Intel AMT/ME Vulnerability widely reported


herby

Active Member
Aug 18, 2013
Good chance most folks in the forums have heard, but apparently there is a vulnerability in Intel's Management Engine found on vPro platforms.

Depending on who you read this problem is either bad, or catastrophic:
Red alert! Intel patches remote execution hole that's been hidden in biz, server chips since 2008

Remote security exploit in all 2008+ Intel platforms - SemiAccurate
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
and Intel's advisory here:
Intel® Product Security Center

Might be worth keeping an eye out for this one.
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
That just speaks of the scope of this. That's multiple generations over nearly a 9 year period.
If the source code was available (even just to trusted OEM partners) this might have been found sooner. But with the explosion of the Internet of [insecure] Things, more people are going to be examining all code more closely. Lots of stuff uses older libraries with known security problems, so simply scanning for signatures of compiled libraries may expose additional flaws.

It is possible that one result of all this stuff will be a legal requirement for updates to be made available for an extended period of time after sale of a product ceases. My guess is that if this happens, it will start in the EU. Here in the US, the smartphone you buy with a 2-year phone service contract will likely stop getting security fixes before you're out-of-contract.

This bug reminds me of the classic VNC security hole:

Bad guy: Connection, please?
VNC server: I offer the following password algorithms...
Bad guy: None of the above, thanks
VNC server: Welcome!
 

Biren78

Active Member
Jan 16, 2013
Doesn't AMT only work if it's enabled? And it's only on some Core i7 and i5 parts? And doesn't AMT usually use its own network address? I tried AMT and vPro and it had a different IP address, like IPMI when you've set a shared NIC.

I don't really get why this is so big? Like IPMI, which we all know has holes.

Where are the reports of major breaches by the security cos if this was reported years ago? How didn't anyone exploit it?

I don't think it's good, but everything we use has security flaws. yum upgrade on a weekly basis and see how many are getting security upgrades.
 

nitrobass24

Moderator
Dec 26, 2010
TX
> Doesn't AMT only work if it's enabled? And it's only on some Core i7 and i5 parts? And doesn't AMT usually use its own network address? I tried AMT and vPro and it had a different IP address, like IPMI when you've set a shared NIC.
>
> I don't really get why this is so big? Like IPMI, which we all know has holes.
>
> Where are the reports of major breaches by the security cos if this was reported years ago? How didn't anyone exploit it?
>
> I don't think it's good, but everything we use has security flaws. yum upgrade on a weekly basis and see how many are getting security upgrades.

AMT has been on parts since the Nehalem architecture, so roughly 9 years.
By default, AMT is usually enabled. You only need power and Ethernet.
Yes, it is only on certain chipsets (business-oriented chipsets); at my company everyone (30k users) has a computer with this functionality.

Happy to go into details on this if people are interested, but here is a pretty simple to understand explanation of it.
Explained — How Intel AMT Vulnerability Allows to Hack Computers Remotely
 

Biren78

Active Member
Jan 16, 2013
@nitrobass24 so how many raises, approved vacations, firings and other mass hysteria have people just about to be leaving your company sent?
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
From factory AMT is in a state called "unconfigured", which also implies that there is no IP-address configured that could be accessed. Configuration is usually done by pressing Ctrl-P when BIOS is initializing or by preparing a special USB thumb drive with a config file and booting with that or by using Intel AMT utilities in Windows.

I think this is only exploitable once you have configured AMT. Of course the Management Engine (ME) is still running in the ICH chip (ARC, SPARC or lately x86 core), but IMHO this is not exploitable. What's more, only Q- and C-chipsets usually have an AMT license, see Intel AMT versions - Wikipedia.

For those using it, it is of course a major major security flaw, because with access to e.g. the AMT web interface you can usually do all sorts of stuff like change the password, pull up keyboard video and mouse through RealVNC Viewer Plus or similar, etc.
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
> Doesn't AMT only work if it's enabled?
It depends on the system. If (for example) you order a few hundred OptiPlex systems from Dell (as many large companies do) you can get it preconfigured however you like, along with your custom OS image and whatever else you want.
> And it's only on some Core i7 and i5 parts?
Nope. My OptiPlex 755 and 960 have it and they're Core 2 parts (Q6600 / Q9650). From one of my systems' build sheets:
Code:
1 310-9494 iAMT Advanced Hardware Enabled Systems Management, Dell OptiPlex $0.00
> And doesn't AMT usually use its own network address? I tried AMT and vPro and it had a different IP address, like IPMI when you've set a shared NIC.
It depends on how it is configured. It can use the same IP as the host operating system, since it pulls packets directly from the LAN controller if they are for ports it listens on. I believe that at least some versions also do DHCP, or at least sniff the DHCP lease when it comes in.
> I don't really get why this is so big? Like IPMI, which we all know has holes.
IPMI usually has hardware the user/admin can configure. And it often uses a dedicated LAN port so it is easier to segment IPMI traffic.
> Where are the reports of major breaches by the security cos if this was reported years ago? How didn't anyone exploit it?
Why do you think anyone exploiting it for the past 9 years would be bragging about it? Maybe it was one of the things in the NSA's bag of tricks that wasn't disclosed yet.
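The two replies above make a practical point for anyone inventorying their fleet: a provisioned AMT instance answers on the host's own IP address (Terry Kennedy), while an unconfigured one has no address and answers nothing (Stephan). So the way to find out whether a machine is exposed is to probe the host address itself on the ports the AMT firmware claims, and read the embedded web server's Server header. The script below is an added example written for this editing pass, not code from the thread, Intel, or the linked articles. It assumes the AMT port list as published in Intel's documentation, treats the Server header format ("Intel(R) Active Management Technology <version>") and the TLS port set as assumptions, and embeds constructed HTTP responses so the fingerprinting can be exercised offline. It sends one unauthenticated GET per port and never attempts to log in.

```python
"""Inventory check for reachable Intel AMT services on a host.

Probes the TCP ports the AMT firmware intercepts on the shared LAN controller
and fingerprints the embedded web server from its HTTP Server header. Sends a
single unauthenticated GET per port; no credentials, no bypass attempt.
"""
import re
import socket
import ssl
import sys

# Ports AMT claims on the NIC (host OS never sees this traffic). Taken from
# Intel's AMT documentation; re-check against the version you run.
AMT_PORTS = {
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (HTTPS)",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection (SOL / IDE-R over TLS)",
    623:   "ASF-RMCP",
    664:   "ASF-RMCP secure",
}
TLS_PORTS = {16993, 16995, 664}  # assumption: these carry TLS on AMT

# Assumption: AMT's web server identifies itself like this in every response.
AMT_SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]*)")
REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)

# Constructed sample responses for offline testing (not captured from a real host).
SAMPLE_AMT = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 9.1.30\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="constructed", stale="false", qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Length: 0\r\n\r\n"


def parse_amt_banner(raw: bytes):
    """Return a fingerprint dict if the response came from AMT's embedded web
    server, otherwise None (non-AMT server, non-HTTP data, empty input)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split()[1])
    except (IndexError, ValueError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    match = AMT_SERVER_RE.search(headers.get("server", ""))
    if not match:
        return None
    realm = REALM_RE.search(headers.get("www-authenticate", ""))
    return {
        "status": status,
        "version": match.group(1) or "unknown",
        "realm": realm.group(1) if realm else None,
        # A Digest challenge on the management page means the interface is
        # provisioned and reachable from where you are scanning.
        "auth_required": status == 401,
    }


def probe_port(host: str, port: int, timeout: float = 3.0):
    """Return (is_open, raw_response). Redirection ports do not speak HTTP,
    so an open port with no response is reported as open with None."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False, None
    try:
        if port in TLS_PORTS:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # AMT ships a self-signed cert;
            ctx.verify_mode = ssl.CERT_NONE     # we only want the banner.
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
                     f"Connection: close\r\n\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        return True, b"".join(chunks) or None
    except OSError:                             # includes ssl.SSLError, timeout
        return True, None
    finally:
        sock.close()


def scan_host(host: str, ports=AMT_PORTS, timeout: float = 3.0):
    """Probe every AMT port on one host; return a list of open-port reports."""
    report = []
    for port, role in ports.items():
        is_open, raw = probe_port(host, port, timeout)
        if is_open:
            report.append({"port": port, "role": role,
                           "amt": parse_amt_banner(raw) if raw else None})
    return report


if __name__ == "__main__":
    for target in sys.argv[1:]:
        findings = scan_host(target)
        if not findings:
            print(f"{target}: no AMT ports open (unprovisioned, filtered, or no AMT)")
        for f in findings:
            print(f"{target}:{f['port']} open  {f['role']}  {f['amt'] or 'no HTTP banner'}")
```

Run it against the host's normal IP address (the one the OS uses), not a separate management address, since that is where a shared-NIC AMT instance listens. A hit on 16992/16993 with a Digest challenge means the interface is provisioned and reachable from your scanning position; compare the reported firmware version against Intel's advisory linked at the top of the thread rather than hardcoding version ranges in the script, and treat "open but no HTTP banner" on the redirection ports as equally worth following up.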