Remote security exploit in all 2008+ Intel platforms

Oct 14 23:02

Remote security exploit in all 2008+ Intel platforms

Updated 2x: Nehalem through Kaby all remotely and locally hackable

May 1, 2017 by Charlie Demerjian

Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine), not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

First a little bit of background. SemiAccurate has known about this vulnerability for literally years now; it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out, but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had. Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.

The problem is quite simple: the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

While these capabilities sound crazy to put on a PC, they are there for very legitimate reasons. If an IT organization needs to re-image a system, you need to be able to remotely write to disk. Virus cleaning? Scan and write arbitrary bits. User logging and (legitimate) corporate snooping? That too. In short, everything you need to manage a box can be exploited in ugly ways. When Intel told us that a version of AMT could be used to bare-metal image a dead machine over a cellular connection, we turned white. We explained to them why SemiAccurate thought this was a bad idea and they respectfully disagreed. I’ll bet they aren’t laughing now.

The news today is more problematic than it seems though; the nuances of security disclosures tend to be lost on those not involved in the field. What we mean by this is if a company knows about a flaw and doesn’t fix it for quite literally years, there usually is a reason why. For a security hole that was present for about a decade that suddenly gets patched, this means an affected party with the leverage to get Intel to act did just that. Again. We are cheering that the hole is being fixed and Intel is issuing a patch. That and Intel has plans on when to issue “reactive” NDAs to customers several weeks before the “proactive” and “public” disclosures. [Editor’s emphasis] That begs the question of reacting to what? If it isn’t being exploited, there is nothing to react to before it is disclosed, right?

Back to the point, what is the issue?

Again we won’t be specific until the fixes are out, but on April 25, Intel released a firmware fix for this unnamed issue. It affects every Intel machine from Nehalem in 2008 to Kaby Lake in 2017. The vulnerability affects AMT, ISM, and SBT bearing machines. For those not up on Intel security acronyms, this is every Intel box shipped with an Intel chipset for the past decade or so.

Depending on whether you are a glass half empty or half full type, there is a bit of good news. This flaw is remotely exploitable only if you have AMT turned on, that is the ‘good’ news. The bad news is that if you don’t have it turned on or provisioned the vulnerability is still exploitable locally. If you aren’t the half full type, you might sum this up by saying there is no way to protect a manageable Intel based computer until this hole has been patched, it is that bad. Let me repeat, you cannot protect a manageable PC or server with this flaw until there is a patch, period.

This flaw is present in ME firmware from version 6.0-11.6; things before and after those numbers are not affected, probably because they used the AMT engine with the non-ARC CPU cores in older iterations.

Luckily Intel has some mitigation options for the affected users, that is you, whether you know it or not. They have two fixes for provisioned AMT and non-provisioned boxes, both prevent the issue from happening until the firmware update has been distributed by OEMs. Unfortunately since this issue is not disclosed officially yet, they won’t tell you what it is. Due to the severity of the issue, we highly recommend you make these changes immediately, don’t wait for the official disclosure.

If you have provisioned AMT or ISM on your systems, you should disable it in the Intel MEBx. If you haven’t provisioned these, or have and want to mitigate the local vulnerability too, there are more steps to take.

If you have a box with AMT, ISM, or SBT, you need to disable or uninstall Local Manageability Service (LMS) on your boxes. Intel helpfully points out that doing this will mean your box can’t be managed using those services when you disable them. If this makes you think about whether or not to disable those things, trust us, don’t think about it, disable them NOW.

This brings us to a very ugly point. Intel has put AMT and its variants into every device they make. Some you can’t see because it is fused off, but off is a very strong term. There are several features that AMT provides that are present in consumer systems even though the ‘technology’ isn’t there. This is one of the arguments that SemiAccurate has had with Intel security personnel over the years; we have begged them to offer a SKU without the AMT hardware for just this very reason. Intel didn’t, the pressure to lock corporate customers into their silicon was too high. With this exploit, every Intel box for 9+ years is now vulnerable because you couldn’t buy a box without it even if you wanted to, other than a few older 4S servers.

If you deployed Intel’s management solutions like AMT or SBS, you know the ones we mocked, you now have to turn it off or face remote exploitation. If you are a large corporation with AMT deployed, and most companies have deployed it, turning it off is easy, just a console command or three and it is done. Turning it back on however means going to every desktop, laptop, and server in your organization, manually patching the BIOS and ME firmware, then turning the ME features like AMT back on. Manually.

This all assumes that there is a patch for your machine. Intel has a slew of BIOS/ME firmware patches out and in the hands of OEMs now. From here it isn’t Intel’s problem, and we mean that without even a hint of sarcasm. Intel has done their part and delivered the updated firmware to OEMs, it is now up to them to do the right thing. Some will.

The problem from here is twofold, starting with no-name PCs. If you have a white-box PC or one from a sketchy vendor, chances are they won’t bother with a firmware update. Security is a cost center and most OEMs run on margins too thin to bother with security patches even if they cared. Most simply don’t care. On the other hand, OEMs who do actually care, that would be most of the big ones like Dell, HP, Lenovo, and so on, will put out patches for their machines.

The second problem is for how long? No, not for how long will they keep patches up, but how far back will they issue the patches for? Most OEMs don’t patch things out of warranty for good reason, this is a fair thing for them to do. Most PCs have a one or three year warranty, with five being the rare exception for some boxes like servers. Most of the PCs in this category from tier 1 and 2 vendors should have patches issued in short order. Check for them daily and apply them immediately, really. At best though this means there will be patches out for less than half of the affected machines.

Do you or your organization have any machines in service but out of warranty? I’ll bet you do. What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices. I could go on, but all of these are likely PC based and anything infrastructure related is likely networked, management engine enabled, and quite possibly in warranty from the service provider. But quite likely out of warranty from the board vendor who made the underlying PC the service is based on. Do you know what is in your systems? I’ll bet you think you do.

So this Intel AMT/ISM/SBT vulnerability is the proverbial ‘big one’. It is remotely exploitable if you have Intel’s management solutions in use, locally exploitable if you have them provisioned in your machine. You have them on your machine.

You really need to turn them off, uninstall all the pieces, and do it now, don’t wait for the official word on WW26. That is the end of June for non-Intelspeak people; they will officially issue this guidance then along with OEM disclosures. Because SemiAccurate strongly suspects this vulnerability is being exploited in the wild as we speak, you should take the official mitigation steps as soon as possible. Then contact your OEMs and strongly suggest that firmware patches for every system, including out-of-warranty systems, would be appreciated by you. Then go over every embedded Intel board with a fine-tooth comb. Remember it is every Intel system from Nehalem in 2008 to Kaby Lake in 2017, ME firmware version from 6.0-11.6. If you have or suspect you have these, act now. Really. This is the big one but you can take some corrective action before it is too late. Richard Stallman was right about firmware, and there are alternatives now too. S|A

TLDR: Average computer user – If your system is 10 years old or newer it is likely exploitable, check for patches daily and install all patches immediately. If there is no patch, back up data and replace.
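The interim mitigation the article describes (check whether the ME firmware is in the affected 6.0-11.6 range, then disable the Local Manageability Service) as a Windows administration script; this is an added example, not code from SemiAccurate or Intel. The service name "LMS" and the dotted version-string format (as printed by Intel's MEInfo tool) are assumptions; confirm both on your own build, and note that the MEBx step for provisioned systems is done in firmware setup, not from here.

```powershell
# Added example (not from the article or Intel). Classifies an ME firmware
# version against the affected range the article gives (6.0 through 11.6)
# and stops/disables the LMS service as an interim mitigation.

function Test-AffectedMeVersion {
    param([Parameter(Mandatory)][string]$Version)
    # Compare as numbers, not text: as strings "11.6" sorts before "6.0",
    # which would wrongly mark 11.x firmware as unaffected.
    $parts = $Version.Split('.')
    if ($parts.Count -lt 2) { throw "Unexpected ME version format: $Version" }
    $v = [version]::new([int]$parts[0], [int]$parts[1])   # major.minor only
    return ($v -ge [version]'6.0') -and ($v -le [version]'11.6')
}

function Disable-IntelLms {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ServiceName = 'LMS')   # assumed service name; verify with Get-Service
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Service '$ServiceName' not present; nothing to disable."
        return
    }
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service and set StartupType=Disabled')) {
        Stop-Service -Name $ServiceName -Force
        Set-Service  -Name $ServiceName -StartupType Disabled
        Write-Output "Service '$ServiceName' stopped and disabled."
    }
}

# Constructed sample version string, in the shape MEInfo prints it.
$fw = '11.6.27.3264'
if (Test-AffectedMeVersion $fw) {
    Write-Output "ME firmware $fw is inside the affected 6.0-11.6 range."
    Disable-IntelLms -WhatIf      # remove -WhatIf to apply the change
} else {
    Write-Output "ME firmware $fw is outside the affected range."
}
```

Run it from an elevated PowerShell session; the -WhatIf switch shows what would be changed without touching the service.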

[chan3] general
Oct 14 23:11

Old news.
