Fedora Linux Support Community & Resources Center
  #1  
Old 2nd May 2017, 04:40 PM
kldixon Offline
Registered User
 
Join Date: Aug 2005
Posts: 637
Intel Management Engine exploit

As no one else has commented on this yet, I thought I should post this heads-up.
I have a genuine Intel Desktop board, but I am not confident that I will see a BIOS update.

Red alert! Intel patches remote execution hole that's been hidden in biz, server chips since 2008
http://www.theregister.co.uk/2017/05...vulnerability/

Intel's remote AMT vulnerability
http://mjg59.dreamwidth.org/48429.html

Remote security exploit in all 2008+ Intel platforms
https://semiaccurate.com/2017/05/01/...tel-platforms/

https://isc.sans.edu/forums/diary/Do...SA00075/22364/

INTEL-SA-00075 Mitigation Guide
https://downloadcenter.intel.com/download/26754
INTEL-SA-00075 Detection Guide
https://downloadcenter.intel.com/download/26755
  #2  
Old 2nd May 2017, 09:29 PM
antikythera Offline
Administrator
 
Join Date: Dec 2013
Location: United Kingdom
Posts: 4,307
Re: Intel Management Engine exploit

I read through those documents earlier. In summary, be aware and by all means check if you know what you are looking for. However, if your machine is not a business-orientated product with a vPro processor, don't be too concerned.

Unless you activated AMT yourself you are not typically at risk; also, you can block the affected ports for all traffic in any firewall program.

The risk is greater where more than one user has access to the machine, e.g. a workplace scenario.

Consumer hardware is not generally affected, as most do not have vPro processors or the affected chipsets.

Exposure to the threat via Linux systems is as yet unconfirmed in any detail, if it even exists.
__________________
Latest survey shows that 3 out of 4 people make up 75% of the world's population - Stephen Hawking
Download, Install and Share Fedora
- Official ISO Torrents
| Live ISO Respins containing post-release updates
  #3  
Old 3rd May 2017, 03:57 AM
flyingdutchman Offline
Registered User
 
Join Date: Jan 2015
Location: Al Ain, UAE
Posts: 635
Re: Intel Management Engine exploit

Note that a software firewall program on the affected machine will not help, since the little processor gets first dibs on the data before the main processor.
__________________
--
Have fun!
http://www.aeronetworks.ca
  #4  
Old 3rd May 2017, 09:47 AM
kldixon Offline
Registered User
 
Join Date: Aug 2005
Posts: 637
Re: Intel Management Engine exploit

As I understand it, the bug is in the ME firmware that runs on the ME processor and I do have that firmware.

I have a desktop system which, ostensibly, does not have the AMT firmware. I do not know if the firmware is present but switched off and not visible to the BIOS interface or not present at all, which would be preferable.

In principle, I should not be vulnerable and my modem/router claims to block all inbound services anyway.
I do not want to have to go to these extremes:
https://hardenedlinux.github.io/firm...ivybridge.html

However, there are people who post here with Intel laptops and ThinkPads, which, if I understand correctly, will have, at least, local vulnerability and possibly network vulnerability, and people who run small networks and servers. I would suspect they have a problem.

As some people commented in those links, there are many business targeted laptops in the hands of general or home users.

The reason I posted in Wibble is that this has absolutely nothing to do with the OS.
  #5  
Old 3rd May 2017, 10:27 PM
antikythera Offline
Administrator
 
Join Date: Dec 2013
Location: United Kingdom
Posts: 4,307
Re: Intel Management Engine exploit

Mitigation steps for Windows OS 7-10
Steps taken from the Intel-SA-00075 Mitigation Guide

1. Open a command prompt with admin rights and check if the LMS service is installed and running

Code:
    sc qc LMS

If it comes back stating "the specified service does not exist as an installed service", you are not affected by this issue.

If, however, it finds an LMS service, proceed to step 2.

2. Disable Windows from starting and running LMS as a service

Code:
    sc config LMS start= disabled

3. Remove the LMS service itself

Code:
    sc delete LMS

4. Uninstall Intel Management Engine Components

Do this from the Control Panel's Add/Remove Programs as per normal. If prompted to reboot, do it.

5. Check in Windows Explorer for any leftovers in the C:\Programs\Intel or, if your Windows is 64-bit, the C:\Programs(x86)\Intel\ folder. Any sub-directory named Intel Management Engine... should now be deleted.

If you aren't sure of the exact location, open the file C:\Intel\Logs\AMTLog.txt and scroll towards the end to see where the LMS file was stored and supposedly removed from.

6. You can also check in UEFI or BIOS for the ME subsystem entry. Some (not all) allow it to be disabled. It isn't recommended to just disable this without turning LMS off at service level in Windows first, as it causes problems with some systems. Additionally, if the operating system service is left active then disabling ME in BIOS has no effect, as it can be remotely turned back on again.

Notes -

Don't try the above with PowerShell in W10 as it fails to parse the sc command properly. Instead, press the Start button and type cmd.exe, then right-click the Command Prompt app and run it as admin.

Run the command in step 1 again when you are finished to make sure there are no LMS services running. It should return the "does not exist" message.

Step 2 for some reason didn't work in W7 on one 32-bit install. However, the service was deleted successfully since it wasn't actually running.
__________________
Latest survey shows that 3 out of 4 people make up 75% of the world's population - Stephen Hawking
Download, Install and Share Fedora
- Official ISO Torrents
| Live ISO Respins containing post-release updates
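An added example (not from the post's author or from Intel's guide) that automates the step 1 check and the final re-check above: it parses what sc.exe prints for the LMS service so the "disabled" or "does not exist" state can be verified on many machines. It assumes the English messages sc.exe prints on Windows 7-10; the two output samples are constructed. It calls sc.exe with its .exe suffix, because in Windows PowerShell the bare name sc is an alias for Set-Content.

```python
"""Verify the LMS un-provisioning steps by parsing ``sc.exe qc LMS`` output.
Added example, not the poster's code; sample outputs are constructed."""
import re
import subprocess

# Constructed sample of ``sc qc LMS`` while the service is still installed.
SAMPLE_PRESENT = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: LMS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"
        DISPLAY_NAME       : Intel(R) Management and Security Application Local Management Service
"""
# Constructed sample after ``sc delete LMS`` (Win32 error 1060).
SAMPLE_ABSENT = """[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""


def parse_sc_qc(text):
    """Return {'installed': bool, 'start_type': str|None, 'binary': str|None}."""
    if "does not exist as an installed service" in text or "FAILED 1060" in text:
        return {"installed": False, "start_type": None, "binary": None}
    start = re.search(r"START_TYPE\s*:\s*\d+\s+(\S+)", text)
    binary = re.search(r'BINARY_PATH_NAME\s*:\s*"?([^"\n]+)"?', text)
    return {"installed": True,
            "start_type": start.group(1) if start else None,
            "binary": binary.group(1).strip() if binary else None}


def mitigation_complete(text):
    """True only when LMS is gone, i.e. what step 1 should show after step 3."""
    return not parse_sc_qc(text)["installed"]


def check_live():
    """Query the local Windows host. Uses sc.exe explicitly so it also works
    from PowerShell, where ``sc`` alone resolves to the Set-Content alias."""
    out = subprocess.run(["sc.exe", "qc", "LMS"], capture_output=True, text=True)
    return parse_sc_qc(out.stdout + out.stderr)


if __name__ == "__main__":
    print(check_live())
```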
  #6  
Old 6th May 2017, 02:04 PM
kldixon Offline
Registered User
 
Join Date: Aug 2005
Posts: 637
Re: Intel Management Engine exploit

If anyone is monitoring this thread, The Register has a follow-up:
http://www.theregister.co.uk/2017/05...emote_exploit/
and commenter gerdesj offers this from LWN:
Intel's zero-day problem
https://lwn.net/SubscriberLink/721586/9fc716f85d5cab39/
  #7  
Old 6th May 2017, 02:19 PM
flyingdutchman Offline
Registered User
 
Join Date: Jan 2015
Location: Al Ain, UAE
Posts: 635
Re: Intel Management Engine exploit

You can scan for vulnerable machines on your LAN like this:

# nmap -p16992,16993,16994,16995,623,664 192.168.1.0/24

If you have a network firewall with an ARM processor and a default DROP policy, then you will be OK against an external attack.

Kudos if your network firewall device runs OpenBSD on ARM.
__________________
--
Have fun!
http://www.aeronetworks.ca
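An added example (not the poster's) for turning the nmap scan above into an inventory of your own hosts that expose the AMT/ME ports: it parses nmap's grepable output (run the same scan with -oG amt.gnmap) and lists only hosts with one of those ports open. The gnmap sample is constructed; the port labels are assumptions based on the AMT port list in the post.

```python
"""List hosts whose AMT/ME ports answer, from nmap -oG output.
Added example, not the poster's code; SAMPLE_GNMAP is constructed."""
import re

# Labels are assumptions for readability; the port list is the one in the post.
AMT_PORTS = {16992: "AMT HTTP", 16993: "AMT HTTPS", 16994: "AMT redirection",
             16995: "AMT redirection TLS", 623: "ASF/RMCP", 664: "ASF/RMCP secure"}

# Constructed -oG output: a box with nothing open, a vPro box with AMT up,
# and a host that is down. Fields in -oG are tab separated.
SAMPLE_GNMAP = """# Nmap 7.40 scan initiated (constructed sample)
Host: 192.168.1.10 (desk01)\tStatus: Up
Host: 192.168.1.10 (desk01)\tPorts: 623/closed/tcp//asf-rmcp///, 16992/closed/tcp//amt-soap-http///\tIgnored State: filtered (4)
Host: 192.168.1.20 (vpro01)\tStatus: Up
Host: 192.168.1.20 (vpro01)\tPorts: 623/open/tcp//asf-rmcp///, 16992/open/tcp//amt-soap-http///, 16993/open/tcp//amt-soap-https///\tIgnored State: closed (3)
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done (constructed sample)
"""


def parse_gnmap(text):
    """Return {ip: [open AMT port numbers]} for hosts with at least one open."""
    exposed = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State.*)?$", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, ports_field = m.group(1), m.group(3)
        open_ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version
            port, state = int(fields[0]), fields[1]
            if state == "open" and port in AMT_PORTS:
                open_ports.append(port)
        if open_ports:
            exposed[ip] = sorted(open_ports)
    return exposed


def report(text):
    """One line per exposed host, naming the ports so they can be followed up."""
    lines = []
    for ip, ports in parse_gnmap(text).items():
        names = ", ".join(f"{p} ({AMT_PORTS[p]})" for p in ports)
        lines.append(f"{ip}: AMT/ME ports reachable: {names}; check provisioning, "
                     "ME firmware version and firewall rules")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GNMAP)) or "no hosts expose AMT/ME ports")
```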
  #8  
Old 11th May 2017, 10:04 AM
Evil_Bert Offline
Retired Again - Administrator
 
Join Date: Nov 2007
Location: .
Posts: 3,404
Re: Intel Management Engine exploit

You can turn it all off in BIOS/EFI, well, on my machines anyway, which is the first thing I did, way before the exploit was known.

Quote (originally posted by flyingdutchman):
Kudos if your network firewall device runs OpenBSD on ARM.
Do I still get kudos if I run pfSense (FreeBSD based) on an AMD Geode?
__________________
Marching to the beat of his own conundrum.
  #9  
Old 11th May 2017, 10:24 AM
antikythera Offline
Administrator
 
Join Date: Dec 2013
Location: United Kingdom
Posts: 4,307
Re: Intel Management Engine exploit

Bert, it can be turned back on in UEFI with remote code execution.

What I found this month when Windows Update ran was this. Having removed IME completely, it downloaded an old driver from 2012 for the chips even though I have download drivers from Windows Update turned off. So I re-installed the newer Intel driver provided by the hardware manufacturer and applied the same un-provision steps 1-3 above again. This time, instead of deleting the IME packages, I have just renamed LMS.EXE to disabledLMS.EXE, and Windows cannot find the LMS service when running sc qc LMS.
__________________
Latest survey shows that 3 out of 4 people make up 75% of the world's population - Stephen Hawking
Download, Install and Share Fedora
- Official ISO Torrents
| Live ISO Respins containing post-release updates
  #10  
Old 12th May 2017, 10:12 AM
Evil_Bert Offline
Retired Again - Administrator
 
Join Date: Nov 2007
Location: .
Posts: 3,404
Re: Intel Management Engine exploit

Thanks for those tips. As it happens, I don't run Windows on those machines, and they're not internet-exposed. Besides, if someone has already achieved system-level remote code execution, I'm basically already fracked.
__________________
Marching to the beat of his own conundrum.

Last edited by Evil_Bert; 12th May 2017 at 02:34 PM.