
Intel patches new ME vulnerabilities - nh2
http://blog.ptsecurity.com/2018/07/intel-patches-new-me-vulnerabilities.html
======
std_throwaway
I don't want a patch. I don't use that thing for anything. I want them to
disable that thing by default!

Leaving those backdoors open in older products should lead to a recall because
the flaw was there all along.

~~~
blitmap
As I understand it, ME is used to remotely control the processor like in a
datacenter. If a datacenter is buying hundreds of thousands of these it makes
sense to have it on by default so their people don't have to go in and turn
anything on. As much as I recognize it as a vulnerability (to the extreme), it
doesn't make sense to have it off by default. They should certainly support a
way to _permanently_ disable it. I wish there were easy tools to verify ME is
"not accessible" since I don't work in a datacenter and I wouldn't know how to
test that it's off.

Things that come with great benefit to risk for abuse:

- Intel ME

- Computrace

- Device Guard

~~~
emsy
Their motivations are irrelevant. Consumers aren't datacenters.

~~~
JumpCrisscross
> _Consumers aren't datacenters_

Consumers have also shown zero intention of paying more for secure devices.
Until we have a public ME hack with real consequences, I do not expect that to
change.

~~~
emsy
The funny thing is that making the processor more secure would require _less
work_ by not implementing a ME.

------
nh2
Intel advisory: [https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html)

CVE-2018-3628 - "Buffer overflow in HTTP handler"

Affected processor list (simplified reordered by me to reflect relevance and
improve readability):

• Core i3/i5/i7, generation 1-8 (that is, all of them)

• Xeon E3-1200 v5/v6

• Xeon Scalable

• Xeon W

• Core 2 Duo vPro, Centrino 2 vPro

~~~
Macha
Also worth noting that they're not patching it for 1st, 2nd or 3rd generation
Core CPUs. I'm sure there's plenty of Sandy Bridge/Ivy Bridge CPUs in the
wild, and it's not like you have an option to discontinue use of the Intel ME
:(

~~~
NullPrefix
No real advancement after Sandy Bridge was made. Only incremental 10% with
each gen. That means current gen is only 2x as fast when comparing the same
lines (i7 to i7). If you can't make new things better, just gimp the old ones,
like Spectre/Meltdown.

~~~
watersb
My Ivy Bridge laptop uses twice the power as my Apollo Lake laptop.

Literally 2x.

~~~
NullPrefix
Apollo is Atom, isn't it? So it's not apples to apples. I'm pretty sure there
were sub 10W SoC for some years before Ivy bridge.

~~~
watersb
Yes, Apollo Lake is an Atom SoC. While I am doing simple web development,
performance is about the same. Mostly lacking RAM versus older, Core
platforms.

But all-up, Windows 10 at 6 Watts. Including the display, storage, the whole
system — or so the performance counters on the battery tell me.

------
confounded
Just a note that if you want to avoid Intel's disastrous Management Engine,
there are companies you can support that disable it.

Purism[0] sell nice MBP-style, Debian-based laptops with modern Intel
processors with the NSA's 'High Assurance Platform' bit set, and as much of
the ME code removed as possible. It still runs briefly at boot, but this is
the most-disabled you can currently get on any i3/i5/i7 processor[1].

[0]: [https://puri.sm/](https://puri.sm/)

[1]: [https://puri.sm/posts/deep-dive-into-intel-me-disablement/](https://puri.sm/posts/deep-dive-into-intel-me-disablement/)

System76 are planning to do something similar[2].

[2]: [http://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan](http://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan)

The last Intel processors where the ME could be _removed entirely_ without
bricking, were the non-AMT Core Duos (2008ish), which were used on the
Thinkpad T400 (good for your biceps) and the X200/X200T (thick, but compact,
even by today's standards).

Various companies (most prominently the Ministry of Freedom in the UK) sell
these models with the ME completely removed, and a completely Free Software
boot process via LibreBoot (a subset of coreboot). You can find a full list of
suppliers on the FSF's 'Respects Your Freedom' hardware page[3]. Most of them
will also remove the ME from a compatible laptop you send them, as a service.

[3]: [https://www.fsf.org/resources/hw/endorsement/respects-your-freedom](https://www.fsf.org/resources/hw/endorsement/respects-your-freedom)

These machines are also 'naturally' resistant to both Spectre and Meltdown,
and obviously have no ME to exploit. None of the Intel horror-shows of the
last few years seem to have touched them.

I previously thought that running an old-machine for largely hypothetical
freedoms was bizarre. After these CVEs, I'm beginning to re-examine how
bizarre it really is. And I do miss those old ThinkPad keyboards :)

~~~
yAnonymous
At that point you should just buy AMD, if only to not support a company like
Intel with such a bad security track record.

~~~
confounded
AMD has an ME equivalent, which is approximately as prevalent. It’s still a
DRM/DMCA-protected remote access CPU on your CPU. What could go wrong?

Buying Librebooted machines isn’t directly supporting Intel.

~~~
153791098c
But not on AMD machines from 2012 and before. You can buy a high-end
motherboard (KGPE-D16) that can run libreboot and 2 16core Opteron 62xx cpu's
with 192GB ram. You don't have to go the old and relatively slow thinkpad
route to achieve freedom.

~~~
confounded
Thank you for this information!

I’m interested in something like this (though maybe not as beefy) for self-
hosting.

Are there any companies that sell the gear you describe, or guides/wikis on
getting set up?

~~~
confounded
Answering my own question, suppliers of boards are available on the FSF's site
(these are the boards which the FSF use themselves):

[https://fsf.org/ryf](https://fsf.org/ryf)

~~~
153791098c
Yes that's a good starting point. And a great option if you have the money for
it. This will also support the people that put in hard work to achieve and
provide ultimate user freedom.

If you are on a tight budget, however, I recommend buying the motherboard on
aliexpress (for about $200) and if you are not comfortable in flashing
libreboot yourself you can ask a company that delivers bios chips for this
motherboard to flash a custom bios and supply the libreboot rom binary to
them. You can easily swap the bios chips yourself. The libreboot and coreboot
websites have lists of hardware that are compatible (ram/cpu).

Also if you are interested in newer liberated hardware, look into the Talos
II. They provide a proper workstation that comes with only free software. It
will be more difficult to set up since it has a different cpu architecture, but
it is definitely the way forward.

------
mrpippy
This feels like the Onion story “‘No Way To Prevent This,’ Says Only Nation
Where This Regularly Happens” that they post after every US mass shooting,
just with the picture changed.

Intel will be fixing ME vulnerabilities forever. It has a huge attack surface,
but too obscure to get serious resources from them.

------
dsabanin
Finally it happened. Here's to hoping that after being exposed to this kind of
risk, enterprises and regular customers start being more inquisitive about
what code gets embedded into their hardware and why.

~~~
nine_k
I heard Google spends a lot of money and effort to (slowly) move to Power9. It
does have a management processor but it's open for inspection and
modification.

Maybe other cloud providers, and/or private clouds, would consider that.

~~~
scruffyherder
Source on that? I'd love to use that as a prodding stick to shove all my
java/node stuff off of x86..

~~~
PeCaN
Google Confirms POWER9 Processor Data Center Deployment At OpenPOWER Summit
2018
[https://www.forbes.com/sites/patrickmoorhead/2018/03/19/headed-into-its-fifth-year-openpower-has-momentum-into-the-power9-generation/](https://www.forbes.com/sites/patrickmoorhead/2018/03/19/headed-into-its-fifth-year-openpower-has-momentum-into-the-power9-generation/)

IBM Begins Power9 Rollout with Backing from DOE, Google
[https://www.hpcwire.com/2017/12/06/ibm-begins-power9-rollout-backing-doe-google/](https://www.hpcwire.com/2017/12/06/ibm-begins-power9-rollout-backing-doe-google/)

Google's Data Centers Now Have IBM Inside
[https://www.fool.com/investing/2018/03/22/googles-data-centers-now-have-ibm-inside.aspx](https://www.fool.com/investing/2018/03/22/googles-data-centers-now-have-ibm-inside.aspx)

Introducing Zaius, Google and Rackspace’s open server running IBM POWER9
[https://cloudplatform.googleblog.com/2016/10/introducing-Zaius-Google-and-Rackspaces-open-server-running-IBM-POWER9.html](https://cloudplatform.googleblog.com/2016/10/introducing-Zaius-Google-and-Rackspaces-open-server-running-IBM-POWER9.html)

They're also a platinum-level member of the OpenPOWER consortium (i.e. they
have a position on the board of directors).

~~~
scruffyherder
Thanks! Time to poke the bees!

What is crazy is that we sent people to Google about moving stuff to their
cloud offering, and when I asked about the Power9 thing nobody knew anything!

------
nine_k
As far as I could find out from Intel AMT docs [1], remotely accessible AMT
requires an AMT-enabled network adapter.

I suppose built-in adapters of Intel chipsets have this feature (at least if
marked as vPro).

This means that there's a quite decent chance that your not Intel-branded
PCI-Express NIC is _NOT_ AMT-enabled. Most likely your USB-attached WiFi adapter is
also inaccessible to AMT.

This, if correct, means that your home machine, or your laptop, can be
protected from this or any future remotely-activated AMT vulnerabilities by
disabling the built-in NICs in BIOS, and using a third-party NIC, either for
wired or wireless communication.

(For a server fleet, it's different, but you likely _don't_ want to lose AMT
remote access if you have a few racks full of servers anyway.)

[1]: [https://software.intel.com/en-us/articles/getting-started-with-intel-active-management-technology-amt#_Toc451350766](https://software.intel.com/en-us/articles/getting-started-with-intel-active-management-technology-amt#_Toc451350766)

~~~
close04
Unless your machine is branded as vPro it most likely means that it simply
lacks the FW part to run AMT. So it will have the ME in the chipset, it might
as well have the correct CPU and NIC for vPro (usually the NICs with M for
management in the model name), but it's missing the firmware.

Outside of OEM machines the only time I managed to build a vPro enabled system
was in Haswell times when Intel had desktop motherboards with the correct
chipset and NIC combination, and the BIOS to run it. Right around that time
Intel exited the motherboard business and most manufacturers don't bother with
shipping the firmware anyway.

------
ganzuul
My CPU has an HTTP server? But why?

~~~
rhencke
Your CPU actually runs its own entire, separate operating system - MINIX.

[https://www.cs.vu.nl/~ast/intel/](https://www.cs.vu.nl/~ast/intel/)

~~~
bogomipz
Wow I have never seen this before. All the other incredulities aside I was
very surprised by this:

>"I got another clue when your engineers began asking me to make a number of
changes to MINIX, for example, making the memory footprint smaller and adding
#ifdefs around pieces of code so they could be statically disabled by setting
flags in the main configuration file."

Why would Intel ask Tanenbaum to make changes for them? Doesn't Intel have
unlimited resources?

~~~
maccam94
Probably to lower their maintenance overhead by minimizing their divergence
from the upstream code.

------
thepumpkin1979
Can MacBook owners do something to disable or cripple Intel ME? Is Apple
disabling it for us? I can’t find Apple responses to these issues.

~~~
close04
As far as I know while the Management Engine is in all chipsets that accompany
Intel CPUs, Apple never shipped any AMT enabled firmware. This is the more
exposed component.

~~~
yborg
Apple is exposed to ME bugs.

[https://support.apple.com/en-us/HT208465](https://support.apple.com/en-us/HT208465)

See the "EFI" section.

~~~
close04
The ME is most definitely there but AMT is not. And AMT is the one with far
more exposed security flaws that can be exploited over the network by virtue
of AMT's purpose. Like the ones detailed in the article here. Otherwise
without a shadow of doubt the ME is present in every Intel chipset since 2006.

Exploiting the ME is possible even without AMT but it definitely raises the
bar in the sophistication of the attack.

The _me_cleaner_ tool might do a good job in disabling the ME in most cases
but since it's doing it by removing components from the ME FW it probably
doesn't work with every OEM implementation.

------
ipsin
Has Intel offered an official "disable ME" patch? I'd like to close the door
once and not worry about it again.

~~~
kawsper
There are no official ways of disabling the ME.

The Coreboot project and the Hardenedlinux project have worked on it, and here
are some resources on their progress:

[https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html](https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html)

[https://www.coreboot.org/Intel_Management_Engine](https://www.coreboot.org/Intel_Management_Engine)

And here is a general writeup on the Intel chips and their "features":
[https://libreboot.org/faq.html#intel](https://libreboot.org/faq.html#intel)

If Intel aren't going to patch old systems, here to hoping that they will let
us disable it, but it probably won't happen.

~~~
chasil
There is a Python script that can take a BIOS image (either from a vendor or
scanned from a running system) and remove all ME components that are not
absolutely required to operate the CPU. I have never tried it.

[https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner)

~~~
smolder
I used it with no apparent issues on two of my computers.
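
As a companion to the me_cleaner discussion above, an added example (not part of the thread and not me_cleaner's code) that reads the Intel flash descriptor of a firmware dump and reports whether an ME region is present, how large it is, and whether it still carries the `$FPT` partition-table marker or is blank. The field offsets follow the flash descriptor layout as read by tools such as coreboot's ifdtool; the sample image and all function names are constructed for illustration.

```python
import struct

FLVALSIG = 0x0FF0A55A  # Intel flash descriptor signature
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def find_descriptor(image: bytes) -> int:
    """Return the signature offset: 0x10 on most layouts, 0x0 on the oldest."""
    for off in (0x10, 0x00):
        if len(image) >= off + 8 and struct.unpack_from("<I", image, off)[0] == FLVALSIG:
            return off
    raise ValueError("no Intel flash descriptor signature found")


def parse_regions(image: bytes) -> dict:
    """Map region name -> (start, end) for every region the descriptor enables."""
    sig = find_descriptor(image)
    (flmap0,) = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4           # offset of the region table
    if frba + 4 * len(REGION_NAMES) > len(image):
        raise ValueError("region table lies outside the image")
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        start = (flreg & 0x7FFF) << 12             # base, 4 KiB granularity
        end = ((((flreg >> 16) & 0x7FFF) << 12) | 0xFFF) + 1
        if start < end:                            # base > limit marks "unused"
            regions[name] = (start, end)
    return regions


def me_region_report(image: bytes) -> dict:
    """Summarise the ME region of a flash dump without modifying anything."""
    regions = parse_regions(image)
    if "ME" not in regions:
        return {"present": False}
    start, end = regions["ME"]
    body = image[start:end]
    return {
        "present": True,
        "start": start,
        "size": end - start,
        "truncated": end > len(image),             # dump shorter than the region
        # "$FPT" marks the ME firmware partition table (at +0x10 or +0x0)
        "has_fpt": b"$FPT" in (body[:4], body[0x10:0x14]),
        "blank": len(body) > 0 and body.count(0xFF) == len(body),
    }


def build_sample_image(me_blank: bool = False) -> bytes:
    """Constructed 20 KiB image: descriptor, 8 KiB ME region, 8 KiB BIOS region."""
    img = bytearray(b"\xFF" * 0x5000)
    struct.pack_into("<II", img, 0x10, FLVALSIG, 0x00040003)  # FRBA -> 0x40
    struct.pack_into("<5I", img, 0x40,
                     0x00000000,   # Descriptor     0x0000-0x0FFF
                     0x00040003,   # BIOS           0x3000-0x4FFF
                     0x00020001,   # ME             0x1000-0x2FFF
                     0x00007FFF,   # GbE            unused
                     0x00007FFF)   # Platform Data  unused
    if not me_blank:
        img[0x1010:0x1014] = b"$FPT"
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("stock", build_sample_image()),
                       ("wiped", build_sample_image(me_blank=True))):
        print(label, me_region_report(img))
```

Running the same report on a dump taken before and after a cleaning tool shows whether the ME region was shrunk, emptied, or left untouched.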

------
lurker456
Does this affect ME or ME with AMT enabled? The article talks about ME but
it's AMT that runs the http server.

~~~
RaleyField
Neither does Intel's advisory (which is something we have come to expect from
Intel - complete nonchalant disregard for details/quality/security/customers).

They could specify whether I'm good with AMT turned off or they went extra
stupid and AMT processes packets even when it's off. My bet is on the latter
because otherwise they'd say to disable AMT otherwise. My next processor will
be AMD.

------
nine_k
I wonder what _other_ (somehow) laptop-worthy CPUs offer a better management
engine story?

* AMD processors do have an equivalent management engine (PSP), but I didn't hear anything about remote exploits for it.

* Beefier ARM CPUs also have something like a management engine ("trustzone" only accessible to the manufacturer). I have no idea if it has any remote-access capabilities on any common hardware. On RPi the trustzone is absent.

* Power9 does have a management engine, but it's open and you can upload your own management code. The CPU is not an option for a laptop, and hardly even for a desktop, though.

(Edited: spelling.)

~~~
rectang
In order to support reliable mass-remote-update, what is needed is an ME which
is disabled by default but can be enabled via a non-reversible opt-in, such as
breaking off a pin.

Then a supplier could configure bulk orders to enable the ME and it would be
left up to the customer to choose the security-for-convenience tradeoff.

~~~
jake_the_third
Why break off? Normal physical switches on motherboards work just as well.

~~~
rectang
My reasoning was that the step needed to be non-reversible in order to
duplicate the current behavior. However, after thinking over your suggestion,
I haven't come up with a scenario where that would be important.

Ordinary users, even if they somehow experienced the temptation to disable
remote updates, wouldn't have the expertise to act on it. And any malicious
actor with physical access to the machine would have other more
straightforward attack vectors (like USB vulns).

So I think you're right -- and Intel has even less justification for hard-
wiring the ME on by default.

------
arnaudsm
I'm surprised by the lack of media coverage: Intel is deliberately leaving
billions of CPUs vulnerable.

For a $200 billion company, refusing to spend some resources to patch all
generations is irresponsible.

Think of how many governments still use <2012 CPUs.

~~~
sametmax
Another theory is that other actors have the will and influence to make sure
it stays that way.

We used to be answered with tin foil hat jokes on mass surveillance.
Then came PRISM and nobody is laughing now.

Maybe it's going to be the same with this. We will learn many years later it
was enforced by some state or economical entity that benefits greatly from having a
standard unpatchable backdoor on most laptops and servers on the planet.

------
eutropia
Is it possible to mitigate this by blocking traffic on the ports that the ME
uses for communication at the router level?

~~~
6d6b73
AFAIK this works only if the attacker is on the same subnet as you, this means
that your router can't stop the attack.

~~~
hsivonen
Does the attack work if AMT has not been provisioned?

------
deathhand
Do we really need remote code execution on the bios level? Is this a case of
'we can, but should we?'

~~~
nine_k
Think about managing tens of thousands of servers in a datacenter. An ability
to do everything you can do from a local console (and preferably more),
without physical access or a KV switch, is very important.

Remotely managing a corporate desktop or laptop, e.g. fixing an OS-level
problem remotely, may also be important.

OTOH I'd prefer this functionality clearly delineated, using strong
encryption, and with an explicit reliable "off" switch (preferably physical).

~~~
pdkl95
> Think about managing tens of thousands of servers in a datacenter.

The proper solution is an optional management chip on the motherboard, not the
CPU. PCI bus mastering NICs with wake-on-lan and other management features
have existed for decades; it wouldn't be particularly difficult to add the rest
of the ME features.

------
amelius
Sometimes I wonder why we even worry about things like Meltdown/Spectre when
there is this gaping hole called ME.

------
tjoff
How can I find out if my system is affected?

The CPU list isn't really helping as the answer is just "yes".

What remains is what, that my motherboard and NIC play along? How can I
figure that out? Is buying a non-intel NIC guaranteed to be safe?

Right about now running pfsense on intel hardware isn't the best feeling in
the world.

------
iokanuon
Can we use this vulnerability to somehow disable the Intel ME on our own
machines?

~~~
Filligree
In principle, of course, but not yet.

------
flingo
Is ME enabled by default?

I ask because I've never seen its webserver on my home network. Heck, I don't
even get how it could connect to the internet on a powered off device without
Ethernet.

~~~
kawsper
> Is ME enabled by default?

Yes, and it can't be disabled on all newer systems. The Active Management
Technology (AMT) application, part of the Intel “vPro” brand, is a Web server
and application code that enables remote users to power on, power off, view
information about, and otherwise manage the PC. It can be used remotely even
while the PC is powered off (via Wake-on-Lan).

The ME is present on all Intel desktop, mobile (laptop), and server systems
since mid 2006.

Before version 6.0 (that is, on systems from 2008/2009 and earlier), the ME
can be disabled by setting a couple of values in the SPI flash memory. The ME
firmware can then be removed entirely from the flash memory space. libreboot
does this on the Intel 4 Series systems that it supports, such as the
Libreboot X200 and Libreboot T400. ME firmware versions 6.0 and later, which
are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include
“ME Ignition” firmware that performs some hardware initialization and power
management. If the ME’s boot ROM does not find in the SPI flash memory an ME
firmware manifest with a valid Intel signature, the whole PC will shut down
after 30 minutes.

(snipped from
[https://libreboot.org/faq.html#intel](https://libreboot.org/faq.html#intel))

------
noja
Is there a GDPR angle on this? On by default without consent?

------
arendtio
Someone wants to speculate on what would happen if intel would open source
their ME as a reaction to this?

------
iknowverylittle
>CVE-2018-3628, Intel says that exploitation is possible only from the same
subnet

So if I understand correctly, at the moment, these CPUs are vulnerable on a
local network but not currently over the internet?

Fortunately then various groups have already been working to remove and
nullify as much of ME as possible.

~~~
keyme
"... only from the same subnet"

What about DNS rebinding (decade old unpatched vuln)? It allows websites to
issue requests onto your local subnet.

Actually... Issuing a request doesn't even require any vuln, it's not a SOP
violation...

------
yzmtf2008
Isn’t this vulnerability based on AMT, which is based on ME but disabled by
default? Even then, every setup I’ve seen has AMT (a separate Ethernet
interface) behind a firewall and is only accessible via local network. The
outrage is hardly justified.

~~~
achillean
There are close to 5,000 devices exposing their Intel AMT to the Internet:

[https://www.shodan.io/report/j3cFHOzs](https://www.shodan.io/report/j3cFHOzs)

~~~
yzmtf2008
There are X thousand redis servers exposed to the Internet too. This is hardly
intel’s fault (having the ports exposed, not the vulnerability).

And again, this is not the main point I’m arguing. What I’m saying is that
supposedly “this is something that’s enabled by default on consumer devices”
is verifiably wrong.

~~~
achillean
If you run Redis on a public interface without authentication then it will
spit out a bunch of warnings and make you aware of the security implications.
The changes antirez has made to Redis both in terms of secure defaults and
notifying users of insecure settings have directly led to a huge reduction in
Internet-exposed Redis instances.

And I was trying to address this point:

> Even then, every setup I’ve seen has AMT (a separate Ethernet interface)
> behind a firewall and is only accessible via local network.

In the past, manufacturers used that defense when a security researcher
approached them about a problem and they justified the lack of patching by
saying things like "nobody would put this on the Internet". There are simple
things a manufacturer can do to encourage good security by the end-user (ex.
showing a warning). I don't believe that blaming the end-user is a viable path
to fixing the problem. This issue isn't specific to Intel but I would prefer
it if the vendor implemented more security safeguards to prevent users from
inadvertently increasing their attack surface.

------
ramshanker
It looks like every 6 months there is some bad news for Intel.

~~~
ksec
At the moment it is looking like every 6 weeks. One more reason why the CEO was
fired. (So no one to blame.)

------
watersb
There seems to be confusion about vPro, AMT, BIOS, UEFI, Trusted Boot, and so
on.

This talk helped me: "Replace Your Exploit-Ridden Firmware with Linux"

[https://youtu.be/iffTJ1vPCSo](https://youtu.be/iffTJ1vPCSo)

------
cmurf
Could Intel ME be disabled in UEFI firmware setup (if the firmware were to
offer a UI for it?) Or it is something that's physically enabled/disabled on
the CPU and totally orthogonal to UEFI firmware?

Ergo, could the computer manufacturer release a firmware update providing such
an interface option in firmware setup if they really wanted to? Or are they
stuck once the product is released?

~~~
Kliment
You can disable ME by giving it a firmware image to run that does nothing. The
me_cleaner approach is to keep the module that brings up the hardware and then
give it a command causing it to crash, which is as good as that. A firmware
update can definitely do this too.

------
DanBlake
Does using a USB ethernet adapter mitigate all of the AMT issues? I.e.,
something like this: [https://www.anker.com/products/variant/usb-3-0-to-gigabit-ethernet-adapter/A7610011](https://www.anker.com/products/variant/usb-3-0-to-gigabit-ethernet-adapter/A7610011)

------
enitihas
I think most devices have similar vulnerabilities which aren't well known and
hard to defend against, like the separate processor in most phones. Worth
reading:
[https://news.ycombinator.com/item?id=6722292](https://news.ycombinator.com/item?id=6722292)

~~~
_emacsomancer_
Which is a good reason _not_ to feel smug if your device isn't an Intel
device, but not an excuse for the behaviour of Intel.

------
orblivion
So how did they go about making these fixes? Is this another thing where I
have to download something from my OEM?

The biggest problem I have by far with any of this is that it's not trivial to
update all firmware involved. Everything else is forgivable, people make
mistakes.

~~~
rectang
How can you classify a deliberate architectural decision to trade away
security for all for the convenience of some as a mistake? That the ME would
eventually be exploited was completely foreseeable, and was surely foreseen
and discussed within Intel.

This isn't like some subtle software bug that went undetected. The
consequences were known and Intel deliberately chose them.

~~~
orblivion
> a deliberate architectural decision

This is the "not trivial to update" part. The "mistake" part is all the vulns
that come out.

------
brian_herman
I finally pushed the button on my Lenovo T450S; there is a setting in the BIOS
to delete the AMT. While the best route is to reprogram... I would just rather
click one button and set BIOS passwords afterwards.

~~~
close04
The ME (AMT) is never actually disabled or deleted as long as the FW is there
and running.

Plus you should take advantage of the fact that the 450 is still supported and
gets a ME FW update.

Yesterday I updated all my machines with Gen 4 CPU with new BIOS, new ME FW,
and (surprisingly) new TPM FW. The Gen 3 CPU machines barely got a BIOS update
for Meltdown/Spectre and that's it.

~~~
brian_herman
So I would just update the bios and it will return back to normal?

~~~
close04
Updating the BIOS if you have this option goes without saying. TBH, the BIOS
and various FW in your machine should always be kept up to date. Just give
them 1 month from launch and let others test it to make sure it doesn't have
any serious issues, then just update.

And as long as you are not using it and don't need it you might as well
disable and unconfigure it in BIOS.

Of course in this state your machine is ready for reconfiguring it and it will
accept the default "admin" ME password. Which means you have to make sure you
have a good BIOS password. This will prevent someone who has 2 minutes alone
with your machine from reenabling and configuring it without you even
noticing.

------
baybal2
I wonder, who ever uses these "management engines," let alone put them open on
WANs?

When the first news of IME being compromised came out, I was surprised that Shodan showed
such a small number of machines.

~~~
dictum
When dealing with consumer-grade network equipment, this is the same question
that always comes to my mind: _who_ decided these devices should have their
management features open for WAN access by default?

I'm still not sure if it was an early 2000s fad that nobody really thought
about, or it was deliberate (and if so, why).

~~~
chris_wot
Most of the routers I've seen only have their management interfaces open on
the local network, not on the WAN port.

------
6ue7nNMEEbHcM
Would it suffice to mount and use external Ethernet adapter e.g. on PCIe,
leaving the built-in disconnected? I think the ME intercepts only built-in
Ethernet, can someone confirm?

------
ksec
>Perhaps the only consolation is that for CVE-2018-3628, Intel says that
exploitation is possible only from the same subnet.

That is at least a little more comforting.

~~~
zzzcpan
Javascript in your browser is running in the same subnet.

------
8bitsrule
Must all solutions be software?

How'sa about a desolder-the-chip mitigation? Or a hammer-and-sharp-punch
mitigation?

------
chris_wot
Aside from applying updates, how else can these vulnerabilities be mitigated?
Genuinely curious...

~~~
nh2
As far as I understand:

* In general you cannot.

* You can try to remove ME with non-official tools like [https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner)

* Some vendors ship specific laptops with ME disabled ([https://fossbytes.com/laptops-intel-me-chip-disabled/](https://fossbytes.com/laptops-intel-me-chip-disabled/))

* For servers or desktops, you can plug in a separate PCI network adapter instead of using the one on the mainboard (please correct me if this is wrong or confirm it as I'm unsure about it). That would at least disconnect the ME from the network by default. But anybody could still walk up to your machine, plug a cable into the mainboard ethernet port and own you at the deepest level.

~~~
hlandau
me_cleaner does _not_ disable the ME. It is a _partial_ disablement of ME
functionality, but some functionality remains enabled. The ME firmware is an
Intel-signed proprietary binary blob part of which is instrumental in the
system boot process, so complete removal is impossible.

me_cleaner and/or the HAP bit, or the services offered by laptop vendors which
is basically doing the very same for you, may certainly reduce the degree of
attack surface and the extent to which the ME poses a threat, but it is not a
complete disablement or removal, and you are still reliant on a non-modifiable
binary blob to bring up your system; referring to it as removal is misleading.

Since the firmware is proprietary, it's hard to make any guarantees to what
extent a reduced-size ME (via me_cleaner and/or the HAP bit) reduces attack
surface in practical terms. My understanding is that even with the HAP bit and
me_cleaner applied, the ME continues running at least some functionality after
system boot is completed.

~~~
Kliment
This is correct but misleading. The me_cleaner approach, with all options,
wipes the entirety of the ME firmware except the module needed for hardware
bringup. It then causes the ME to crash as soon as hardware bringup has
happened. The host system cannot communicate with the ME processor and the ME
processor does not execute any further code after this point. This is the
current gold standard.

The next stage would be to disassemble the bringup modules and figure out what
exactly they do by reverse engineering, and implement that part independently.
People are working on this. So far there is no indication that any of the
problematic functionality is in the bringup module.

~~~
hlandau
How can the functionality be implemented independently when the modules must
be signed?

Complete reverse engineering could at least serve as an effective audit
though.

~~~
vengefulduck
It seems likely, to me anyway, that the CPU doesn't have any effective way of
verifying what is running on the ME. So reversed firmware could just lie to the
CPU and tell it that its firmware is signed when it isn't. A similar approach
is used by the microg project to replace proprietary google play services by
spoofing google's signature.

~~~
Kliment
This is very difficult to do as the bit that loads the modules (and checks the
signatures) is implemented in hardware.

------
ddtaylor
Can JavaScript talk to that HTTP via Ajax?

------
ghthor
It's all a scam to make functioning CPUs obsolete. It's a key to turn on a
planned obsolescence.

------
elorant
Time to build a Ryzen rig.

~~~
brian_herman
[https://libreboot.org/faq.html#amdpsp](https://libreboot.org/faq.html#amdpsp)
Sorry man you would still be SOL :(

------
Dinux
Here we go again

