
If you have an ex-lease business PC or server you will want to look into this vulnerability; if not then go back to playing Minecraft.

An old Intel vulnerability was fixed on 1st May. This affects 9 years of Intel's business products.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Quote
Summary: 

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

 
Description: 

There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    • CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    • CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 
Affected products: 

The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

You can read the article. I post the first half here ^

The part that concerns the vulnerability is the feature for remote management of a powered off PC.

AMT from Wikipedia https://en.wikipedia.org/wiki/Intel_Active_Management_Technology


Hardware-based management works at a different level from software applications, uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent. Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems.[9] AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.[1][3][10]

AMT is designed into a secondary (service) processor located on the motherboard,[11] and uses TLS-secured communication and strong encryption to provide additional security.[2] AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.[2] AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management.[12] AMT provides similar functionality to IPMI, although AMT is designed for client computing systems as compared with the typically server-based IPMI.

So what does this mean for you?

If you have a cheapo laptop, or non-business device then you should be safe because AMT was an extra cost for OEMs to implement.

 

This is what Intel has provided for you to check if you are affected https://downloadcenter.intel.com/download/26755

The tool is a Windows executable that scans for Intel SKU and reports back AMT version in use (if present).

Quote

Recommendations:

 

Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

 

Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.

 

Step 3: Intel highly recommends checking with your system OEM for updated firmware.  Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 8.1.71.3608.

 

Step 4: If a firmware update is not available from your OEM, mitigations are provided in this document: https://downloadcenter.intel.com/download/26754

 

 

 

Step 4 above is really interesting because it mentions ports affected and how you can scan your network for affected machines.

 

             ☼

ψ ︿_____︿_ψ_   

Link to comment
https://linustechtips.com/topic/774677-intel-fixes-old-vulnerability/
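
An added example, not part of the original post and not Intel's detection tool: it applies the version rules quoted above (affected lines 6.x to 10.x plus 11.0, 11.5 and 11.6; resolved firmware has a four-digit build number starting with "3") to an inventory of firmware version strings. The host names and every version except 8.1.71.3608 are constructed, and minor versions the advisory does not list (such as 11.1) are treated as not affected.

```python
import re

# Dotted four-part firmware version, e.g. the page's example 8.1.71.3608.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def in_affected_range(major, minor):
    """True for the lines the advisory lists: 6.x-10.x, 11.0, 11.5, 11.6."""
    if 6 <= major <= 10:
        return True
    return major == 11 and minor in (0, 5, 6)


def classify(version):
    """Return 'not-affected', 'resolved', 'vulnerable' or 'unparseable'."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        return "unparseable"
    major, minor = int(match.group(1)), int(match.group(2))
    build = match.group(4)
    if not in_affected_range(major, minor):
        return "not-affected"
    # Step 3: fixed firmware has a four-digit build number starting with "3".
    if len(build) == 4 and build.startswith("3"):
        return "resolved"
    return "vulnerable"


def needs_firmware_update(inventory):
    """Given {hostname: version}, return the hosts to chase the OEM about."""
    return sorted(h for h, v in inventory.items() if classify(v) == "vulnerable")


# Constructed inventory; only 8.1.71.3608 comes from the page.
SAMPLE_INVENTORY = {
    "desk-01": "8.1.71.3608",
    "desk-02": "9.5.22.1760",
    "lap-07": "11.6.10.1196",
    "old-03": "5.2.0.1008",
    "new-11": "11.8.50.3425",
    "srv-02": "not reported",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(f"{host:8} {version:14} {classify(version)}")
    print("update needed:", needs_firmware_update(SAMPLE_INVENTORY))
```

Hosts that come back as "unparseable" still need a manual check with Intel's tool, since no version could be read for them.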

This is very interesting, thankfully my Dell E6420 Plex Server is safe from this.

System

  • CPU
    Ryzen 7 5800x
  • Motherboard
    Asus ROG Strix B550
  • RAM
    Corsair Vengeance Pro RGB 3200MHz 32GB (16x2)
  • GPU
    EVGA Nvidia RTX 2080TI
  • Case
    Fractal Design Define R5
  • Storage
    WD Black SN750 500GB NVMe SSD | WD Green 2TB HD | WD Green 3TB
  • PSU
    EVGA Supernova 850W
  • Display(s)
    Asus 1920x1080p 144hz
  • Cooling
    Cooler Master Master Liquid 240
  • Keyboard
    Logitech Pro TKL
  • Mouse
    Logitech G502
  • Sound
    Logitech G733
  • Operating System
    Windows 10 Pro 64 Bit

I'll wait for the critical email alert from HPE to know if I'm affected but few of my systems are on the open net so I feel safe. 

Yours faithfully


9 minutes ago, Lord Nicoll said:

I'll wait for the critical email alert from HPE to know if I'm affected but few of my systems are on the open net so I feel safe. 

Check out step four and do a quick port scan. Prob the fastest fix without needing any downtime would be a couple of simple firewall rules on affected machines.

Quote
netstat -na | findstr "\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>"

Note:

Although these are the standard ports for LMS, a custom developed LMS could be designed to listen on alternative ports.
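
An added example, not part of the original post or of Intel's mitigation guide: it parses Windows `netstat -na` output and reports only local listeners on the ports named in the quoted command, because a plain text match also hits lines where one of those numbers is the remote port of an outbound connection. The sample output is constructed and the column layout is assumed to be the standard Windows one.

```python
# Ports named in the netstat/findstr command quoted above.
MANAGEABILITY_PORTS = {623, 664, 16992, 16993, 16994, 16995}


def listening_manageability_ports(netstat_output):
    """Return sorted (proto, local_address, port) tuples for local listeners."""
    hits = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers and blank lines; data rows start with the protocol.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # TCP rows carry a state; only LISTENING means a local service.
        # UDP rows have no state column, so a bound local port is enough.
        if proto == "TCP" and state != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in MANAGEABILITY_PORTS:
            hits.add((proto, addr, int(port)))
    return sorted(hits)


# Constructed sample in the layout of Windows "netstat -na".
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:50123     203.0.113.7:16992      ESTABLISHED
  TCP    [::]:16992             [::]:0                 LISTENING
  UDP    0.0.0.0:623            *:*
  UDP    0.0.0.0:5353           *:*
"""

if __name__ == "__main__":
    for proto, addr, port in listening_manageability_ports(SAMPLE_NETSTAT):
        print(f"{proto} listener on {addr} port {port}")
```

As the quoted note says, a custom LMS may listen on other ports, so an empty result does not by itself show that the manageability services are off.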

 


Just now, SCHISCHKA said:

Check out step four and do a quick port scan. Prob the fastest fix without needing any downtime would be a couple of simple firewall rules on affected machines.

 

I don't use Windows on the servers, and only virtual machines are routed outside (only one) and I didn't activate the affected services so I'm off the hook.

Yours faithfully


10 minutes ago, Lord Nicoll said:

I don't use Windows on the servers, and only virtual machines are routed outside (only one) and I didn't activate the affected services so I'm off the hook.

The exploit doesn't require a specific OS. It affects a remote management feature implemented in hardware. I don't know if a virtual machine will save you. My understanding is there is a chip on the motherboard that acts on its own to intercept network traffic. It's all part of the built-in back door conspiracy.


Just now, SCHISCHKA said:

The exploit doesn't require a specific OS. It affects a remote management feature implemented in hardware. I don't know if a virtual machine will save you. My understanding is there is a chip on the motherboard that acts on its own to intercept network traffic. It's all part of the built-in back door conspiracy.

I was referring to the command, that command only works on a Windows system. I don't have that enabled as I use iLO for remote management and web based UIs for the VM system, so I left the extra Wake on LAN, and other Intel stuff disabled, and it isn't ported into or out of my network.

Yours faithfully


5 minutes ago, Jito463 said:

Already posted.

 

*EDIT*
Whoops, and that wasn't even the original one I read.  I guess it's been reposted multiple times now.

my post is better.
