
Intel acknowledges security flaw in Intel Management Engine

The Intel Management Engine (ME) has a security flaw; a remotely exploitable security hole.  Even if the remote management features are disabled, the machine flaw can still be exploited locally.  This flaw has been known for years, but nothing has been done about it until recently.  It is possible that this flaw is being used out in the wild.  The issue exists because the Intel Management Engine (ME) controls network ports and has direct memory access.  The ME has the ability to write to and read from any memory in the system, including encrypted disks once they have been unlocked.  The ME also has the ability to read and write to the display as well as send data out over the network.  These activities can be done without leaving any log traces behind.  The features of the Intel Management Engine are strongly helpful to IT departments in corporate environments but are of little to no use to average consumers, yet the features appear in part or in whole in almost every Intel product.

 

Intel is working on patches, but for OEM systems it will be up to the OEM suppliers to provide them.  Some smaller OEMs may not be able to offer the patches, while others may only offer patches for products within their warranty period.  Due to the wide time frame of products with the flaw, a situation similar to the latter could leave a large amount of vulnerable systems as up to half or more of the products affected would be out of the warranty period.

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

 

Read Intel's advisory here: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

 

EDIT - it appears this flaw only exists in the components of the Management Engine used in vPro enabled CPUs.  It may also require a compatible chipset and network interface.  Here is a list of vPro CPUs.  You will notice some consumer products are indeed in the list such as Sandy Bridge.

http://ark.intel.com/Search/FeatureFilter?productType=processors&VProTechnology=true

 

More reading: http://www.tomshardware.com/news/intel-amt-vulnerability-me-dangerous,34300.html

There's something cool here - you just can't see it.


I'm pretty sure this has been posted quite a few times prior to this new development.

 

Intel's ME has had issues for quite [a while]. 

 

Edit: Incorrect grammar.


2 minutes ago, ARikozuM said:

I'm pretty sure this has been posted quite a few times prior to this new development.

 

Intel's ME has had issues for quite [a while]. 

 

Edit: Incorrect grammar.

https://www.extremetech.com/computing/230342-report-claims-intel-cpus-contain-enormous-security-flaw

 

You'd be correct. This has been reported in the past. The article I linked mentions it goes all the way back as 2009.


4 minutes ago, ARikozuM said:

I'm pretty sure this has been posted quite a few times prior to this new development.

 

Intel's ME has had issues for quite [a while]. 

 

Edit: Incorrect grammar.

 

2 minutes ago, M.Yurizaki said:

https://www.extremetech.com/computing/230342-report-claims-intel-cpus-contain-enormous-security-flaw

 

You'd be correct. This has been reported in the past. The article I linked mentions it goes all the way back as 2009.

I suppose I should change the title to Intel acknowledges security flaw, because the point is they have issued an official advisory and are working on fixing it.

There's something cool here - you just can't see it.


14 minutes ago, M.Yurizaki said:

way back as 2009

2008 actually, since Intel Nehalem


Is this the flaw that let you break out of VMs?

-KuJoe


6 minutes ago, KuJoe said:

Is this the flaw that let you break out of VMs?

no, it's vPRO

related to Active Management


Eh, pretty sure it was only on Core I series and lower end Xeons, no big deal for me.


3 minutes ago, Rangaman42 said:

Eh, pretty sure it was only on Core I series and lower end Xeons, no big deal for me.

it affects everything vPRO since 2008 to Kaby Lake - PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)


*wonders if this flaw can be used to break the Readyplay DRM*

My eyes see the past…

My camera lens sees the present…


4 minutes ago, Zodiark1593 said:

*wonders if this flaw can be used to break the Readyplay DRM*

You know since it does have the ability to intercept display it could potentially subvert some DRMs.  I am unsure about audio.

There's something cool here - you just can't see it.


1 hour ago, KuJoe said:

Is this the flaw that let you break out of VMs?

 

1 hour ago, zMeul said:

no, it's vPRO

related to Active Management

It will allow you to break in to VMs though, Intel AMT has unrestricted and unlogged access to everything. Which means yes you can use it to break out of VMs.

 

Quote

The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

 


16 minutes ago, leadeater said:

 

It will allow you to break in to VMs though, Intel AMT has unrestricted and unlogged access to everything. Which means yes you can use it to break out of VMs.

 

 

That's what I thought, I was trying to find my e-mails with my clients about this from 2014 or 2015 but I wasn't able to find the specific exploit reports.

-KuJoe


Damnit. My Laptop's CPU has vPro enabled......

Judge a product on its own merits AND the company that made it.


21 minutes ago, Jinchu said:

https://mjg59.dreamwidth.org/48429.html 

according to this article, you have to be worried only when you are using a computer that has had AMT enabled. That being said the whole ME deal is shady. 

If you have the Intel ME/AMT drivers installed there is a service, LMS, that can be used to talk directly to the ME firmware. This is the local only attack vector and can be used to configure AMT and enable it for network access.

 

Intel has a mitigation advisory document that advises to disable that service completely until new firmware is patched.

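The LMS mitigation described in the post above, as an added example (not code from the thread or from Intel's advisory): a PowerShell function that reports whether the LMS service is present and which AMT-related ports the OS is listening on, and optionally stops and disables the service. The function name, the port list (16992-16995, 623, 664) and the use of `Get-NetTCPConnection` (Windows 8 / Server 2012 or later) are assumptions of this example.

```powershell
# Added example. Assumes the service name "LMS" mentioned in the post and the
# commonly documented AMT/ISM/SBT TCP ports; Get-LmsExposure is a hypothetical name.
function Get-LmsExposure {
    [CmdletBinding()]
    param(
        # Stop and disable LMS (requires an elevated session).
        [switch]$Disable
    )

    $amtPorts = 16992, 16993, 16994, 16995, 623, 664
    $svc = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue

    if ($Disable -and $svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'LMS' -Force }
        Set-Service -Name 'LMS' -StartupType Disabled
        $svc = Get-Service -Name 'LMS'   # re-read state after the change
    }

    # Start mode (Auto / Manual / Disabled) as recorded by the service manager.
    $startMode = $null
    if ($svc) {
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='LMS'").StartMode
    }

    # Listeners the OS knows about. Network traffic to a provisioned AMT is
    # handled by the ME itself and never shows up here, so an empty list only
    # says the local (LMS) path is closed, not that AMT is unprovisioned.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $amtPorts -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        LmsInstalled           = [bool]$svc
        LmsStatus              = if ($svc) { $svc.Status } else { 'NotPresent' }
        LmsStartMode           = $startMode
        LocalAmtPortsListening = @($listeners)
    }
}

# Report only; run Get-LmsExposure -Disable from an elevated prompt to apply.
Get-LmsExposure
```

Disabling LMS closes the local path only; firmware from the OEM is still needed for the flaw itself.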

3 hours ago, leadeater said:

If you have the Intel ME/AMT drivers installed there is a service, LMS, that can be used to talk directly to the ME firmware. This is the local only attack vector and can be used to configure AMT and enable it for network access.

 

Intel has a mitigation advisory document that advises to disable that service completely until new firmware is patched.

So now it's a big deal for Intel, but they didn't care last year, or any year before that?

 

If this were Microsoft or AMD, people would lose their minds. It really seems that people don't really get upset if Intel makes a mistake and ignores it for 9 years.


People have been upset the entire time - even before any flaws were discovered.  It's something that has no business being in consumer level hardware in the first place, only corporate hardware.

There's something cool here - you just can't see it.


So this is "only" an issue for chips that have vPro, correct?

Because if it is, then it's quite far from "virtually every" Intel chip.

It's still a really bad situation, and shows why having backdoors with extremely high privileges is a really bad idea, but hopefully it's not as if all computers in the world are vulnerable. For example the 7700K does not have vPro, and neither does any of the standard i5 and i7 that most people on this forum would buy for their desktops.


42 minutes ago, LAwLz said:

and shows why having backdoors with extremely high privileges is a really bad idea,

this is a flaw not an intentional hole. 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


1 hour ago, LAwLz said:

So this is "only" an issue for chips that have vPro, correct?

Because if it is, then it's quite far from "virtually every" Intel chip.

It's still a really bad situation, and shows why having backdoors with extremely high privileges is a really bad idea, but hopefully it's not as if all computers in the world are vulnerable. For example the 7700K does not have vPro, and neither does any of the standard i5 and i7 that most people on this forum would buy for their desktops.

The X99 i7s also don't have vPro enabled (5820k - 6950X).

 

Edit 9:37 - it looks like only the mobile cpus support vPro.


5 hours ago, Fetzie said:

The X99 i7s also don't have vPro enabled (5820k - 6950X).

 

Edit 9:37 - it looks like only the mobile cpus support vPro.

 

7 hours ago, LAwLz said:

So this is "only" an issue for chips that have vPro, correct?

Because if it is, then it's quite far from "virtually every" Intel chip.

It's still a really bad situation, and shows why having backdoors with extremely high privileges is a really bad idea, but hopefully it's not as if all computers in the world are vulnerable. For example the 7700K does not have vPro, and neither does any of the standard i5 and i7 that most people on this forum would buy for their desktops.

 

It does appear that fewer consumer chips include it than they did in the Sandy Bridge days.  Only one I was able to find was the 7700 from the current generation.

There's something cool here - you just can't see it.


6 hours ago, Fetzie said:

Edit 9:37 - it looks like only the mobile cpus support vPro.

Every HP/Dell etc business desktop has Intel AMT/vPro support and some of the advanced features in Windows Enterprise editions required vPro support, this really only affects businesses as consumer devices almost always don't have AMT or AMT is disabled by the OEM and isn't configurable at all.

 

There's more to it than just having a CPU that supports vPro thankfully.


2 minutes ago, leadeater said:

Every HP/Dell etc business desktop has Intel AMT/vPro support and some of the advanced features in Windows Enterprise editions required vPro support, this really only affects businesses as consumer devices almost always don't have vPro or vPro is disabled by the OEM and isn't configurable at all.

 

There's more to it than just having a CPU that supports vPro thankfully.

I cannot confirm that the software support for it ships with the Optiplex 790, but I did the system check on mine with a blank media windows 7 install and it definitely did detect the firmware and the revision of it.  It does list as isamtenabledinbios as 00 so it's probably disabled tho I may have done that myself, I don't remember.  Even though it is a clean install of Windows, it still reports in the AMT detection tool results in the registry that it's a Dell Optiplex 790.

There's something cool here - you just can't see it.
