
Intel Processor Vulnerability (vPro)


InfoSponge16

Registered
Joined
Jul 23, 2016

Alaric

New Member
Joined
Dec 4, 2011
Location
Satan's Colon, US
I thought this was pretty well covered quite a while ago. The needed access was extremely difficult to attain on the vast majority of computers, wasn't it? Or did I miss something?
 
OP

InfoSponge16

Registered
Joined
Jul 23, 2016
Well it was not closed recently. Though it may have been well covered.

However I found it as a recent headline on an RSS feed on an ipSec site. It does affect Skylake so it's fairly recent.

I don't think it affects Kabylake but it wouldn't be a bad idea to check.

As far as being difficult to exploit, it doesn't sound that difficult to access.

It involves remoting, so basically anyone with bad intentions and an understanding of ports could monitor traffic or issue commands.

They would be able to give themselves elevated privileges to take control of the target.

I didn't know about it until last night, it is however a serious threat so I made the thread just in case. Hopefully most people were already aware.
 

satrow

Member
Joined
Feb 20, 2015
Location
Cymru
Not closed and 'boards out of warranty unlikely to be updated by the makers/OEMs.

You can also uninstall the AMT software and uninstall the Intel ME drivers from Programs or Device Manager > System Devices.

Apparently it affects Intel CPUs from ~2009 onwards.
 

trents

Senior Member
Joined
Dec 27, 2008
Not closed and 'boards out of warranty unlikely to be updated by the makers/OEMs.

You can also uninstall the AMT software and uninstall the Intel ME drivers from Programs or Device Manager > System Devices.

Apparently it affects Intel CPUs from ~2009 onwards.

So is this a CPU issue and a motherboard chipset issue? Does it only apply to systems with certain OEM motherboards or does this affect people using the affected CPUs but have aftermarket motherboards?
 

satrow

Member
Joined
Feb 20, 2015
Location
Cymru
Yes, the BIOS/Firmware on the 'board provides the opening to remotely access the CPU. Most affected are likely to be business class laptops and workstations, Q-series chipsets mostly, from what I can tell.

For consumers, anyone using an ex-Enterprise notebook (or a business-class notebook) or workstation would be most at risk.
 

Dolk

I once overclocked an Intel
Joined
Mar 3, 2008
Direct statement from Intel:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.
There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

"This issue is remotely exploitable through the host operating system's IP address if the LMS service is running," HD Moore, who is vice president of research and development at Atredis Partners, told Ars. "Servers with TCP ports 16992 or 16993 exposed and AMT activated would be exploitable through either the AMT's independent IP address, or in the case of LMS being enabled, the host operating systems' IP address. An attacker with access to the ports and knowledge of the vulnerability could obtain the equivalent of authenticated access to the AMT web interface, which in turn can lead to arbitrary code execution on the operating system."

https://arstechnica.com/security/20...ecution-bug-that-lurked-in-cpus-for-10-years/


From what I can tell, this is a very low exposure case. So let's not panic :)
 
OP

InfoSponge16

Registered
Joined
Jul 23, 2016
Additional information is definitely good and adds to the thread.

I'm not really a fan of Remote assistance or options like those anyway so I usually disable them.

It's good to know there are several ways to disable the threat.

So to sum up, we can disable options in the BIOS. We can uninstall software and/or disable drivers. We can also use Intel's tool to update or discover if your system is or is not affected, and act accordingly.
 

mackerel

Member
Joined
Mar 7, 2008
To re-quote from Dolk's Intel quote: "This vulnerability does not exist on Intel-based consumer PCs." If you have business targeted systems, it may be a different story, but most of us probably don't have to do anything.

Maybe I should have a look at my old work laptop I got to keep...
 
OP

InfoSponge16

Registered
Joined
Jul 23, 2016
That is what I gathered from the article. Which does quote Dort.
Intel's report states as you are saying.
But the article from SecurityWeek adds more information. Link from SecurityWeek points to Intel.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Link from article pointing to additional information.

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

Which is probably an update to the information provided in the link from Satrow.

So it would probably be wise to check that work laptop.

For others, all the relevant information pertaining to the subject of the original post has been provided between members in this thread.

We shouldn't panic, but security should not be so casually disregarded.

From Dort's perspective, he should want to share pertinent information, but he is obligated to keep from scaring people away from their product. Which is logical.

From a security expert's perspective, and that is not myself, they would want, or want to provide information to ensure all threats are addressed.
 

mackerel

Member
Joined
Mar 7, 2008
While not directly related to the Intel problem here, in the process of looking at it on my ex-work laptop, I found a different potential problem. It's called Computrace and is implemented as a BIOS option. It is meant as a method to track hardware to aid recovery if stolen. The worst part about it is, once activated, it apparently can't be deactivated. It is activated on the one I have.

The BIOS add-in will run and check for the presence of phone-home software on the system. If not present, it'll put it back. Allegedly, people have found ways to block it, either through stopping/deleting the used files, and replacing them with dummy ones of the same name. Alternatively, the more adventurous have taken to BIOS modding to actually remove that module. I'm not 100% sure it is active on my laptop, as although it is showing activated in the BIOS, I could only find one of the potential files it uses. I have deactivated it, just in case. It seems this "feature" is common on many business type devices.

An interesting note is, apparently it only works on Windows. So, maybe it is time for me to look at Linux again, just in case...
 

Woomack

Benching Team Leader
Joined
Jan 2, 2005
A couple of years ago I was at an Intel vPro training and we couldn't make this technology work. We had 20+ workstations prepared by Intel but they didn't work, so we wasted half of the day and were listening only to theory ... but I got a 400+ page book about it ...
Anyway, this technology requires the CPU and chipset to work and it has to be activated on the computer. Additionally, the BIOS has to be prepared and some data has to be programmed to see computers in the network and manage them. I guess it's easier to set up now than a couple of years ago.
On Intel boards you could use Intel soft to edit BIOS options but well, Intel has no motherboards anymore.
Only some business series computers have vPro, so I wouldn't worry about it if you have any motherboard on an H/Z chipset or a non-"i" CPU.