
Escalation of Privilege Advisory - ctoth
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
======
kop316
Seeing this reminded me of something that happened a few weeks ago. I went to
a conference where someone very high up in Intel came out to give a
presentation what they were doing for security. A few things stuck out to me:

\- They said they work very hard to work with Linux to make sure their stuff
is compatible.

\- The person also specifically called out that they work with BIOS vendors
(and called out Coreboot by name, implying they work with them)

\- They added that they intend to make sure all of the features are on every
chip, and it included the Intel ME.

When the talk was over, the first question someone asked was: "Is there any
backdoor on your chips?" After a bit of laughter, the presenter said of course
there was not and (understandably) got offended by the question. I
specifically asked why they don't allow people to completely disable the Intel
ME, and I did not get a concrete answer.

Seeing the _remotely_ exploitable Intel firmware vulnerability makes me not
think that question was so funny. I really hope Intel is held responsible for
this.

~~~
marcosdumay
> They added that they intend to make sure all of the features are on every
> chip

Interesting that useful stuff like ECC RAM isn't treated like that.

~~~
derefr
ECC RAM is a bit of a hard case in that the memory controller needs a slightly
different wire protocol for ECC vs. non-ECC DIMMs. "Back in the old days",
this was one of the justifications for having a northbridge separate from the
CPU. Now, in the name of efficiency, it's all on-chip, making ECC a processor
feature rather than a motherboard feature.

That being said, it'd certainly be possible to fix this: just ask RAM
manufacturers to make their non-ECC memory have the same pin out as ECC
memory, with the ECC pins just stubbed to always report that everything is
okay. Then all processors could just include the ECC version of the memory
controller.

~~~
rphlx
While not exactly what you were suggesting, DDR4 ECC DIMMs and SO-DIMMS are
already "pin compatible" with non-ECC modules. So it is straightforward to
design a CPU and motherboard that support both, with a control bit in the IMC
allowing the BIOS to enable/disable ECC checking (and the extra ECC byte
lanes) iff ECC modules are installed (and that's what AMD did with Ryzen).

It is fair to say that Intel blocks ECC on its desktop i7 parts for non-
technical/business reasons (i.e. so they can sell a higher-profit E3 Xeon if
you want DRAM data integrity beyond what non-ECC memory can provide).

~~~
yuhong
Interestingly, this is not true for DDR3 ECC SO-DIMMs. BTW, even AMD Bristol
Ridge supports ECC I believe.

------
scarybeast
Wow. A _remotely_ exploitable Intel firmware vulnerability? You don't see one
of those every day. My instinctive reaction is that this is ridiculously
serious, although I'd need to see the full technical details.

It's worth noting that the reference to "system privileges" being attained
likely refers to something much more privileged than we would normally ascribe
to "system privileges". Normally, "system privileges" would mean something
SYSTEM on Windows or root on Linux. In the event of "system privileges" in the
management component, remember that the main CPU is a slave to this thing.

~~~
AsyncAwait
Something Richard Stallman, among others, was sounding alarm bells for years.

~~~
MohammadLee
And yet here we are, unable to properly deactivate "features" such as Intel
ME.

~~~
MichaelGG
... Here we are, with an exploit that only affects people that enabled a
remote management feature. If Intel had made this an optional addon that
required a physical switch to enable, approximately the same number of people
would be affected today, since it requires provisioning. It's not like every
Intel system is silently waiting for an exploit payload.

~~~
jacquesm
Pretty much every large company running Intel hardware on professional
desktops will have AMT on. It's pretty much SOP unless you really like site
visits.

That's a lot of computers worldwide.

~~~
thraway2016
Is there any reason KVM/IP is not a viable solution for remote management?

Remote access to DMA capability is just batshit insanity.

~~~
jacquesm
This works even absent an OS. In fact, that's the whole idea.

~~~
microwavecamera
I read about this a while ago. Apparently Intel's Management Technology which
is built into like every Intel CPU now listens directly on the network
interface so it can still send/receive data in case the OS is borked. It hooks
in at ring 0. Like a rootkit the OS can't see.

~~~
djsumdog
It's not just Intel that does it. HP Storage solutions use iLO which is pretty
much the same thing for SANs.

~~~
jsmthrowaway
Not just SANs, pretty much their entire product line. iLO is a very common
IPMI deployment at companies with HPe gear, which is a number of very large
ones.

------
orblivion
It's beyond pathetic that we're scrambling for rumors on hacker news to figure
out if we're affected by this. Security news is in need of serious
consideration.

~~~
altharaz
Unfortunately, Security Advisories are formatted according to the Vendor wills
and needs.

Some vendors give you a lot a details, some are very obscure.

