business chips FROM INTEL for years now....

      Due to customer demand. They all got sick of paying 3rd party motherboard vendors for the same feature.

    • You do know this feature has been in non x86/64 boxes for years right?

    • by Holi ( 250190 )
      Let's not forget you have to enable it to be affected so calling it a hidden backdoor is hyperbole at it's best and fraudulent at the worst.

      "How bad is this
      That depends. Unless you've explicitly enabled AMT at any point, you're probably fine. The drivers that allow
      local users to provision the system would require administrative rights to install, so as long as you don't have
      them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, thoug
  • by Anonymous Coward on Monday May 01, 2017 @07:55PM (#54338189)

    * Does this affect every PC, or just people who bought special "business class" computers?

    * If it affects all PCs, does "pester your machine's manufacturer for a firmware update" mean the same thing as "check your motherboard manufacturer's website for a patch," or does it imply that you're SOL if you built your own PC from parts?

    * Intel's patch is Windows only. Does it affect Linux, or is Intel just being lazy?

    * Should I tell my family to buy new PCs if their old PCs are out of warranty?

    • by jmccue ( 834797 ) on Monday May 01, 2017 @08:08PM (#54338255) Homepage

      Some help is here

      http://mjg59.dreamwidth.org/48... [dreamwidth.org]

      That was in one of the articles

    • Re: (Score:1, Informative)

      by Anonymous Coward
      If your system doesn't support AMT (which, if you're not running a "business-class" machine, it almost definitely does not because that's a special feature you need to pay extra to get), then it doesn't affect you.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        If your system doesn't support AMT (which, if you're not running a "business-class" machine, it almost definitely does not because that's a special feature you need to pay extra to get), then it doesn't affect you.

        AMT is included in every Intel processor sold today. It requires motherboard and network chipset support, but a large portion of consumer devices have Intel supplied chipsets for those too, which are almost certainly enabled for it. What you are talking about is the public-key based Enterprise features, which you need to license separately (usually through the management software that you purchase). But the basics are there - try connecting to your machine on a browser from another machine (from localhost

  • by Anonymous Coward

    Now that AMD has released Ryzen you once again have the freedom of choice in the x86 space. The only way Intel will ever changes its ways is if people vote with their wallets and support competition.

  • "try the mitigations here".... you mean the ones that force you to sign a EULA?? is intel having a laugh?

  • So this would have to be provisioned...

    its like IPMI (DRAC)

    (from wikipedia https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)

    "The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and

  • by eric31415927 ( 861917 ) on Monday May 01, 2017 @10:18PM (#54338765)

    The CTRL-p menu (after much of the booting had taken place) brought me to a AMT/ME screen where I could turn AMT off after entering a password.
    The default password is "admin" which worked with my refurbished HP Xeon box. I have since changed the password.

  • Interesting.

    I just watched Rudolf Marek: AMD x86 SMU firmware analysis [youtube.com] yesterday afternoon.
    slides [events.ccc.de]

    These slides are related to the talk, but might not be an exact match.

    Funny anecdote: someone got Linux running on an ARM chip inside a disk drive. That would be really useful for beating up on the algorithms inside Intel's new Optame, er, Optane Memory.

  • by Anonymous Coward

    It's funny how many critical security flaws are so devious that they allow state-actors to just walk right in, and when they're found they stick out like sore thumbs. This here is exactly why you shouldn't buy CPUs from NSA-CIA-Intel.

  • ...all silicon was vulnerable?

    AMD isn't secure, either.

    I told you people there was a game-changing vulnerability out there that resided in pretty much all modern silicon.

    Loving those downmods, now, because here I am, shown right. Vindication is always sweet.

  • Supposedly so they can be located if stolen, but it sounds pretty sketch to me. i think the functionality is branded vPro.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...