Remote security exploit in all 2008+ Intel platforms

[dark_moon]

We all know Intel ME is a big risk, but it is even worse:
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole.

https://semiaccurate.com/2017/05/01/rem ... platforms/

Are you affected?

[wyMnNHXB]

This article is strange - all "WE KNEW WE WARNED IT IS HAPPENING" and no details except basic ME descriptions from Wikipedia.

[Fedor2]

There is exploid indeed, and intel confirmed it too.
But what about that article pursue, to hype and scare people nothing else.

Is if only a one user here who using that intel technology?

[LimboSlam]

Pretty sure my Intel Celeron features this exploit as well.

[Moonchild]

This vulnerability does not exist on Intel-based consumer PCs.

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).

An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs

In short: This applies only to provisioned PCs with specific management features enabled in the hardware. Specifically, these are the vPro processors that have been provisioned with the tech enabled already.
https://communities.intel.com/docs/DOC-5693
If you don't have this, then you're not vulnerable.
Even if you do, you're not vulnerable over the network unless this has specifically been enabled and has been exploited by either the provisioner or an attacker with physical access to your PC.

Steps to check and resolve are in intel's advisory:
https://security-center.intel.com/advis ... geid=en-fr

[Moonchild]

Pretty sure my Intel Celeron features this exploit as well.

Pretty sure it doesn't. Is your Celeron a consumer PC? then no. Is it a vPro CPU? No? then you're not vulnerable. Yes? Then you're only vulnerable if your non-consumer PC came provisioned with remote management features enabled (which requires both setup and activation) AND you have a vulnerable firmware.

[LimboSlam]

Well, my donated desktop is not a consumer PC. It was originally used in a business/corporate office. However, the remote management features have been disabled. And the firmware is about 8-10 years old. It's running Windows 7 SP1 x64.

Anyway, I talked to my bro who gave it to me and he says I not to worry about it. Also, I might just get refurbish and resell it.

[dark_moon]

The Intel remote vulnerability is much, much worse than you thought
https://www.privateinternetaccess.com/b ... e-thought/

In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged access to the entire server memory.

[Tomaso]

Well, that Vulnerability Discovery Tool didn't do me much good, as it obviously requires Intel's ME drivers to be installed, in order to work:



I've never installed that stuff, as I don't have any use for it.
In fact, I've always had the ME feature disabled on a user level in Device Manager, where it's called something as cryptic as "PCI Simple Communications Controller".

Anyway, if the security advisories issued by Intel indeed are correct, I guess I'm in the clear.

[satrow]

Your CPU has no vPro capability according to Intel: http://ark.intel.com/products/77779/Int ... o-4_00-GHz

What 'board is it on?

EDIT: this results page should list all Intel CPUs with vPro: http://ark.intel.com/products/77779/Int ... o-4_00-GHz

[Tomaso]

What 'board is it on?

The motherboard is a 'Asus Rampage IV Black Edition'.
It uses the Intel X79 chipset, which also lacks vPro support.

[satrow]

You should therefore be quite safe but check for and uninstall the AMT software and uninstall any Intel Management drivers from Device Manager - System devices should you wish to keep squeaky clean.

Tool on Majorgeeks to disable/clean out the AMT driver: http://www.majorgeeks.com/files/details ... l_amt.html

[Tomaso]

check for and uninstall the AMT software and uninstall any Intel Management drivers from Device Manager

Like I pointed out in my post with the screenshot; I've never installed any of that crap.
I've always had it disabled in Device Manager too.

[satrow]

Uninstall it from Device manager, cleaner, no reboot needed (if you're referring to the ME).

[Tomaso]

Uninstall it from Device manager, cleaner, no reboot needed (if you're referring to the ME).

Whatever you uninstall from Device Manager will simply be re-detected at next boot up.
You need to disable it!

[satrow]

On uninstall via DevMan, you should get a popup asking if you also want to delete the drivers, do so and it won't install again (in this instance, it shouldn't even leave an ! over the unknown device, it won't exist).