There is a need for a "standard" Security Advisory, on the same base that
there is a "standard" emerging from Responsible Disclosure.

~~~
noja
What about the CVE?

------
ChuckMcM
I had an interesting experience with the AMT technology fairly recently. I had
updated my desktop's windows partition from Win7 to Win10 when it was free to
do so, and then gone back to Linux. And because some tax information was in
Quickbooks I booted it into Windows mode and it was trying to update to the
latest Win10 and failing. I checked with Microsoft support and they had me
download a tool to allow them to fix it, which kept failing to work.
Eventually I tracked it down to the fact that I had previously disabled "Intel
Management Engine Interface" in my device manager (back when there was a lot
of discussion about it). Re-enabling it allowed their tool to loot through the
system and fix what ever bits had given the OS fits, and then once it was
running and current again, I disabled it again :-).

Based on the Intel documentation, my Surface Pro 4 is vulnerable (its a 7th
gen with 11.6.0.1042) but its also disabled and I'm not sure whether or not
that 'saves' me here (as the driver in the OS is disabled but it is unclear if
a local network attack would work or not).

~~~
microwavecamera
It says on the page "This vulnerability does not exist on Intel-based consumer
PCs." I'm not sure if that's true or not but Intel seems to think you'll be
ok.

EDIT: Ok so it seems all Intel CPUs that have AMT from Nehalem processors to
the current Kaby Lake's are vulnerable. Even if AMT isn't enabled, it's still
vulnerable to a local privilege escalation to ring 0. So all you people that
have Celeron or AMD CPUs and got picked on for years, enjoy your moment of
schadenfreude.

[https://semiaccurate.com/2017/05/01/remote-security-
exploit-...](https://semiaccurate.com/2017/05/01/remote-security-
exploit-2008-intel-platforms/)

~~~
kbenson
I have a feeling we'll all know soon enough the exact definition Intel uses
for "consumer PCs" and how it differs from the reality of what consumers end
up buying.

~~~
wtallis
They're probably referring to which chipset is on the motherboard. AMT is not
supposed to be enabled on Z series chipsets but is on Q series, for example.
But even on a Z chipset board, you still have Intel Management Engine (ME)
firmware.

------
tomc1985
This advisory should have been published years ago. HN thread from earlier
today:

[https://news.ycombinator.com/item?id=14237266](https://news.ycombinator.com/item?id=14237266)

~~~
Clownshoesms
To be fair, the original post is coming from an AdmiralAsshat.

What can anyone do? This corporate free-for-all seems like it's established
(de-facto) in the United States, and all countries must bow to the US because
of their military might.

We pollute, consume, lie, steal and cheat each other like it's normal
practice. Where did we go wrong.

~~~
mtrycz
> Where did we go wron?

Closed source. It's a choice.

To be fair, some (most?) of the advances wouldn't have been possible without
economic competition between manufactors, but closed source/closed
design/closed production is bound to produce result like these. So, i don't
know... Tradeoffs?

~~~
jacquesm
> It's a choice.

In this case it really isn't and that is a huge problem.

------
hackuser
I was just doing some research on Intel Management Engine (ME), the
independent subsystem on which AMT and other security applications run. Since
I have them at my fingertips, perhaps these will be of use:

* By far the best place to learn about ME and AMT that I found, though it's a few years old:

 _Platform Embedded Security Technology Revealed: Safeguarding the Future of
Computing with Intel Embedded Security and Management Engine_ by Xiaoyu Ruan
(security researcher with the Platform Engineering Group at Intel). Apress
(2014)

* _Intel x86 considered harmful_ by Joanna Rutkowska, founder of Qubes (2015)

[http://invisiblethings.org/papers/2015/x86_harmful.pdf](http://invisiblethings.org/papers/2015/x86_harmful.pdf)

* _How to Become the Sole Owner of Your PC_ by Maxim Goryachy, Mark Ermolov, Positive Technologies [haven't read this one in awhile]

[https://github.com/ptresearch/me-
disablement/blob/master/How...](https://github.com/ptresearch/me-
disablement/blob/master/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf)

* _How Purism avoids Intel’s Active Management Technology_ by Purism

[https://puri.sm/learn/avoiding-intel-amt/](https://puri.sm/learn/avoiding-
intel-amt/)

~~~
rphlx
> Safeguarding the Future of Computing with Intel ... ME

heh, the Ministry of Truth would be proud of that title.

------
Sunset
This is just what you would expect would eventually happen with AMT. Frankly
it should be possible to physically disconnect a jumper on the motherboard
that completely PHYSICALLY disables things like AMT.

~~~
MichaelGG
And this exploit would have the same impact: you have to set up this feature
in order to be affected.

~~~
rbanffy
Except in large companies it's almost always enabled...

~~~
palunon
But then these companies wouldn't use the hardware disable, would they ?

~~~
Sunset
I would. And then I'll play dump when the sysadmin asks why my machine isn't
in the list.

~~~
adrianN
Then the sysadmin enables it and if you disable it again they fire you.

------
lorenzhs
Thankfully this doesn't look quite as serious as the SemiAccurate article
earlier today made it look (it's AMT, not ME), and doesn't affect consumer
CPUs. But if you have AMT provisioned, then holy cow this is really really
bad. Remotely exploitable is just wow.

