Jan Marco, you write:
On the one hand. On the other hand, what ‘large companies’ with ‘corporate power’ can have at their disposal …
‘Umbrella marketing term’, “vPro inside”, no Dutch description on Wikipedia:
Intel - Active Management Technology
Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.
Properly secured, yes:
Security
Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.
Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.
Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.
Properly secured, no:
Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date by the operating system’s normal update mechanism. Security defects in the AMT software can therefore be particularly severe, as they will remain long after they have been discovered and become known to potential attackers.
In 2017, Intel confirmed that certain Intel computers have had a critical privilege escalation vulnerability (CVE-2017-5689).
The vulnerability, which was nicknamed “Silent Bob is Silent” by the researchers who had reported it to Intel, affects numerous laptops, desktops and servers sold by Dell, Hewlett-Packard, Intel, Lenovo, and possibly other manufacturers as well.
The vulnerability was described as giving remote attackers:
Full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data.
Wikipedia first had “for 9 years already”, but has now changed that, and other websites such as Ars Technica too:
Intel patches remote code-execution bug that lurked in CPUs for 10 years
Flaw in remote management feature gives attackers a way to breach networks.
Not since 2008 but 2010:
Intel patches remote hijacking vulnerability that lurked in chips for 7 years
Flaw in remote management feature gives attackers a way to breach networks.
Someone at Slashdot calls it a matryoshka, a wooden doll that can be unscrewed with another doll inside:
Intel’s remote AMT vulnerability
Intel chipsets for some years have included a Management Engine, a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT is another piece of software running on the ME, albeit one that takes advantage of a wide range of ME features.
When AMT is enabled, any packets sent to the machine’s wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console. Access to AMT requires a password - the implication of this vulnerability is that that password can be bypassed.
If your gear is delivered like that, in the worst case you can simply get in with “admin” and “P@ssw0rd”, Intel itself claims:
Local access to the Intel AMT Web UI
Example: http://192.168.0.100:16992
And otherwise, according to the discoverers of this possible, and by then years-old, “hardware backdoor”:
Reverse-engineering the firmware
The part where the call to strncmp() occurs seems most interesting here:
if(strncmp(computed_response, user_response, response_length))
exit(0x99);
The value of the computed response, which is the first argument, is being tested against the one that is provided by the user, which is the second argument, while the third argument is the length of the response. It seems quite obvious that the third argument of strncmp() should be the length of computed_response, but the address of the stack variable response_length, from where the length is to be loaded, actually points to the length of the user_response!
Given an empty string the strncmp() evaluates to zero, thus accepting an invalid response as a valid one.
No doubt it’s just a programmer’s mistake, but here it is: keep silence when challenged and you’re in.
“Meet Intel’s hardware backdoor”, except that its watertightness had already been doubted earlier, in 2010:
Free hardware rootkit
The Intel AMT platform can provide the basis for secretly operating a platform’s hardware based on a backdoor, since it’s included in a prominent fraction of PCs (desktop and notebooks), servers, POS, embedded systems and even ATMs.
By design the AMT architecture uses a separate OOB channel independent of any network traffic transmitted to and from the other parts of the computer. Therefore this interface provides a covert communication channel that introduces a set of issues: allowing malicious parties to perform surveillance, to monitor, to carry out espionage, and fully control a system.
Malicious parties include government agencies, individual attackers, and industries. A catalytic factor for this powerful backdoor arises from the functionality of AMT architecture that was designed to operate and perform remote management, even though the system is turned off.
And a ‘responsible disclosure’ was postponed until early May:
The Intel AMT vulnerability was detected in mid-February of this year, feared releasing the details before it was fixed would spark attacks on Intel AMT business users …
Still, some activity earlier already:
And now? In any case, Intel says, only “business” machines and servers:
This vulnerability does not exist on Intel-based consumer PC
But PhD (?) Vassilios Ververis on this again in 2010:
Customers and end users lack knowledge of this backdoor (i.e. AMT) when they buy a PC that includes the AMT platform. This can potentially lead to havoc should there be a well publicized attack that would make them concerned about their privacy and ability to control their own computers.
Since AMT is enabled by default in many computers and the end user often lacks technical expertise this leads to unexpected vulnerabilities for the user.
Unfortunately today AMT is shipped on “home” PCs and as we previously discussed the insecurities of this embedded device are scary, especially as IT administrators, end customers of PCs, notebooks, and servers are unfamiliar with this technology, thus malicious persons could remotely manipulate these systems.
Do I have that:
How To Find Intel vPro Systems
Listed below are four different methods to help detect Intel vPro Technology systems and the Intel AMT firmware versions. You may need to try several methods to identify all the Intel vPro systems. After you have identified a PC as Intel vPro capable using one method you do not need to test it using the other methods.
Sneakers:
Method 1: Walk around and look for the Intel® vPro™ badge
The simplest approach to finding most of the Intel vPro Technology systems is to look for the Intel® vPro™ badge. This method works best when you have a small number of systems and you can easily inspect each one.
If so, test:
INTEL-SA-00075 Detection Guide - Available Downloads
The INTEL-SA-00075 Discovery Tool can be used by local users or an IT administrator to determine whether a system is vulnerable to the exploit documented in Intel Security Advisory INTEL-SA-00075.
It is offered in two versions. The first is an interactive GUI tool that, when run, discovers the hardware and software details of the device and provides indication of risk assessment. This version is recommended when local evaluation of the system is desired.
The second version of the Discovery Tool is a console executable that saves the discovery information to the Windows* registry and/or to an XML file. This version is more convenient for IT administrators wishing to perform bulk discovery across multiple machines to find systems to target for firmware updates or to implement mitigations.
Remedy:
How to mitigate the Intel escalation of privilege vulnerability
There are two ways to fix the issue “properly”:
- upgrade the firmware, once your system’s manufacturer provides an update (if ever);
- avoid using the network port providing AMT, if possible (many AMT workstations, such as C226 Xeon E3 systems with i210 network ports, have only one AMT-capable network interface — the rest are safe; note that AMT can work over wi-fi, so that mitigation isn’t necessarily available for laptops).
If neither of these options is available, you’re in mitigation territory. If your AMT-capable system has never been provisioned for AMT, then you’re reasonably safe; enabling AMT in that case can apparently only be done locally, and as far as I can tell requires using your system’s firmware or Windows software. If AMT is enabled, you can reboot and use the firmware to disable it (press Ctrl-P when the AMT message is displayed during boot).
OK, it was already switched off. Yet another .NET thing to do one more round of checking:
IntelAMTDetector Version [1.0.0.11]
Starting detection on machine [127.0.0.1]
Checking if Intel AMT available on this system? [Available!]
AMT Version : [Version [9:1] State [Pre Factory Setup Mode]]
Communicating with AMT... {Skipping as not enabled/available}
Checking if Intel Management Engine Components running:-
Intel LMS (Local Management Service) : [Not Found]
MicroLMS (Intel Mesh Service) : [Not Found]
Recommended Actions:-
>> AMT is available on this system, but has not been configured/enabled,
no action required.
Press any key to exit...
Optionally also scan if such a service is running:
Checking if Intel Management Engine Components running:-
Intel LMS (Local Management Service) : [ Installed, State: [Running] ]
Port (16992, Closed)
Port (16993, Closed)
Port (16994, Closed)
Port (16995, Closed)
Port (623, Closed)
Port (664, Closed)
For the die-hards among us - JM, I believe you are being called - leave it on and create a truly publicly accessible network:
Intel® Mesh Networking Tools
A generic peer-to-peer mesh networking project. It’s a small piece of software that, when installed on many computers, forms a mesh of computers with each one monitoring the others and propagating information about nodes efficiently.
This project is open source under the Apache 2.0 license. The mesh agent software is entirely written in C with supporting control applications in C#. The agent and control applications run on Windows and Linux, 32/64bit, IPv4 & IPv6.
MONO is required to run the control applications on Linux. These mesh tools can optionally be used along with our experimental cloud server at meshcentral.com.
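The strncmp() length mistake quoted above from the firmware write-up, as an added example that is not the page's or Intel's own code: the vulnerable check beside a corrected one, with the function names and the digest value constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Intel firmware code. Models the response check the
 * write-up above describes; function names and the digest are constructed. */

/* Vulnerable pattern: the compare length is taken from the user's response
 * instead of the expected one, so an empty (or prefix-only) response passes.
 * Returns 1 when access would be granted. */
int check_response_vulnerable(const char *computed_response,
                              const char *user_response)
{
    size_t response_length = strlen(user_response); /* wrong length source */
    if (strncmp(computed_response, user_response, response_length))
        return 0; /* the firmware's exit(0x99) path */
    return 1;     /* strncmp(..., 0) is always 0: empty response accepted */
}

/* Byte-wise compare without an early exit, so timing does not reveal
 * how many leading bytes of the digest matched. */
static int equal_consttime(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Corrected pattern: require a non-empty expected value and an exact
 * length match before comparing all expected bytes. */
int check_response_fixed(const char *computed_response,
                         const char *user_response)
{
    size_t expected_length = strlen(computed_response);
    if (expected_length == 0 || strlen(user_response) != expected_length)
        return 0;
    return equal_consttime(computed_response, user_response, expected_length);
}

int main(void)
{
    const char *expected = "0123456789abcdef0123456789abcdef"; /* constructed */
    printf("vulnerable, empty response : %d\n", check_response_vulnerable(expected, ""));
    printf("fixed, empty response      : %d\n", check_response_fixed(expected, ""));
    printf("fixed, correct response    : %d\n", check_response_fixed(expected, expected));
    return 0;
}
```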