Topic: Massive vulnerability in Intel CPUs with the IME

someone explain to me like I'm a lil boyo what the forget is going on here.

like, what is vulnerable, how is it, why is it, and what does it affect.
Every Intel CPU produced in the past 9 years- however it's only vulnerable from the network if you have vPro or AMT on your system/enabled. Without it on your system- an attacker can still gain access to it, however they'll have to run a specially crafted program on your PC to get access first.

So now is this a gate into your entire system via the CPU, or just being able to forget with the CPU?

So now is this a gate into your entire system via the CPU, or just being able to forget with the CPU?
Entire system. It's essentially allowing an attacker to execute arbitrary code.

This is easy to fix, nothing to worry about. You guys just prefer AMD and apocalyptic words to make your news more spicy.

Just update the firmware on your server CPUs. You should do that regularly anyway.

You guys just prefer AMD and apocalyptic words to make your news more spicy.
Ahahahaha monday what hahaah

This is easy to fix, nothing to worry about. You guys just prefer AMD and apocalyptic words to make your news more spicy.

Just update the firmware on your server CPUs. You should do that regularly anyway.
Yeah implying rolling firmware out to thousands of servers isn't going to cause any downtime.. There's also the fact that anybody running a Nehalem CPU to a Kaby Lake CPU might not get updates- and it will still leave them vulnerable. This is something to worry about. They effectively have a backdoor into your system that you can't close, and it's pretty loving scary

Yeah implying rolling firmware out to thousands of servers isn't going to cause any downtime.. There's also the fact that anybody running a Nehalem CPU to a Kaby Lake CPU might not get updates- and it will still leave them vulnerable. This is something to worry about. They effectively have a backdoor into your system that you can't close, and it's pretty loving scary
Also- I don't prefer AMD. I use what's right for the job- servers are Xeons, laptops use i3-i7 mobile CPUs, desktops use either AMD or Intel, depending on what workloads they're going to handle. You can't dismiss this by saying "it's just fear mongering because you're not an intel fanboy"

Not forgetting that nearly every server on this planet is vulnerable, yes
Servers controlling internal corporate networks. And only the ones that use these feature sets.
You're not going to be compromised by, say, downloading a webpage from a remote webserver

Every Intel CPU produced in the past 9 years- however it's only vulnerable from the network if you have vPro or AMT on your system/enabled. Without it on your system- an attacker can still gain access to it, however they'll have to run a specially crafted program on your PC to get access first.
If your attacker is already able to run whatever software they want on your PC, then you already have major issues, and this vulnerability isn't really going to open up anything that isn't already open

so update on this and to clear some things up (anyone can get on me if I'm wrong about this): this exploit can take advantage of ANY device (within the respective firmware versions) that has vPro LOCALLY. the only devices that are able to be accessed remotely are devices that are actively using AMT, ISM, or SBT (which is not any consumer device aka prolly you).

every device with vPro comes with AMT, however it's NOT enabled. unfortunately, it can easily be enabled by any underprivileged user accessing your device, navigating to your boot menu, and accessing the intel MEBx. the MEBx is password protected, but with a default password of "admin". you can change this after you log in once.

here's a couple useful resources:
script to determine if your device is vulnerable (intel) - https://downloadmirror.intel.com/26755/eng/INTEL-SA-00075%20Detection%20Guide-Rev%201.0.pdf
mitigation guide (intel) - https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide-Rev%201.1.pdf

EDIT: also if anyone has any links to how exactly the exploit works please post. not how to do it, just something more detailed than "gives user escalated access through AMT"
« Last Edit: May 03, 2017, 04:57:07 PM by RedGajin »

good thing my cpu is so old it doesn't even have vpro

I'm sick and tired of it though. He's also as bad as that d guy, except d knows his stuff (even if he's wrong), whereas Queeba just makes an incredibly awkward post on the forum and then rushes to Discord to brag about it.
who the forget is that d guy?
nobody comes to mind

INTEL BTFO!!!!11!!!!!

HOW WILL THEY EVER RECOVER?