~~~
jacquesm
It's bad enough. And SemiAccurate did live up to its name.

~~~
nobodyorother
Interestingly, they got the versions right, if not the feature (AMT vs ME).

------
mastax
This seems to corroborate what SemiAccurate published earlier:
[https://semiaccurate.com/2017/05/01/remote-security-
exploit-...](https://semiaccurate.com/2017/05/01/remote-security-
exploit-2008-intel-platforms/)

Crazy. A lot of the HN discussion was incredulous based on SA's reputation.
[https://news.ycombinator.com/item?id=14237266](https://news.ycombinator.com/item?id=14237266)

~~~
colemannugent
I was really hoping that time would prove them wrong, but on the other hand,
it was only a matter of time until a vuln like this was discovered.

~~~
nickpsecurity
Fiora Aeterna posted this about SemiAccurate on Lobsters with a hilarious part
about the effect of triangles on SIMD used in graphics pipelines.

"Semiaccurate is well-known for posting speculation as fact, but worse, they
often have major misunderstandings of the material they report on, leading to
errors, incorrect deductions, wild speculation, etc. My favorite example (a
real quote, not satire):

'You probably don’t remember but the Midgard architecture you know and love is
a four wide architecture four stages deep. Each cycle one thread, aka a
triangle or quad, is issued to the execution units. Since they are four wide
they can take a full quad a cycle which is a really good thing. Unfortunately
most game developers seem stuck on triangles which tend to use only three of
the SIMD vector lanes. This is bad but modern power gating means it won’t
consume hideous amounts of power, it just doesn’t utilize the hardware to its
maximum potential often. The technical term for this is inefficiency.'"

~~~
theossuary
Waaat? I read that quote a few times, and I still can't tell what it's trying
to say. Is it saying triangles as the basic building block of 3d objects is
used as a way to power gate certain cpus that supposedly have better support
for squares because they're "four wide"? If so, then yes I agree who ever
wrote that has no understanding of what they're talking about.

~~~
nickpsecurity
The "too reliant on triangles" is the first hint. As if the game and GPU
industry are full of idiots that don't know the fundamentals of their field.
Then, a triangle utilizes three lanes of SIMD. What, because it has three
sides it uses three instructions? Or is it the GPU drawing those things? And
lets see what StackOverflow might tell us if we were the authors researching
quads superiority to triangles for gaming:

[https://gamedev.stackexchange.com/questions/66312/quads-
vs-t...](https://gamedev.stackexchange.com/questions/66312/quads-vs-triangles)

------
ohrer
If AMT is enabled it would be listening on ports 16992 and 16933 (TLS). I ran
lspci | grep MEI on my machine (an i3-2100, not vPRO as far as I know, running
Linux Ubuntu 16.04) and got:

00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series
Chipset Family MEI Controller #1 (rev 04)

Then ran nmap -p- and the ports didn't show up, and can't access them, so AMT
is disabled. You can read more on how enable or disable AMT and how to access
it here:

[http://manpages.ubuntu.com/manpages/zesty/man7/amt-
howto.7.h...](http://manpages.ubuntu.com/manpages/zesty/man7/amt-howto.7.html)

~~~
ajdlinux
From what i've seen elsewhere - make sure to run nmap on a different machine,
because running nmap locally isn't going to go via the NIC.

~~~
ohrer
I ran nmap and tried to access the ports from my laptop.

------
microwavecamera
My favorite part is the huge disclaimer at the bottom:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL®
PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM
THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE
THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS
OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL
DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF
INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO _FITNESS FOR A
PARTICULAR PURPOSE_

Intel: "Hey everyone it's your BFFs at Intel. There's this uber critical bug
in our enterprise hardware that will murder you right in the face and you
should totally update your firmware right away or face certain doom even
though we won't tell you exactly how it works or why it's so critical. Trust
us, you totes need to do this asap but if it borks your servers ¯\\_(ツ)_/¯.
kthnxbye"

~~~
kogepathic
_> even though we won't tell you exactly how it works or why it's so critical_

This is their entire argument for the ME. Seriously, try to find deeply
technical information on the ME. You can't. It's not public.

The best you can find are some books about the ME, written by former Intel
engineers, who are still shockingly vague about what it actually does. Most
"technical" books on the ME just repeat the Intel marketing drivel with
marginally more (although still completely useless) technical detail. [0]

I've read some books on the ME because I wanted to understand better what it
did. All I got was it has some magic sauce for content owners who want to DRM
the heck out of their content, and it can emulate a TPM for OEMs who are too
cheap to spring for a hardware TPM (although I've never actually seen this
done).

[0]
[http://www.apress.com/us/book/9781430265719](http://www.apress.com/us/book/9781430265719)

------
merpnderp
Looks like Apple machines are safe.

"Are Apple Macs impacted by this at all?"

"No. Apple hardware has an ME, but Apple don't ship the AMT firmware for it."

[https://mjg59.dreamwidth.org/48429.html](https://mjg59.dreamwidth.org/48429.html)

------
bjt2n3904
The tools they listed are windows executables.

