      • 15. Re: Intel-SA-00086
        N.Scott.Pearson

        Update: another Intel Management Engine (ME) vulnerability, specific to Intel Active Management Technology (AMT), was reported today...


        This vulnerability exists because of the way that the ME BIOS Extension (MEBx) is invoked by the BIOS. In a physical access scenario, it will allow someone access to the ME configuration regardless of BIOS password. If the password for AMT has not been changed by the system owner (or their IT department), then an attacker could take over control of AMT, set it up for remote access and then change the password (locking out the owner). The attacker would then remotely access the machine and have access to anything they want (the ultimate leaky machine).


        The fix for this issue is to implement support, within the BIOS, so that MEBx cannot be invoked unless the BIOS Administrative password is provided.


        All users who have vPro-enabled PCs should (1) ensure that they set the AMT Password and (2) ensure that they set a BIOS Administrative Password. Having the AMT password set will protect against this vulnerability until a BIOS update delivers a fix for this vulnerability.


        For vPro-enabled systems, when you combine the original AMT vulnerabilities (INTEL-SA-00075, announced back in May) with INTEL-SA-00086 (ME vulnerabilities announced back in November), INTEL-SA-00088 (Meltdown and Spectre) and this new vulnerability, the only way that they can all be completely addressed is via a BIOS that delivers a fix for this vulnerability, the appropriate microcode update (for INTEL-SA-00088) and updated ME firmware (for INTEL-SA-00086).


        For non-vPro systems, which are not affected by INTEL-SA-00075 nor by this new vulnerability, you *still* need a BIOS update that delivers the appropriate microcode update (for INTEL-SA-00088) and updated ME firmware (for INTEL-SA-00086).


        Folks have asked about disabling the ME. The ME cannot be completely disabled because part of its functionality is processor initialization. It can be stopped from running after this initialization is complete, however. Intel has warned that, because the ME vulnerabilities are present in the processor initialization functionality, disabling the ME does not alleviate the need for the ME firmware fixes for INTEL-SA-00086; you are thus going to need an updated BIOS providing the updated firmware no matter what. Intel has also warned that, depending upon the method used, this can be a permanent operation. Cleanly disabling the ME is only possible if the BIOS actually provides support for doing exactly this. For folks interested in this capability, you will most likely need an updated BIOS to get this capability (unless support for the HAP program already exists in the BIOS; see here for more information). If you have this capability and you disable the ME, all included and dependent technologies (there is a long list) will also be disabled.


        Hope this explains things fully. It is becoming a dizzying nightmare...

        ...S

        • 16. Re: Intel-SA-00086
          wpshooter

          Scott:

          I am not exactly understanding the inclusion of the below statement in the article in the link that you posted.

          Update - Intel has told ZDNet: "Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology."

          Am I misunderstanding all this, or is IME combined with AMT exactly the thing that the above statement claims they (Intel) won't do? Are they saying that because they are providing the technology to computer manufacturers who are then IMPLEMENTING it?

          Thanks.

          • 17. Re: Intel-SA-00086
            wpshooter

            "It is becoming a dizzying nightmare..."

            As my dear departed dad used to say, that hit the nail right on the head.

            It has for a long time become my personal opinion that anyone who uses any electronic device for doing anything that might be of a confidential nature is a #$)#(@(@ fool!!!

            • 18. Re: Intel-SA-00086
              wpshooter

              Scott:

              Is there a possibility that there may ALREADY be some "parameter" within the extended BIOS settings of my computer which would accomplish the "reserve_hap" flag setting, thus disabling ME?

              The reason I ask is because when I disabled the Intel ME control state parameter, then when the computer rebooted the function which controls the fan speed, etc. was no longer working, i.e. the fan was on full speed, which made the machine much louder than normal (there is a parameter related to this in my extended BIOS).

              I ask this even though the description of the ME control state parameter in the writeup I found on the Internet suggests that changing that parameter does NOT actually disable the IME.

              Thanks.

              • 19. Re: Intel-SA-00086
                N.Scott.Pearson

                These idiots are screaming for more transparency. Intel will not give them that under any circumstances; it is against Intel policies to do so. The ME (and AMT) are closed systems for a darned good reason: security requires it. They say how can Intel be trusted if they cannot look at the code? Well, Intel regularly has the code properly audited by external agencies. Intel tightly controls who it is that performs these audits because this is the way it has to be if security is to be kept. In addition to this being so critical to security, it is also important to Intel because the ME is IP. They are going to naturally want to minimize the people seeing the code. IMHO, those that are screaming the loudest are the ones that are not knowledgeable enough (or disciplined enough) about security practices to ever be considered for access to the source.


                It is unfortunate that these vulnerabilities exist and that there are ways for these vulnerabilities to be exploited to open back doors. This certainly wasn't on purpose. The right answer is to close the vulnerabilities, not overreact and do something stupid like disable the ME. Actually, the better right answer is to not create these vulnerabilities in the first place, but Intel missed the boat on that. Oops, there I go being unfair in retrospect in my retirement. The fact is, for a number of years I was part of the teams working on the ME (I owned Intel Quiet System Technology (QST)), I took part in many security reviews and I missed these vulnerabilities just like the rest of them did, so shame on me too.


                ...S

                • 20. Re: Intel-SA-00086
                  N.Scott.Pearson

                  Is there a chance you have a system with HAP support in the BIOS? Yeah, it's possible, but I don't know enough about it to be able to tell you how.

                  ...S

                  • 21. Re: Intel-SA-00086
                    N.Scott.Pearson

                    Wait a minute. You lost FSC? How old is your system? They kicked QST out of the ME after the 5 Series chipset. If your system is that old, I would be more inclined to doubt that there is any chance of support for HAP being present.

                    ...S

                    • 22. Re: Intel-SA-00086
                      wpshooter

                      Yes, my system IS old, but it does everything that I need it to do very well.

                      Do you have any idea as to what or how the HAP parameter/feature would be named in the extended BIOS?

                      Thanks.

                      • 23. Re: Intel-SA-00086
                        N.Scott.Pearson

                        Sorry, I don't have any clue. I have never worked with a BIOS that supported it. Perhaps Intel Customer Support can contact the BIOS Security Team and find out.

                        ...S
