Escalation of Privilege Advisory (intel.com)
482 points by ctoth on May 1, 2017 | 299 comments

For a system to be affected, both chipset and CPU have to support vPro. For example, a PC with Core i7-7700 CPU and H270 chipset is not affected because only the CPU has support for vPro, but a PC with Core i7-7700 CPU and Q270 chipset is affected because both CPU and chipset have support for vPro.

And as far as I can see you'd still have to have AMT enabled in your BIOS.

At least for it to be exploited remotely. It can still be exploited locally.

What is the network traffic for this management stuff? TCP? UDP? What ports? I presume just blocking it at the switch or router would be an approach to mitigation?

EDIT: from the PDF posted in another thread, looks like the Intel ME ports are 16992, 16993, 16994, 16995, 623, and 664.
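An added example, not part of the thread: one way to check whether traffic to the ports listed above is crossing a router or firewall that should be blocking it. The log lines are constructed samples in iptables `LOG` key=value style, and the management subnet `10.0.99.0/24` is an assumption; the thread does not say which transport protocol each port uses, so the check matches on destination port for any protocol.

```python
import ipaddress
import re
from collections import defaultdict

# Ports listed in the thread above for Intel ME/AMT management traffic.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}
# Assumption: the only subnet permitted to reach management ports.
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")

# Constructed sample lines in iptables LOG key=value style.
SAMPLE_LOG = """\
May  2 10:01:11 gw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.99.5 DST=10.0.20.14 PROTO=TCP SPT=51512 DPT=16992
May  2 10:01:14 gw kernel: FWD IN=eth2 OUT=eth0 SRC=10.0.30.77 DST=10.0.20.14 PROTO=TCP SPT=40022 DPT=16993
May  2 10:02:40 gw kernel: FWD IN=eth2 OUT=eth0 SRC=10.0.30.77 DST=10.0.20.15 PROTO=UDP SPT=40100 DPT=623
May  2 10:03:02 gw kernel: FWD IN=eth2 OUT=eth0 SRC=10.0.30.77 DST=10.0.20.15 PROTO=TCP SPT=40101 DPT=443
May  2 10:03:09 gw kernel: FWD IN=eth2 OUT=eth0 SRC=10.0.30.80 DST=10.0.20.14 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the flow fields of one log line, or None if it has no SRC/DST/DPT."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields.get("PROTO", "?"),
            "dport": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None  # e.g. ICMP has no DPT; malformed lines are skipped

def find_amt_traffic(log_text, mgmt_net=MGMT_NET):
    """Map destination host -> {(src, proto, port)} seen from outside mgmt_net."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in AMT_PORTS:
            continue
        if rec["src"] in mgmt_net:
            continue  # expected management-station traffic
        hits[str(rec["dst"])].add((str(rec["src"]), rec["proto"], rec["dport"]))
    return dict(hits)

if __name__ == "__main__":
    for dst, flows in sorted(find_amt_traffic(SAMPLE_LOG).items()):
        for src, proto, port in sorted(flows):
            print(f"{src} -> {dst} {proto}/{port}")
```

Any destination host that appears in the result is receiving management-port traffic from outside the permitted subnet and is a candidate for the firmware and BIOS checks discussed elsewhere in the thread.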

Is there any indication the vulnerability is present on Intel-based Macs?

It's not present because Macs don't have AMT.

There have been plenty of Macs with vPRO CPUs. Unless Apple is getting custom CPUs or CPU firmware then it would seem that Macs do have AMT. No?

Enabling it is tremendously difficult though AFAIK.

It has to have the ME silicon and the AMT enabled firmware. According to Matthew Garrett, who I'd generally trust on this stuff, Apple hasn't ever shipped AMT-enabled firmware.

It's nice to see that for once it's a good thing that Apple hardly ever ships standard firmware and instead usually leaves out all the components and features they don't plan to use.

vPro isn't a CPU, it's a particular combination of CPU, PCH (southbridge), Intel NIC/WiFi, and AMT firmware. There's no evidence that Macs have AMT or vPro.

Well, Intel does a particularly bad job of explaining whether this exists. My MBP CPU is a Core(TM) i7-4850HQ, and Intel's ark site says it has vPro.

You're right about that. Intel's product lineup is a huge mishmash of optional features that no one understands and now it's going to bite them. (But not really, because what else are you going to buy? A Ryzen laptop?)

I don't see any reason why it wouldn't be. However it doesn't seem immediately clear whether or not it'd be exploitable under default configs.

Is there any chance this could be exploitable from within a guest virtual machine, or does Intel's architecture only allow a hypervisor to communicate with the firmware?

They don't say how the local exploit works, other than mentioning that an unprivileged user can do it:

"An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges"

I would go ahead and assume it's an issue on guest virtual machines. Maybe not, but since they don't explain the vector...

If it is remotely exploitable that means that if you're on the network you can do damage. So if that guest virtual machine has access to the same LAN or VLAN that your ME sits on then you might be in trouble.

That's the whole problem here, this is an issue that allows a remote attack, not just a local one.

Even so, it also allows a local attack. One that cannot be fixed without a firmware upgrade (now hope/pray/beg your OEM to release one).

Yes, remote exploitability sucks hard, but that's not the "whole problem"; there's a bigger problem than just remote exploitability.

Anyone expecting another shadowbrokers reveal soon...?

Stallman was right.

Did you doubt? If anything Stallman has been right far more often than he was wrong about such things.

Even Trump is occasionally right.

They really don't make it easy to parse this. Wish they just had a list of models/skus.

I would guess you saw this, but just in case:

Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.

Step 2 is pretty useless if you don't use Windows.

It's specifically a vulnerability in system firmware, and they provide a nice table listing the affected ranges of firmware versions.

Do I need to be concerned about my Mac or my Lenovo Windows laptop?

That depends:

- do you have a vPro-enabled Mac (probably not) or laptop (could be)?

- if so, are you running AMT (check BIOS!)?

- if so, is it running one of the affected versions?

- and even if not, check if the machine is running LMS, and if it does, disable that.

Who's ready for cheap hardware sales?

Or lucrative short term contract work.

Very good idea.

Isn't security by obscurity awesome?

i7 4510U affected?


We detached this subthread from https://news.ycombinator.com/item?id=14242120 and marked it off-topic.

He's not downplaying anything. And it's not like Chuck is an employee of Intel.

In what way did he downplay it? By telling an anecdote?

A remote attacker can use a backdoor to gain control of any PC? This is great news for malicious AI!

That's a great idea for training an AI for, and someone totally has already done it. I'm training myself to (be able to) live off the grid when time comes.