Am I vulnerable to this on a Linux System? If so, any way to assess
vulnerability, and patch things?

~~~
biktor_gj
Yes. This affects the management engine, an independent firmware that runs in
your system wether it runs linux, windows BSD. It is still running even if
your computer is off (in fact, one of its capabilities is to turn it on
remotely).

Edit to add: independent of what Intel might say about this (given it seems it
has taken 5 years to disclose this and 5 major firmware versions I won't trust
too much what they say about consumer pcs not being affected). Check if your
cpu and motherboard support AMT and if it is enabled. All workstations I've
worked with have it, but there are a lot of machines that have it disabled by
default unless you specifically turn it on. So, you might be affected if you
have a "supported" processor and (I guess) an Intel NIC onboard and wired, and
remote capabilities enabled.

~~~
wiredfool
I'm mostly interested in if servers with ipmi (supermicro in particular) are
vulnerable, and to what degree. If it's the network with the ipmi ports,
that's one thing, but if it's public facing...

Much stuff is going to be hitting fans.

~~~
ams6110
Your IPMI should be on a private management network, at least. If you haven't
done that, I hope you at least changed the default password.

~~~
wiredfool
Yeah, that's pretty easy on this generation. But there was a previous
generation where the IPMI piggybacked on one of the main NICs, where it was a
lot easier to accidentally expose that to unfriendly traffic.

------
YCode
Is it just me or is there almost no information in this advisory besides
telling people to update their firmware?

I don't know what this vulnerability is or how it is exploited and I barely
know what systems of mine might be affected by it.

~~~
jacquesm
Yes, which makes it really annoying because the one thing you want to know is
how you can see if this has already been exploited which is the difference
between a system wipe and just a firmware upgrade.

~~~
chopin
I would truest the message "has been exploited" but not the message "has not
been exploited". Who could state the latter with any sincerity? Intel could do
state this only with confidence if they'd monitor every of their systems sold,
which I sincerely hope is not the case. If you have vulnerable, critical
systems you need to consider them being exploited. The bug was there for years
and for all what we know at least state actors have been going to great
lengths to exploit vulnerabilities they could get hold of.

~~~
jacquesm
That's correct. You can't prove a negative, so this is always true in the
context of a potential breach.

------
wyager
Are Apple computers with Intel CPUs vulnerable?

It seems like everyone in the security community saw this coming. I hope this
serves as enough of a warning to, at the very least, get Intel to stop putting
spyware in all their CPUs. Ideally, this helps push large hardware
manufacturers away from proprietary CPU manufacturers entirely. Open source
hardware collaborations could (and should) do to Intel what open source OSs
did to Microsoft. Doesn't mean that Intel will go away, but their presence
should absolutely be reduced.

~~~
chillydawg
The spyware is there due to customer demand. All the biggest customers of
Intel buy in vast quantity and need these features for their fleet management.
It ain't going nowhere.

~~~
pmontra
I understand what those customers need AMT for but the end result is that
somebody else could be managing their fleets too and this is not something
they want.

I expect to see some lock down in the next years.

------
Jach
> "This vulnerability does not exist on Intel-based consumer PCs."

How does Intel define an Intel-based consumer PC?

~~~
wmf
vPro is Intel's marketing term for a bundle of stuff including AMT, so
"business" PCs have a vPro sticker and "consumer" PCs don't. It may be hard to
tell if you already peeled the sticker off, though.

~~~
jdmichal
For those who know your CPU model(s), ARK gives you this information under
"Advanced Technologies", label "Intel® vPro™ Technology".

In Windows, you can see your CPU model under "System", label "Processor".
(Shortcut key "Windows-Pause".)

[http://ark.intel.com/](http://ark.intel.com/)

~~~
orblivion
For Mac, I did this. Please anybody out there, confirm whether this is a legit
approach. From a console I put:

    
    
        sysctl -a | grep -i intel
    

There should be a bunch of noise, but in there was a rather specific model
number (not just "core i7"). I googled for that and found a page on ARK. Look
for "vpro" and it should say whether you have it. (I didn't)

~~~
rosser
I can't confirm whether your approach is legit (though vPro does seem to be
relevant), but I find my work machine (2015 15" rMBP) has it, and my personal
(2013 13" rMBP) doesn't.

Specifically, the string you want to `grep` for is
"machdep\\.cpu\\.brand_string".

