FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Aug 2005
    Posts
    704

    Intel Management Engine exploit

    As no one else has commented on this yet, I thought I should post this heads-up.
    I have a genuine Intel Desktop board, but I am not confident that I will see a BIOS update.

    Red alert! Intel patches remote execution hole that's been hidden in biz, server chips since 2008
    http://www.theregister.co.uk/2017/05...vulnerability/

    Intel's remote AMT vulnerablity
    http://mjg59.dreamwidth.org/48429.html

    Remote security exploit in all 2008+ Intel platforms
    https://semiaccurate.com/2017/05/01/...tel-platforms/

    https://isc.sans.edu/forums/diary/Do...SA00075/22364/

    INTEL-SA-00075 Mitigation Guide
    https://downloadcenter.intel.com/download/26754
    INTEL-SA-00075 Detection Guide
    https://downloadcenter.intel.com/download/26755

  2. #2
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    5,530

    Re: Intel Management Engine exploit

    I read through those documents earlier. In summary, be aware and by all means check if you know what you are looking for. However, if your machine is not a business-orientated product with a vPro processor, don't be too concerned.

    Unless you activated AMT yourself you are not typically at risk. Also, you can block the affected ports for all traffic in any firewall program.

    The risk is greater where more than one user has access to the machine, e.g. a workplace scenario.

    Consumer hardware is not generally affected, as most do not have vPro processors or the affected chipsets.

    Exposure to the threat via Linux systems is as of yet unconfirmed in any detail, if it even exists.

  3. #3
    Join Date
    Jan 2015
    Location
    Al Ain, UAE
    Posts
    747

    Re: Intel Management Engine exploit

    Note that a software firewall program on the affected machine will not help, since the little processor gets first dibs on the data before the main processor.
    --
    Have fun!
    http://www.aeronetworks.ca

  4. #4
    Join Date
    Aug 2005
    Posts
    704

    Re: Intel Management Engine exploit

    As I understand it, the bug is in the ME firmware that runs on the ME processor and I do have that firmware.

    I have a desktop system which, ostensibly, does not have the AMT firmware. I do not know if the firmware is present but switched off and not visible to the BIOS interface or not present at all, which would be preferable.

    In principle, I should not be vulnerable and my modem/router claims to block all inbound services anyway.
    I do not want to have to go to these extremes:
    https://hardenedlinux.github.io/firm...ivybridge.html

    However, there are people who post here with Intel laptops and ThinkPads, which, if I understand correctly, will have at least local vulnerability and possibly network vulnerability, and people who run small networks and servers. I would suspect they have a problem.

    As some people commented in those links, there are many business targeted laptops in the hands of general or home users.

    The reason I posted in Wibble is that this has absolutely nothing to do with the OS.

  5. #5
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    5,530

    Re: Intel Management Engine exploit

    Mitigation steps for Windows OS 7-10
    Steps taken from the Intel-SA-00075 Mitigation Guide

    1. Open a command prompt with admin rights and check if the LMS service is installed and running

    Code:
    sc qc LMS

    If it comes back stating "the specified service does not exist as an installed service" you are not affected by this issue.

    If, however, it finds an LMS service, proceed to step 2.

    2. Disable Windows from starting and running LMS as a service

    Code:
    sc config LMS start= disabled

    3. Remove the LMS service itself

    Code:
    sc delete LMS

    4. Uninstall Intel Management Engine Components

    Do this from the Control Panel's Add/Remove programs as per normal. If prompted to reboot, do it.

    5. Check in Windows Explorer for any leftovers in the C:\Programs\Intel folder or, if your Windows is 64-bit, the C:\Programs(x86)\Intel\ folder. Any sub-directory named Intel Management Engine... should now be deleted.

    If you aren't sure of the exact location, open the file C:\Intel\Logs\AMTLog.txt and scroll towards the end to see where the LMS file was stored and supposedly removed from.

    6. You can also check in UEFI or BIOS for the ME subsystem entry. Some (not all) allow it to be disabled. It isn't recommended to just disable this without turning LMS off at service level in Windows first as it causes problems with some systems. Additionally, if the operating system service is left active then disabling ME in BIOS has no effect as it can be remotely turned back on again.

    Notes -

    Don't try the above with PowerShell in W10 as it fails to parse the sc command properly. Instead press the start button and type cmd.exe. Right-click the command prompt app and run that as admin.

    Run the command in step 1 again when you are finished to make sure there are no LMS services running. It should return the "does not exist" message.

    Step 2 for some reason didn't work in W7 on one 32-bit install. However the service was deleted successfully since it wasn't actually running.
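
A check for steps 1, 2 and 5 of the post above, for when `sc qc LMS` output has been captured to text from several machines. This is an added example, not part of the original post or of Intel's guide; the sample outputs and the `C:\ExampleDir` path are constructed, and `lms_status` is a hypothetical helper name.

```python
import ntpath
import re

# Constructed samples of `sc qc LMS` output (path and values are illustrative).
SAMPLE_ABSENT = """[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""
SAMPLE_INSTALLED = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: LMS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\ExampleDir\Intel\Intel Management Engine Components\LMS\LMS.exe"
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_DISABLED = SAMPLE_INSTALLED.replace("2   AUTO_START", "4   DISABLED")


def lms_status(sc_qc_output):
    """Classify captured `sc qc LMS` text; report where the binary lives."""
    # Error 1060 is the "does not exist as an installed service" case from
    # step 1. Match the numeric code rather than the English message text.
    if re.search(r"OpenService\s+\S+\s+1060\b", sc_qc_output):
        return {"state": "absent", "binary_dir": None}
    start = re.search(r"^\s*START_TYPE\s*:\s*(\d+)", sc_qc_output, re.M)
    if start is None:
        return {"state": "unknown", "binary_dir": None}
    binary_dir = None
    path = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+)$", sc_qc_output, re.M)
    if path:
        raw = path.group(1).strip()
        # Quoted paths may contain spaces; unquoted ones end at the first space.
        exe = raw.split('"')[1] if raw.startswith('"') else raw.split(" ")[0]
        binary_dir = ntpath.dirname(exe)  # folder to look at in step 5
    # START_TYPE 4 is DISABLED (result of step 2); anything else can still start.
    state = "disabled" if start.group(1) == "4" else "startable"
    return {"state": state, "binary_dir": binary_dir}


if __name__ == "__main__":
    for name, text in [("absent", SAMPLE_ABSENT), ("installed", SAMPLE_INSTALLED),
                       ("disabled", SAMPLE_DISABLED)]:
        print(name, lms_status(text))
```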

  6. #6
    Join Date
    Aug 2005
    Posts
    704

    Re: Intel Management Engine exploit

    If anyone is monitoring this thread, The Register has a follow-up:
    http://www.theregister.co.uk/2017/05...emote_exploit/
    and commenter gerdesj offers this from LWN:
    Intel's zero-day problem
    https://lwn.net/SubscriberLink/721586/9fc716f85d5cab39/

  7. #7
    Join Date
    Jan 2015
    Location
    Al Ain, UAE
    Posts
    747

    Re: Intel Management Engine exploit

    You can scan for vulnerable machines on your LAN like this:

    # nmap -p16992,16993,16994,16995,623,664 192.168.1.0/24

    If you have a network firewall with an ARM processor and a default DROP policy, then you will be OK against an external attack.

    Kudos if your network firewall device runs OpenBSD on ARM.
    --
    Have fun!
    http://www.aeronetworks.ca
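
A way to triage the result of the scan in the post above when auditing your own LAN and saving the output in nmap's grepable format (`-oG`). This is an added example, not part of the original post; the sample scan output, the port descriptions and the `amt_exposure` helper are constructed for illustration.

```python
import re

# Ports from the scan command above. The descriptions are added labels for
# how these ports are commonly registered, not text from the thread.
AMT_PORTS = {
    623: "ASF-RMCP / out-of-band web services (HTTP)",
    664: "secure ASF-RMCP / out-of-band web services (HTTPS)",
    16992: "AMT SOAP/web UI over HTTP",
    16993: "AMT SOAP/web UI over HTTPS",
    16994: "AMT redirection over TCP",
    16995: "AMT redirection over TLS",
}
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")

# Constructed grepable (-oG) output for three hosts; service fields left empty.
SAMPLE = "\n".join([
    "Host: 192.168.1.10 ()\tStatus: Up",
    "Host: 192.168.1.10 ()\tPorts: 623/closed/tcp/////, 664/closed/tcp/////, "
    "16992/open/tcp/////, 16993/open/tcp/////, 16994/closed/tcp/////, 16995/closed/tcp/////",
    "Host: 192.168.1.20 ()\tPorts: 623/filtered/tcp/////, 16992/filtered/tcp/////",
    "Host: 192.168.1.30 ()\tPorts: 623/closed/tcp/////, 16992/closed/tcp/////",
])


def amt_exposure(grepable_text):
    """Map host -> {'open': [...], 'filtered': [...]} for the AMT port set."""
    report = {}
    for line in grepable_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        host, ports_field = m.groups()
        seen = {"open": [], "filtered": []}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) < 2 or not fields[0].isdigit():
                continue
            port, state = int(fields[0]), fields[1]
            if port in AMT_PORTS and state in seen:
                seen[state].append(port)
        # "filtered" is inconclusive: re-check from another network position.
        if seen["open"] or seen["filtered"]:
            report[host] = seen
    return report


if __name__ == "__main__":
    for host, seen in amt_exposure(SAMPLE).items():
        print(host, [(p, AMT_PORTS[p]) for p in seen["open"]], seen["filtered"])
```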

  8. #8
    Evil_Bert is offline Retired Again - Administrator
    Join Date
    Nov 2007
    Location
    .
    Posts
    3,437

    Re: Intel Management Engine exploit

    You can turn it all off in BIOS/EFI, well, on my machines anyway, which is the first thing I did, way before the exploit was known.

    Quote Originally Posted by flyingdutchman:
    "Kudos if your network firewall device runs OpenBSD on ARM."

    Do I still get kudos if I run pfSense (FreeBSD based) on an AMD Geode?
    Marching to the beat of his own conundrum.

  9. #9
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    5,530

    Re: Intel Management Engine exploit

    Bert, it can be turned back on in UEFI with remote code execution.

    What I found this month when Windows Update ran was this. Having removed IME completely, it downloaded an old driver from 2012 for the chips even though I have download drivers from Windows Update turned off. So I re-installed the newer Intel driver provided by the hardware manufacturer and applied the same un-provision steps 1-3 above again. This time, instead of deleting the IME packages, I have just renamed LMS.EXE to disabledLMS.EXE and Windows cannot find the LMS service when running sc qc LMS.

  10. #10
    Evil_Bert is offline Retired Again - Administrator
    Join Date
    Nov 2007
    Location
    .
    Posts
    3,437

    Re: Intel Management Engine exploit

    Thanks for those tips. As it happens, I don't run Windows on those machines, and they're not internet-exposed. Besides, if someone has already achieved system-level remote code execution, I'm basically already fracked.
    Last edited by Evil_Bert; 12th May 2017 at 02:34 PM.
    Marching to the beat of his own conundrum.

  11. #11
    Join Date
    Aug 2005
    Posts
    704

    Re: Intel Management Engine exploit

    This just gets more entertaining

    Intel ME controller chip has secret kill switch
    http://www.theregister.co.uk/2017/08...n_be_disabled/
    http://blog.ptsecurity.com/2017/08/d...-intel-me.html

  12. #12
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    5,530

    Re: Intel Management Engine exploit

    From the second link:

    "Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer."

    Thanks, but no thanks...

  13. #13
    Evil_Bert is offline Retired Again - Administrator
    Join Date
    Nov 2007
    Location
    .
    Posts
    3,437

    Re: Intel Management Engine exploit

    Yet more exploits discovered in Intel's Management Engine ...

    https://www.theregister.co.uk/2017/1...irmware_flaws/
    Marching to the beat of his own conundrum.

  14. #14
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    5,530

    Re: Intel Management Engine exploit

    Oh joy...

    I can't say it wasn't entirely unexpected reading though. At first I thought they'd just republished news about the same exploit as before.

  15. #15
    Join Date
    Aug 2005
    Posts
    704

    Re: Intel Management Engine exploit

    I was just watching a video at http://armdevices.net/ with Jon Masters.
    I wonder if Cavium and Qualcomm will be rubbing their hands with glee.
