Someone obtained a fully functional JTAG for Intel CSME via USB DCI


wahdangun

Golden Member
Feb 3, 2011
Ars Technica reporting that "Millions of computers could be remotely hijacked through bug in firmware code." Specifically, the Intel Management Engine.
https://arstechnica.com/information...lity-in-pc-server-device-firmware/?comments=1

Apparently, my Dell laptop is on the list. I am discontinuing usage of the device until the vulnerability is patched.

Lucky for me, we use an ancient AM3 for our firewall server, and all our Intel Xeon servers are guarded behind it.

But it's time to strengthen the firewall.

EDIT: No wonder there are hacking incidents everywhere.

coercitiv

Diamond Member
Jan 24, 2014
Ars Technica reporting that "Millions of computers could be remotely hijacked through bug in firmware code." Specifically, the Intel Management Engine.
https://arstechnica.com/information...lity-in-pc-server-device-firmware/?comments=1

Apparently, my Dell laptop is on the list. I am discontinuing usage of the device until the vulnerability is patched.
For those who read the article: the detection tool has a simple GUI implementation that quickly checks and displays whether the vulnerability exists on the local machine. So don't believe everything they write in the press. ;) (Although at the time of the article the software package may have been different.)
  • My Coffee Lake system is already patched; the fix was likely made 3 weeks ago when I updated the firmware (it does state an ME update).
  • My Skylake system is vulnerable, let's see how fast MSI is going to post a patch.
  • Haswell-based laptop is not vulnerable, as expected, considering the vulnerability is specific to newer ME versions starting with Skylake CPUs.

Reactions (Like): moinmoin and IEC

plopke

Senior member
Jan 26, 2010
My mom/dad's desktop PC (Gigabyte B150-D3HP, Core i3-6300) is listed as vulnerable by the Intel tool. Gigabyte has a press release stating updates will start for the 300 and 200 series motherboards, followed by older ones; I see they have been releasing a BIOS update for the B250-D3HP. Sigh, the B150 had better get one also, it's not even 2 years old I think.

But I have some questions:
1) Is there no way to disable this in the BIOS?
2) What if your system was never set up for remote management logins? If I read the instructions correctly, you would have had to set it up once locally?
3) Does this affect only the local LAN?

PS edit/update: maybe make a separate thread about this :)?

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
It affects WAN too, because technically your firewall probably has some sort of Intel or AMD processor in it, so it could hijack the NIC to send/receive data (or whatever it is this thing does). Though I'm almost wondering if it might actually be SAFER to use a crappy SOHO router like a Linksys or D-Link nowadays because of this, but I really don't want to give up the functionality of pfSense. Even then, who knows if the CPUs in those boxes may also have this backdoor in them. This is the problem with closed source. Now that the cat is out of the bag about Intel and AMD putting backdoors into the CPU, all you can ask yourself is "who else does this?".

moinmoin

Diamond Member
Jun 1, 2017
In two related news:

https://twitter.com/rootkovska/status/938458875522666497
Attacking #IntelME by @h0t_max & @_markel___ at #BHEU
1. Requires malformed file on SPI flash (needs physical access or bug in BIOS)
2. Bug in early-loaded module, so ME "disabling" by HAP is not a cure
3. Culprit is classic(!) stack overflow
4. Full code exec in ME
Congrats! pic.twitter.com/own7OZCgxg

— Joanna Rutkowska (@rootkovska) December 6, 2017


AMD's latest AGESA version includes the capability to "disable" the PSP (AMD's ME), some manufacturers include it, others need modding to make the setting show up. https://www.reddit.com/r/linuxmaste...istened_to_us_and_added_a_psp_disable_option/
 
Reactions (Like): coercitiv
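The tweet quoted above describes the bug as a classic stack overflow in an early-loaded ME module, triggered by a malformed file on SPI flash. The C example below is added here to illustrate that bug class; it is not the ME code and not from the talk, and the image format ("IMG1" magic, 32-bit little-endian name length, then the name bytes), the parser names and the status codes are constructed for the example. The vulnerable parser bounds the length field against the image but never against its own stack buffer; the hardened one checks it against the destination before anything is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  8    /* 4-byte magic + LE32 name length (constructed format) */
#define MAX_NAME 16   /* size of the fixed stack buffer in both parsers */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build a constructed image in buf: "IMG1", LE32 name_len, then name_len 'A' bytes.
   Returns the image size, or 0 if it does not fit in cap. */
size_t build_image(uint8_t *buf, size_t cap, uint32_t name_len) {
    if (cap < HDR_LEN + (size_t)name_len) return 0;
    memcpy(buf, "IMG1", 4);
    for (int i = 0; i < 4; i++) buf[4 + i] = (uint8_t)(name_len >> (8 * i));
    memset(buf + HDR_LEN, 'A', name_len);
    return HDR_LEN + name_len;
}

/* VULNERABLE: the copy length comes from the image and is checked against the
   image size, but never against sizeof(name). A name_len of 64 writes 48 bytes
   past the end of the 16-byte stack buffer, over whatever the compiler placed
   there (saved registers, return address): a classic stack overflow. */
int entry_name_unsafe(const uint8_t *img, size_t img_len, char *out, size_t out_cap) {
    char name[MAX_NAME];
    if (out_cap == 0) return -4;
    if (img_len < HDR_LEN || memcmp(img, "IMG1", 4) != 0) return -1;
    uint32_t n = rd32le(img + 4);
    if ((size_t)n > img_len - HDR_LEN) return -3;   /* stays inside the image ... */
    memcpy(name, img + HDR_LEN, n);                 /* ... but not inside name[] */
    size_t c = n < out_cap - 1 ? n : out_cap - 1;
    memcpy(out, name, c);                           /* reads past name[] as well */
    out[c] = '\0';
    return (int)n;
}

/* HARDENED: same format, but the attacker-controlled length is bounded by the
   destination buffer before it is used, and the image bound is checked without
   integer underflow. Nothing is copied until every length relation holds. */
int entry_name_safe(const uint8_t *img, size_t img_len, char *out, size_t out_cap) {
    char name[MAX_NAME];
    if (out_cap == 0) return -4;
    if (img_len < HDR_LEN || memcmp(img, "IMG1", 4) != 0) return -1;
    uint32_t n = rd32le(img + 4);
    if (n >= sizeof(name)) return -2;              /* leave room for the NUL */
    if ((size_t)n > img_len - HDR_LEN) return -3;  /* truncated image */
    memcpy(name, img + HDR_LEN, n);
    name[n] = '\0';
    snprintf(out, out_cap, "%s", name);
    return (int)n;
}

/* Builds an image with the given name length and runs the hardened parser;
   returns its status (-99 if the image would not fit the scratch buffer). */
int check_hardened(uint32_t name_len) {
    uint8_t img[256];
    char out[32];
    size_t len = build_image(img, sizeof img, name_len);
    if (len == 0) return -99;
    return entry_name_safe(img, len, out, sizeof out);
}

/* Hardened parser fed an image whose declared name runs past the end. */
int check_hardened_truncated(void) {
    uint8_t img[64];
    char out[32];
    size_t len = build_image(img, sizeof img, 5);
    return entry_name_safe(img, len - 2, out, sizeof out);
}

/* Runs the vulnerable parser on a well-formed 5-byte name only; feeding it a
   64-byte name would corrupt the stack, so that case is never executed here. */
int check_unsafe_on_good(void) {
    uint8_t img[64];
    char out[32];
    size_t len = build_image(img, sizeof img, 5);
    return entry_name_unsafe(img, len, out, sizeof out);
}

int main(void) {
    printf("hardened, name_len=5  -> %d\n", check_hardened(5));       /* 5  */
    printf("hardened, name_len=15 -> %d\n", check_hardened(15));      /* 15 */
    printf("hardened, name_len=16 -> %d\n", check_hardened(16));      /* -2 */
    printf("hardened, name_len=64 -> %d\n", check_hardened(64));      /* -2 */
    printf("hardened, truncated   -> %d\n", check_hardened_truncated()); /* -3 */
    printf("unsafe, name_len=5    -> %d\n", check_unsafe_on_good());  /* 5  */
    return 0;
}
```

Build with `cc -Wall example.c`. The point to take from the pair is that the input-size check alone does not help: the overflow in entry_name_unsafe exists because the copy length is bounded by the wrong quantity (how much input there is) instead of by the destination, which is exactly the pattern to look for when reviewing any firmware parser that is fed from flash.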

Topweasel

Diamond Member
Oct 19, 2000
That makes it sound like the only reason it exists is to allow government agencies to access your computer. Its actual purpose is remote management by administrators, especially in cases where the PC can't load its OS. I imagine most computers would be much easier to exploit using other methods.

Not that you are wrong, but it should be noted that, because the network stack is part of the ME (as with, let's say, the PSP, where any vPro features would plug into the PSP), the ME has an always-active network system working whether or not you have a system capable of vPro.

So when you combine that with information we "know" from the Snowden leaks: a lot of what the NSA could tap into, everything everywhere if they wanted, and did at times, parts of the leak probably go back to exactly this. We know that the DoD and such have placed a lot of pressure on US companies, and companies with a strong US presence, to allow them avenues for accessing information for "security", even though we get pretty angry when we hear of Russian and Chinese companies doing the same. I don't want to speculate on whether this type of access to "non-implemented" features was actually given to our federal agencies. But I do understand the concern when you have hidden console access potentially being on no matter your choice of hardware, as long as it is connected to the internet.

The hack just makes it worse, because now you have a tech that could be more helpful than not, but that you don't actually have access to because you didn't pay extra for vPro, that could already be being misused by the government, and that can now demonstrably be accessed by an even more malicious third agent.

Topweasel

Diamond Member
Oct 19, 2000
In two related news:

https://twitter.com/rootkovska/status/938458875522666497



AMD's latest AGESA version includes the capability to "disable" the PSP (AMD's ME), some manufacturers include it, others need modding to make the setting show up. https://www.reddit.com/r/linuxmaste...istened_to_us_and_added_a_psp_disable_option/

Which is both good and bad. The PSP isn't anything like the ME. It gives hardware manufacturers options that could include ME-like features. So while it's good to see a company move back towards giving control to the end user, I feel with the PSP people are throwing out the baby with the bath water. I know it's a black box, but that doesn't make it a bad box.

moinmoin

Diamond Member
Jun 1, 2017
I know it's a black box, but that doesn't make it a bad box.
Well, that's a matter of opinion and trust. Personally I think a black box possibly capable of acting on its own without supervision always requires full scrutiny. Bugs always exist, and lack of supervision (especially by design) is always bound to be abused at some point.

The PSP in particular is poorly documented. The existence of the "disabling PSP" capability (whatever this actually entails) was only found through Gigabyte's BIOS Setup User's Guide for their Epyc server boards, where there's also a list of POST codes by the PSP (starting on page 97) that reveals there are "P2C Mailbox Handling" and "C2P Mailbox Handling", whose purposes are not further documented.

Topweasel

Diamond Member
Oct 19, 2000
Well, that's a matter of opinion and trust. Personally I think a black box possibly capable of acting on its own without supervision always requires full scrutiny. Bugs always exist, and lack of supervision (especially by design) is always bound to be abused at some point.

The PSP in particular is poorly documented. The existence of the "disabling PSP" capability (whatever this actually entails) was only found through Gigabyte's BIOS Setup User's Guide for their Epyc server boards, where there's also a list of POST codes by the PSP (starting on page 97) that reveals there are "P2C Mailbox Handling" and "C2P Mailbox Handling", whose purposes are not further documented.

Understood. But from what we understand of the PSP (which goes back to trust, sure), it becomes the security and encryption engine that makes all of the other stuff possible if the manufacturers choose to plug in through an API into its security system. But it isn't a tool itself for that functionality. Those functions seem like they would be reception areas for key rings.

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
At this point I just hope this blows up so hard that they are forced to remove this crap. It seems every couple of weeks a new exploit is found. I don't really see that happening though; this was probably government mandated more than anything. They could not care less if people are getting hacked. It's a matter of time till a huge worm is created to really take advantage of this. I wonder if you can do stuff like change CPU voltages from this backdoor; imagine a worm that just blows up computers or maybe even starts fires. Something huge needs to happen to cause a huge class action lawsuit or something.

DrMrLordX

Lifer
Apr 27, 2000
Considering that Germany is mandating that all tech have mandatory gub'ment backdoors, and that Congress seems to be considering similar measures, that ought to tell you about the ME's future.

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Yeah, things are really starting to suck in that regard. If Germany does it, I'm sure the US and then Canada will follow. They are pretty much salivating at this idea.

What really blows is that a lot of this stuff is done at the silicon level (like this ME stuff), so unless you want to build your own fab, even DIY electronics will be backdoored. Like I was thinking, one could build a computing platform based on FPGAs, but who's to say the FPGAs won't also get backdoors eventually.

moinmoin

Diamond Member
Jun 1, 2017
Did everybody miss the detailed talk at 34C3?
https://media.ccc.de/v/34c3-8762-inside_intel_management_engine

Fun salt: (image)

Reactions (Like): NTMBK

hasu

Senior member
Apr 5, 2001
Are there any class action lawsuits against Intel for this deliberately included major security flaw?

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Doubt it. Big corporations never get held liable for stuff like this. Just look at the Equifax breach. It's pretty much blown over at this point despite the millions of peoples lives that have been ruined or that will be ruined because of it.
 

hasu

Senior member
Apr 5, 2001
So what is included in BIOS updates that addresses this flaw?
Can it affect systems behind a firewall (assuming no one hacked into the network)?
 

plopke

Senior member
Jan 26, 2010
So what is included in BIOS updates that addresses this flaw?
Can it affect systems behind a firewall (assuming no one hacked into the network)?

Since Intel considers this strictly in-house, we will never know; it's just "here is a new BIOS" and hope they did it right this time. Gigabyte at least updated the 100/200/300 series, so kudos to them for all generations.

I made a post with some documentation of intel stating in what scenarios it could affect you.


https://forums.anandtech.com/threads/intel-sa-00086-security-report-some-links-my-questions.2528627/

I ran the Intel tool after the BIOS update and it said it detected the fix as installed, whereas before it said my system was vulnerable.

hasu

Senior member
Apr 5, 2001
Are there any Intel/AMD CPUs that do not have backdoor management features?
May 11, 2008
If you are willing to sacrifice raw speed, most embedded microcontrollers are not so sophisticated that they have considerable security flaws.
In theory it is a matter of writing your own TCP/IP stack that runs on a microcontroller, doing all kinds of checks. Use it as a firewall / IDS, but one does need to write code that does constant checks on everything. No naively written functions, but managed code (meaning code that checks for everything), so to say.
It will be slow if it is checking and inspecting every packet, but safe, and one needs to think of ways to circumvent the small amount of embedded flash, like using an external flash chip and extra SRAM memory.
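As an added example of the "check everything" packet inspection the post above describes (not code from the post, nor from any real firewall or microcontroller stack), here is a C inspector for a single IPv4 packet that validates every header field against the bytes actually received before using it as a length or index. The sample packet, the status codes and the allow-only-TCP-to-port-22 policy are constructed for the example; the header checksum routine is the standard RFC 1071 one's-complement sum.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts. Anything but PKT_OK means the frame is dropped. (Constructed.) */
enum { PKT_OK = 0, PKT_TOO_SHORT, PKT_BAD_VERSION, PKT_BAD_IHL,
       PKT_BAD_TOTLEN, PKT_BAD_CSUM, PKT_DENIED };

/* Constructed sample (not a real capture): IPv4 header with a correct checksum
   of 0xf773, carrying a TCP SYN from 192.168.1.10:49152 to 192.168.1.1:22. */
const uint8_t sample_syn_to_22[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0xf7, 0x73,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x01,
    0xc0, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum over the header. Because the stored checksum
   field is included in the sum, the result is 0 for an intact header. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16be(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Inspect one IPv4 packet of len bytes. Each header field that later code would
   trust (version, IHL, total length, checksum, protocol, port) is validated
   against the bytes actually received before it is used as an index or length.
   Policy (constructed for the example): allow only TCP to destination port 22. */
int inspect_ipv4(const uint8_t *pkt, size_t len) {
    if (len < 20) return PKT_TOO_SHORT;                   /* minimum IPv4 header */
    if ((pkt[0] >> 4) != 4) return PKT_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return PKT_BAD_IHL;         /* options must really be there */
    uint16_t tot = rd16be(pkt + 2);
    if (tot < ihl || tot > len) return PKT_BAD_TOTLEN;     /* never trust it past the buffer */
    if (ipv4_header_checksum(pkt, ihl) != 0) return PKT_BAD_CSUM;
    if (pkt[9] != 6) return PKT_DENIED;                    /* not TCP */
    if ((size_t)tot - ihl < 4) return PKT_TOO_SHORT;       /* need both TCP ports */
    uint16_t dport = rd16be(pkt + ihl + 2);
    return dport == 22 ? PKT_OK : PKT_DENIED;
}

/* Copies the sample, overwrites one byte, and returns the inspector's verdict.
   Used to show which check catches each kind of tampering. */
int inspect_mutated(size_t offset, uint8_t value) {
    uint8_t copy[sizeof sample_syn_to_22];
    if (offset >= sizeof copy) return -1;
    memcpy(copy, sample_syn_to_22, sizeof copy);
    copy[offset] = value;
    return inspect_ipv4(copy, sizeof copy);
}

int main(void) {
    printf("unmodified SYN to :22     -> %d\n", inspect_ipv4(sample_syn_to_22, sizeof sample_syn_to_22)); /* 0 */
    printf("IHL claims 60-byte header -> %d\n", inspect_mutated(0, 0x4f));  /* PKT_BAD_IHL */
    printf("total length 255          -> %d\n", inspect_mutated(3, 0xff));  /* PKT_BAD_TOTLEN */
    printf("protocol byte changed     -> %d\n", inspect_mutated(9, 17));    /* PKT_BAD_CSUM */
    printf("destination port 80       -> %d\n", inspect_mutated(23, 0x50)); /* PKT_DENIED */
    printf("truncated to 19 bytes     -> %d\n", inspect_ipv4(sample_syn_to_22, 19)); /* PKT_TOO_SHORT */
    return 0;
}
```

The order of the checks matters: the IHL is validated before it is used to locate the transport header, the total length before anything is read at that offset, and the checksum before any field past the first few bytes is believed. Changing the protocol byte is caught by the checksum rather than by the policy, while changing a TCP byte is not covered by the IP checksum at all, which is why the port check still has to be bounds-checked on its own.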
 

hojnikb

Senior member
Sep 18, 2014
I wish someone would crack the part of the microcode that controls what the CPU actually is, i.e., unlock a locked 4-core i3 into a 6-core i7 (provided both use the same die). Or the same thing with chipsets.

Now that would be fun. Remember the good ol' days of core unlocking on AMDs?

hasu

Senior member
Apr 5, 2001
If you are willing to sacrifice raw speed, most embedded microcontrollers are not so sophisticated that they have considerable security flaws.
In theory it is a matter of writing your own TCP/IP stack that runs on a microcontroller, doing all kinds of checks. Use it as a firewall / IDS, but one does need to write code that does constant checks on everything. No naively written functions, but managed code (meaning code that checks for everything), so to say.
It will be slow if it is checking and inspecting every packet, but safe, and one needs to think of ways to circumvent the small amount of embedded flash, like using an external flash chip and extra SRAM memory.

Most older CPUs are really underpowered for any reasonable workload these days. I am not sure if this kind of (ME) vulnerability can cause problems behind a firewall (primarily with NAT protection). What about a workplace environment where there are 100+ PCs running 24x7?