~~~
PhantomGremlin
Or you can save yourself the trouble of grepping and just type:

    
    
       sysctl machdep.cpu.brand_string

------
mooneater
Can someone confirm, is it possible to tell via inspecting /proc/cpuinfo or
similar, if my system may be affected?

~~~
jacquesm
BIOS settings, check if AMT is enabled. That may not be the whole story
though, Intel is really not very helpful with the text of this announcement.

------
0x0
Where do I find this "Windows Device Manager" in Debian 8?

------
walterbell
From
[http://mjg59.dreamwidth.org/48429.html](http://mjg59.dreamwidth.org/48429.html)

 _> What do we not know?_

We have zero information about the vulnerability, other than that it allows
unauthenticated access to AMT. One big thing that's not clear at the moment is
whether this affects all AMT setups, setups that are in Small Business Mode,
or setups that are in Enterprise Mode. If the latter, the impact on individual
end-users will be basically zero - Enterprise Mode involves a bunch of effort
to configure and nobody's doing that for their home systems. If it affects all
systems, or just systems in Small Business Mode, things are likely to be
worse.

 _> What should I do?_

Make sure AMT is disabled. If it's your own computer, you should then have
nothing else to worry about. If you're a Windows admin with untrusted users,
you should also disable or uninstall LSM by following these instructions.

~~~
jacquesm
And that's a good part of the reasons I'm categorically against any 'rider'
computers next to the one that I control. It's hard enough to keep a regular
system secure, if you have to factor in ghost computers that are effectively
running with a privilege level above your local root then the situation
becomes untenable. Intel really should allow for a simple way to turn off all
this bull-shit without any way for it to be remotely re-enabled. And without
any crippling effects on clock frequency or power management or networking.

Otherwise we don't really own our computers.

------
pmontra
Many people wrote that ME was a potential vulnerability and backdoor along the
years. Russia and China have been designing some CPUs for a while even if they
are not at the same level of Intel and AMD yet. I remember Russia's Baikal
(MIPS and ARM), China's Longsoon (MIPS family) and some ARM chips. I wonder if
they planned those chips with national security considerations in mind.

The current trend of blocking some Internet services with country level
firewalls could be another way to protect from remote attacks. At least spies
should spy from within the country as in the old times. They could see the
other effects as bonuses (political control, protection of local companies)
and being large countries thay maybe don't care much about the consequences of
a slowed down information flow.

------
lossolo
If you are on linux:

 _Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor
also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a
communication controller with "MEI" in the description, AMT isn't running and
you're safe. If it does show an MEI controller, that still doesn't mean you're
vulnerable - AMT may still not be provisioned. If you reboot you should see a
brief firmware splash mentioning the ME. Hitting ctrl+p at this point should
get you into a menu which should let you disable AMT._[1]

1\.
[https://mjg59.dreamwidth.org/48429.html](https://mjg59.dreamwidth.org/48429.html)

------
nthcolumn
Luckily my old rack is too old to have ME. But are there alternatives out
there when these old power-edge warriors finally die or do I have to start
building a beowolf out of raspberry pis?

~~~
milcron
There is OpenPOWER, or ARM. Unfortunately all new Intel chips have the
Management Engine, and all new AMD chips have the equivalent Platform Security
Processor.

~~~
mikehollinger
If you want to inspect the OpenPOWER firmware[1] or OpenBMC[2] - check out
github for either project.

[1] [https://github.com/open-
power/docs/blob/master/README.md](https://github.com/open-
power/docs/blob/master/README.md)

[2]
[https://github.com/openbmc/openbmc/wiki](https://github.com/openbmc/openbmc/wiki)

------
berberous
If I have a personal computer at home (not managed by an IT department), is it
at risk, or does Intel ME need to be enabled somehow?

What was Intel ME trying to solve that couldn't be done without it?

~~~
hackuser
> What was Intel ME trying to solve that couldn't be done without it?

ME is an independent platform that runs parallel with the main CPU. ME has
it's own CPU, memory, bus, etc. The general purpose is to provide an isolated
subsystem on which to run security and management applications.

AMT's out-of-band remote access allows support to access the computer when the
OS isn't or can't be loaded.

From the IT and security perspectives, these features are very valuable.

EDIT: If you want more info:

[https://news.ycombinator.com/item?id=14242213](https://news.ycombinator.com/item?id=14242213)

------
1001101
You have to wonder, is this the only/last one of its kind?

~~~
jacquesm
I'd very much not bet on this being the only or the last bug. See it more as a
confirmation that this system is not as secure as they thought it was and that
will cause a lot of people to now be encouraged to look at it closer.

~~~
hackuser
> confirmation that this system is not as secure as they thought it was

I wonder if that's true. Intel has many smart security professionals working
for it, and probably they expected there would be exploits; they exist on
every system. I'm reading a book about Intel Management Engine (the
independent subsystem on which includes AMT runs) by an Intel engineer[0], and
they are clear that their model mitigates risk but nowhere do they say that
it's invulnerable. In fact, they include responses to exploits in their
discussion of their security process.

It's as secure as I thought it was; of course there are some vulnerabilities.
The real issue to me is how effectively they mitigate it.

[0] Highly recommended to learn about ME and AMT: _Platform Embedded Security
Technology Revealed: Safeguarding the Future of Computing with Intel Embedded
Security and Management Engine_ by Xiaoyu Ruan, published by Apress (2014)

~~~
jacquesm
Systems like this ought to really be bullet-proof. You can do all you want to
secure the other layers (the ones that you have regular access to), this one
bypasses _all_ of that and gives an attacker the equivalent of physical access
to the hardware. To me that's a level above the kind of flaw that can be
attributed to faulty system administration, operating system or application
bugs.

