Remote security exploit in all 2008+ Intel platforms

Status
Not open for further replies.
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

Basically Intel built a bug into a ton of their CPUs since around 2008 that can potentially be remotely exploited if a specific feature is turned on, and locally exploited even if the feature is turned off.

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine), not CPU firmware. If this isn't scary enough news, even if your machine doesn't have AMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn't at risk. This is somewhere between nightmarish and apocalyptic.

No mention of this being an issue for Xeons, but I would not be surprised, since a lot of the designs are similar between the Xeon and Core series.
 

Ericloewe (Server Wrangler, Moderator)
What? The ME, that huge, mysterious binary blob that hooks so deep into systems that the OS can't do anything about it can be used for nefarious purposes? Who would've guessed. /s
 

Ericloewe (Server Wrangler, Moderator)
Here's a summary:
  • To nobody's surprise, the Management Engine can be repurposed to take over any machine. This is likely doable as root from the OS (in other words, it's probably accessible to the OS and not only to the system management mode).
  • For remote stuff, sold under a number of weird and wonderful acronyms (vPro, SBA, ...), this can be done by a remote attacker without access to the actual host.
  • "Remote stuff" is likely to include IPMI, but that part is dependent on IPMI exploits to gain access to the ME - nothing particularly new there.
  • Every single Intel CPU since Nehalem is vulnerable
  • rms - crazy as he may be (especially in his Saint IGNUcious persona) is right about firmware and binary blobs. It's essentially impossible to validate the security of anything below the OS layer and that is a problem.
And here's a fun fact:
This craziness relies on an embedded microprocessor inside the CPU. For whatever reason, Intel uses an ARC core. This Argonaut RISC Core is a descendant of the SuperFX coprocessor developed by Argonaut Software for the SNES, which was used for 3D graphics, sprite scaling and rotation, as well as physics-driven sprite deformation.
 
I couldn't find any info on Supermicro's web site about this issue, so I sent an email to their support line. They stated that neither of my two boards support Intel AMT/vPro. The boards I specifically asked about were:
  • X10SL7-F, and
  • X10SRH-cF
I suggested that they add an FAQ on this issue, as I doubt I am the only one wondering about it.

I haven't been able to decipher the details of the issue or what is supported by Supermicro's boards to know whether their answer is correct or not, but I'll assume it is for now. Given that both those boards have IPMI, it is quite plausible that they haven't also supported AMT, as IPMI provides somewhat similar functionality to AMT, if I understand AMT correctly.
 

Ericloewe (Server Wrangler, Moderator)
Yeah, IPMI is basically the same thing, but for servers instead of being a very client-oriented thing.
 

Ceetan (Contributor)
They apparently released fixes for this for Windows and Linux. I find that weird though, since from what I have heard, the issue lies much deeper than software or even the OS. Does anyone know if:
1) there is anything one can do to check if one is exposed to the vulnerability.
2) there is anything that can be done to mitigate the risks, either at server level or router/network level.
 

Ericloewe (Server Wrangler, Moderator)
The real problem is the remote management thingies. If you don't have those (relatively conspicuous in the system firmware setup, I'd imagine), you're not affected to the greatest extent.
"2) if there is anything that can be done to mitigate the risks, either at server level or router/network level."
Turn them off, block the relevant ports, etc.
 
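The two questions above (how to check exposure, and what to block) can be turned into a small script. This is an added example, not code from the thread or from Intel: it probes the TCP ports the AMT/ISM/SBT remote-management listener uses and prints the port list a router or upstream firewall rule would drop. The port numbers are an assumption taken from Intel's public AMT documentation (16992/16993 for the web and WS-Management interface, 16994/16995 for redirection, 623/664 for the RMCP-style listener); the host addresses are placeholders. A closed port only says nothing is listening from the network right now; it does not tell you the ME firmware has been updated.

```python
"""Added example (not from the forum thread): probe the Intel AMT/ISM/SBT
remote-management ports on a host and summarise what is reachable.

Assumptions (not stated in the thread): the port list below is the one Intel
documents for the AMT network listener. A reachable port means the ME is
answering on the network and AMT should be disabled in firmware or the ports
filtered upstream; a closed port proves nothing about patch level.
"""
import socket
from typing import Callable, Dict, List

# Assumption: AMT/ISM/SBT listener ports per Intel's public AMT documentation.
AMT_PORTS: Dict[int, str] = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS (WS-Management over TLS)",
    16994: "AMT redirection (Serial-over-LAN / IDE-R)",
    16995: "AMT redirection over TLS",
    623: "RMCP (ASF/IPMI-style remote control)",
    664: "RMCP secure",
}


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes, i.e. something
    is listening. Any socket error (refused, timeout, unreachable) is 'not open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_amt_ports(
    host: str, connect: Callable[[str, int], bool] = tcp_connect
) -> Dict[int, bool]:
    """Probe every AMT port on host. The connector is injectable so the
    classification logic can be exercised offline with a fake."""
    return {port: connect(host, port) for port in AMT_PORTS}


def reachable_ports(results: Dict[int, bool]) -> List[int]:
    """Ports on which a listener answered, in ascending order."""
    return sorted(port for port, is_open in results.items() if is_open)


def assess(results: Dict[int, bool]) -> str:
    """One-line verdict matching the thread's question: exposed over the
    network or not, and what to do about it."""
    open_ports = reachable_ports(results)
    if not open_ports:
        return "no AMT/ISM/SBT listener reachable; the network-facing part does not apply"
    listed = ", ".join(f"{p} ({AMT_PORTS[p]})" for p in open_ports)
    return (
        f"management listener reachable on {listed}; "
        "disable AMT in firmware or filter these ports upstream"
    )


def firewall_port_list() -> str:
    """Comma-separated port list for a router/firewall rule that drops inbound
    TCP to the AMT listener (e.g. as the port argument of a multiport match)."""
    return ",".join(str(p) for p in sorted(AMT_PORTS))


if __name__ == "__main__":
    # Placeholder target: the local host. Replace with the NAS/server address
    # as seen from another machine on the LAN, since the ME answers on the
    # wire before the host OS ever sees the packet.
    target = "127.0.0.1"
    print(assess(scan_amt_ports(target)))
    print("ports to drop at the router:", firewall_port_list())
```

Run it from a second machine on the same network, not from the server itself: the AMT listener is answered by the Management Engine through the NIC, so the host OS (and its own firewall) never sees that traffic. That is also why "block the relevant ports" has to happen at the router or switch, not in the OS.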

Ceetan (Contributor)
All affected ports seem to be closed on the server, so that is at least something. Did you do anything specific to your server @Ericloewe? (We have similar hardware, so input would be appreciated.)
 

Ericloewe (Server Wrangler, Moderator)
No, it's not affected by the specific new issue.
 

Arkhen (Explorer)
I don't mean to necro (if 9 days can be considered that), but should I be worried if I have a CPU which supports vPro, a Xeon E3-1270 v5? I have the same motherboard as Ericloewe.
If yes, how do I go about fixing it? Did Supermicro address this at the BIOS level? I haven't been able to find any statements concerning this from Supermicro.

Thanks a lot in advance!
 

Ericloewe (Server Wrangler, Moderator)
It'd also need motherboard support, so it is most likely unaffected.
 

IceBoosteR (Guru)
Just for your information, if someone runs FreeNAS on a Dell T20, a BIOS fix is available and it is very easy to update the BIOS.
Also, I had never used Intel AMT and have now had a look at it. It worked like it should, but you need some extra programs for that.
Never mind, I have tried it and then disabled it, because I don't really need it and there is always a risk in using it.
 