My Lenovo T450s's vPro/AMT setup menu (MEBx) requires a password from me. The default password ("admin") won't work -- which is wonderful, as I have no idea how to reset it. Yay.
>5. Select Unconfigure this system using admin password, enter the admin password (P@ssw0rd) and click the Next button.
I can just imagine the conversation that led to this:
"Johnson! This password doesn't meet our corporate password policy of having digits and symbols."
"But... but this is the default password. It's publicly available and is not supposed to provide any security."
"I don't care what your excuse is. Change it right now."
When it comes to x86-64, everything is back-doored, make no bones about it. If you want something less insecure, go get a T400 and libreboot it, or buy an SBC that can run with no blobs.
Edit: Sorry, read a bit deeper. Presumably this has to be enabled in the BIOS, but an O/S-level firewall won't help. Ack.
Am I safe if it doesn't connect with telnet on 16992?
To avoid a crash, users can mount potentially malicious filesystems in userspace, i.e. users can run kernel drivers like ffs outside of the kernel. This feature comes from a non-Linux kernel. I have read this may be able to work on Linux too but I have never tried it.
It's clearly using SOAP, and looks like you can choose between HTTPS or HTTP.
Linux has FUSE for this, but...
- A lot of filesystems don't have FUSE drivers. You can't use the same kernel-mode drivers in userspace. In fact, off the top of my head, the only filesystem with both kernel-mode and userspace drivers is ZFS.
- It just reduces the threat, it doesn't eliminate it. There's no guarantee whatsoever that the FUSE kernel-side shim is invulnerable to bad inputs, though hopefully it's been audited. Something that never touches the kernel would still be preferable.
I'll concede that there are some older vulns allowing that, but if you meant for a reasonably up-to-date Linux or Win7+ system: reference needed.