It's essentially a monkey riding along on your shoulder that suddenly turns
out to be malicious.

To me these systems are accidents waiting to happen. And this won't be the
last bug either, you can bet that AMT and ME will receive a lot more hostile
attention than they got so far in the next coming months.

~~~
nickpsecurity
Some of their competition have gone through the trouble to create or buy high-
assurance security for such purposes optionally with the code written in
languages like SPARK provably immune to errors hackers go after w/out
runtimes. This approach goes back to the 70's-80's with modern tools super
easy and cost-effective. I mean, a handful of people at ETH made the Muen
separation kernel with a similar handful doing a high-assurance VPN at Navy
Research Laboratory. There's companies that would do it for them with whatever
mix of robust or complex they want.

They just don't give a shit. Like you said, systems like this ought to be
bulletproof. I'll add it's especially true when they're in most of the
products of a company making hundreds of millions to billions off them. Even
small-to-midsized firms are doing medium to high assurance designs. I'm sure
Intel could afford it. ;)

~~~
hackuser
Do their customers want high-assurance? As I posted elsewhere, corporate IT is
sophisticated enough to know the risks, and they chose to enable AMT widely.
Does the level of demand make it profitable enough to justify doing?
Personally I would pay a good amount for high-assurance systems - or even
subsystems, as in this case - but my budget isn't unlimited. More than a small
cost would be hard to sell to management, which as we all know often budgets
little attention to security, much less money.

OTOH, there is a good argument that vendors know the risks much better than
their customers can, and that they have a responsibility to protect their
customers from dangerous options. But even that depends on the cost;
everything can be made safer for greater expense. I wonder if this qualifies.

~~~
nickpsecurity
"Do their customers want high-assurance?"

Their customers prefer highly-privileged code not get hacked vs get hacked.
Intel knows their dominant position with lockin to x86 code lets them ignore
customers' preferences if they deliver something useful. It's an oligopoly
effect.

It's actually AMD I normally suggest should compete on flexibility or
security. They need the money more. ;)

~~~
hackuser
> Their customers prefer ...

Sure they prefer it. I prefer a soup-to-nuts high-assurance personal laptop,
or a private 747, but I'm not willing to pay for them. I know my laptop can be
exploited. My point is that it's an economic question, not one of technical
specifications.

> Intel knows their dominant position with lockin to x86 code lets them ignore
> customers' preferences if they deliver something useful. It's an oligopoly
> effect.

To a degree. Customer could use their TPMs for many of the same functions as
ME, or get third party devices for out-of-band remote control like AMT. Intel
just needs to make it good enough, but that's the 'intentional', so to speak,
design of marketplaces.

I would love it if AMD took the opportunity, and security became a competitive
arms race between them.

~~~
nickpsecurity
It is economic issue. Unfortunately, the incentives work against it on supply
side since they maximize profit even to detriment of users. The oligopolies
universally supply garbage that suits them. If it's quality or security,
customers often just get used to the problems. That lowers demand side.
Differentiating firms can show up but will be niche unless latching onto
something big. I thought about Java, C#, or Go CPU's at one poing for
application servers. Different front end with safety/security checks on top of
high-performance design probably. Can't be sure on economics of it, though.

------
tyingq
Intel list of vendor makes and models with vPro. Includes even some laptops.
And, guess what? Retail POS systems. Ouch.

[https://msp.intel.com/find-a-vpro-system](https://msp.intel.com/find-a-vpro-
system) (sha1 cert, so chrome may complain)

Edit: also apparently expired cert, but in this case, interesting info there
that I didn't see elsewhere, so...

~~~
Clownshoesms
Retail POS could be bad news, but it got me to thinking of all the other
possibilities too. Could be disastrous, and I wonder who would wear the egg on
the face, Intel or the NSA :) Or no-one is my guess, too big to fail!

------
tomc1985
Can the remote exploitation aspects of this advisory affect systems behind
NAT?

~~~
dom0
NAT is not a firewall. It's not intended to protect, and usually it doesn't.
There are many ways to circumvent it...

~~~
jacquesm
That's true, but for all intents and purposes NAT _is_ a poor-mans firewall.
Many people don't know any better or that's what keeps them safe, they
wouldn't know the difference between multiplexing a bunch of machines behind a
single IP using port forwarding and firewalling because if a port isn't
forwarded it _appears_ as if it is firewalled.

That's a legacy bit that a lot of people will have a hard time adjusting to
when IPV6 becomes more mainstream. Basically every piece of gear in your house
can have a routable IP under that scheme and then suddenly your edge router
configuration becomes a lot more important.

~~~
5ilv3r
Right but the default ruleset allows incoming packets for established
connections, meaning your PC can still contact a remote host with malicious
intent and be exploited.

~~~
jacquesm
Yes, that's true, a reverse is always possible in a NAT'd situation. UPNP also
doesn't help.

------
cantrevealname
We need a service to monitor all the published security & privacy issues that
vendors like Microsoft, Intel, and Apple don't consider to be bugs, and then
offer some kind of automatic disable/fix/patch/uninstall tool.

I'd be willing to pay $50-100/year per system so I don't have to personally
dig into every security and privacy mitigation.

Specifically, the tool or service should:

\- Check for known vulnerabilities just like Management Engine described in
the article, and disable it or patch it (if a patch is available).

\- Uninstall or disable all tracking, reporting, spyware features (esp. in
Windows 8 and 10 for example).

\- Disable all unnecessary services to harden the OS. Yes, I realize that this
has the potential to break things, so it has to be done intelligently.

\- Etc.

I would have thought that anti-virus software would have been a perfect place
to build in such capability, but AV software has generally turned into garbage
unfortunately.

~~~
altharaz
Hey there, my company already solves the "known vulnerabilities" problem and
lets you either "accept" the vulnerability or patch it.

I'd love to get your feedback on our product and how you'd imagine an
integration with other features you described.

Can we DM on Twitter? (@maximeae)

------
d33rp0ints
AMT was enabled by default on my lenovo x220. I guess it's time to dive into
coreboot and me cleaner.

------
peterwwillis
Neutralizing ME:
[https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...](https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html)

------
jacquesm
So, who is taking bets here: Accident or Malice?

~~~
wyager
I'm guessing somewhere in between. Putting AMT on chips in the first place was
malicious. Even if this was unintentional, it's still intel's fault.

If an intentional backdoor is homicide, and a simple software mistake is
manslaughter, this is somewhere around negligent homicide.

~~~
MichaelGG
Ok, so you're Intel, and your business customers say they'd like to remotely
fix their workstations via IPKVM and other stuff so they don't need to
dispatch a tech each time someone wedges their laptop.

Someone suggests adding AMT to certain chips then charging to enable it. You
say that's evil. Why and what's your suggestion?

With the details released so far, this isn't remotely exploitable unless your
company set the feature up. And if Intel didn't provide this feature, you'd
get it from the OEM just like Dell's DRAC or HP iLO.

~~~
jacquesm
What is evil is not providing a hardware lockout to disable it if you don't
want that ME. AMT is only one application running on ME, there are others and
the whole thing _could_ be insecure. If you don't need it it is better not to
have it.

------
faragon
In my opinion all hypervisor-like hidden chips should be always documented,
and disabled by default, by law, except for closed appliances (e.g. a video
game console). That's crazy and very dangerous stuff.

~~~
eric_h
> except for closed appliances (e.g. a video game console)

My video game console literally has a camera pointed at my living room (PS4,
camera is for the VR headset).

Given Sony's less then perfect security record, I accepted this as an
unfortunate tradeoff for the ability to have VR.

I do not think they should be given any special leeway.

~~~
faragon
Most laptops, tablets, and smartphones do, too. At least, the PS4 camera is
optional :-)

------
hultner
Is there any PoC or similar to test if our own systems are vulnerable?

------
orblivion
/r/netsec pointed to what seems to be the mitigation guide. It has the same
"SA-00075":

[https://www.reddit.com/r/netsec/comments/68oy3q/pdf_intelsa0...](https://www.reddit.com/r/netsec/comments/68oy3q/pdf_intelsa00075_mitigation_guide/)

It talks about turning something off with a Windows executable. Was it
necessarily on to begin with? Anybody familiar with this product? I thought
this was a sub-OS level thing.

~~~
zie
one most of our windows machines it's on. You can run this: netstat -na |
findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"

to see if it's actively running. the binary is LSM.exe. Intel recommends you
erase the file. see the PDF for details.

Apparently this will make it locally exploitable only now and A firmware fix
is required to completely fix the problem.

------
zie
on windows you can run this: netstat -na | findstr "\<16993\> \<16992\>
\<16994\> \<16995\> \<623\> \<664\>"

to see if you have LMS running, which apparently is required to remotely
exploit it. PDF with details here:
[https://downloadmirror.intel.com/26754/eng/INTEL-
SA-00075%20...](https://downloadmirror.intel.com/26754/eng/INTEL-
SA-00075%20Mitigation%20Guide%20-%20Rev%201.1.pdf)

------
tmsldd
We're waiting for the manifestation of all manufacturers and cloud service
providers, which is equally important at this moment.

------
nisa
Nice. Just after proposing to using AMT for remotely controlling workstations
at university.

AMT 6.0 up to the current version? are affacted.

Here is a handy Wikipedia Table:
[https://en.wikipedia.org/wiki/Intel_AMT_versions](https://en.wikipedia.org/wiki/Intel_AMT_versions)

Core2 seems to be not affected.

~~~
jacquesm
Better than after deploying a few hundred machines no?

~~~
nisa
We just use it for power fencing and serial console. So nothing fancy. However
after this exploit a seperative VLAN for AMT just got on the list :)

I don't mind AMT but I was an idiot to think it's something you can expose to
the Internet.

~~~
jacquesm
> However after this exploit a seperate VLAN for AMT just got on the list :)

It should have been that way anyway.

------
throwaway2048
Its important to note, that Intel has a VERY strong incentive to downplay the
seriousness of this problem. Other sources have indicated that its possible on
any post 2008 Intel system, its just not possible remotely.

Since we don't know the exact nature of this exploit, things are extremely
dangerous for ALL Intel systems right now.

~~~
wyldfire
Seems like it could be a risk to the GCP/AWSs of the world.

~~~
wmf
AFAIK Xeons don't have AMT/ISM/SBT and thus aren't affected.

Servers may be affected by the absolute shit firmware living in their Aspeed
BMCs, however.

~~~
pquerna
Many Xeon SKUs include the Management Engine, which at times has seemed to
share many of the features of AMT/SBT/etc, but its unclear on the exact attack
vector for this vulnerability.

Having said that, the ME is so opaque, the same type of vulnerability could
easily exist.

------
rxlim
For a system to be affected, both chipset and CPU have to support vPro. For
example, a PC with Core i7-7700 CPU and H270 chipset is not affected because
only the CPU has support for vPro, but a PC with Core i7-7700 CPU and Q270
chipset is affected because both CPU and chipset have support for vPro.

~~~
jacquesm
And as far as I can see you'd still have to have AMT enabled in your BIOS.

~~~
rxlim
At least for it to be exploited remotely. It can still be exploited locally.

------
ams6110
What is the network traffic for this management stuff? TCP? UDP? What ports? I
presume just blocking it at the switch or router would be an approach to
mitigation?

EDIT: from the PDF posted in another thread, looks like the Intel ME ports are
16992, 16993, 16994, 16995, 623, and 664.

------
teoruiz
Is there any indication the vulnerability is present on Intel-based Macs?

~~~
wmf
It's not present because Macs don't have AMT.

~~~
ryanlol
There's been a plenty of Macs with vPRO CPUs. Unless Apple is getting custom
CPUs or CPU firmware then it would seem that Macs do have AMT. No?

Enabling it is tremendously difficult though AFAIK.

~~~
tptacek
It has to have the ME silicon _and_ the AMT enabled firmware. According to
Matthew Garrett, who I'd generally trust on this stuff, Apple hasn't ever
shipped AMT-enabled firmware.

~~~
wtallis
It's nice to see that for once it's a good thing that Apple hardly ever ships
standard firmware and instead usually leaves out all the components and
features they don't plan to use.

------
dhx
Is there any chance this could be exploitable from within a guest virtual
machine, or does Intel's architecture only allow a hypervisor to communicate
with the firmware?

~~~
jacquesm
If it is remotely exploitable that means that if you're on the network you can
do damage. So if that guest virtual machine has access to the same LAN or VLAN
that your ME sits on then you might be in trouble.

That's the whole problem here, this is an issue that allows a remote attack,
not just a local one.

~~~
pritambaral
Even so, it also allows a local attack. One that cannot be fixed without a
firmware upgrade (now hope/pray/beg your OEM to release one).

Yes, remote exploitability sucks hard, but that's not the "whole problem";
there's a bigger problem that just remote exploitability.

------
nthcolumn
Anyone expecting another shadowbrokers reveal soon...?

------
rkwasny
Stallman was right.

~~~
jacquesm
Did you doubt? If anything Stallman has been right far more often than he was
wrong about such things.

------
Glyptodon
They really don't make it easy to parse this. Wish they just had a list of
models/skus.

~~~
hackuser
I would guess you saw this, but just in case:

 _Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM
capable
system:[https://communities.intel.com/docs/DOC-5693](https://communities.intel.com/docs/DOC-5693).
If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM
capable system then no further action is required.

Step 2: Utilize the Detection Guide to assess if your system has the impacted
firmware:
[https://downloadcenter.intel.com/download/26755](https://downloadcenter.intel.com/download/26755).
If you do have a version in the “Resolved Firmware” column no further action
is required to secure your system from this vulnerability._

~~~
eikenberry
Step 2 is pretty useless if you don't use Windows.

------
hoodoof
Do I need to be concerned about my Mac or my Lenovo Windows laptop?

~~~
jacquesm
That depends:

\- do you have a VPro enabled mac (probably not) or laptop (could be)?

\- if so are you running AMT (check bios!)?

\- if so is it running one of the affected versions?

\- and even if not check if the machine is running LMS and if it does disable
that.

------
gravypod
Who's ready for cheap hardware sales?

~~~
tyingq
Or lucrative short term contract work.

~~~
gravypod
Very good idea.

------
rbanffy
Isn't security by obscurity awesome?

------
tokumei_74
i7 4510U affected?

------
Will_Parker
A remote attacker can use a backdoor to gain control of any PC? This is great
news for malicious AI!

~~~
mtrycz
That's a great idea for training an AI for, and someone totally has already
done it. I'm training myself to (be able to) live off the grid when time
comes.

