Intel Processor Vulnerability (vPro)

InfoSponge16 · May 2, 2017

I found some information that should be of concern for anyone with an Intel processor from Nehalem to Skylake. Or for anyone who is interested in getting into the platform.

Here are links to Intel's website where you can find out if you are affected. There should be a firmware update if yours is vulnerable.
You can also disable vPro in your bios.

https://communities.intel.com/docs/DOC-5693

https://downloadcenter.intel.com/download/26755

EarthDog · May 3, 2017

They just closed this, no?

Alaric · May 3, 2017

I thought this was pretty well covered quite a while ago. The needed access was extremely difficult to attain on the vast majority of computers, wasn't it? Or did I miss something?

InfoSponge16 · May 3, 2017

Well it was not closed recently. Though it may have been well covered.

However I wound it as a recent headline on an RSS feed on an ipSec site. It does affect Skylake lake so its fairly recent.

I don't think it affects Kabylake but it wouldn't be a bad idea to check.

As far as being difficult to exploit, it doesn't sound that difficult to access.

It involves remoting, so basically anyone with bad intentions and an understanding of ports could monitor traffic or issue commands.

They would be able to give themselves elevated privileges to take control of the target.

I didn't know about it until last night, it is however a serious threat so I made the thread just in case. Hopefully most people were already aware.

satrow · May 3, 2017

Not closed and 'boards out of warranty unlikely to be updated by the makers/OEMs.

You can also uninstall the AMT software and uninstall the Intel ME drivers from Programs or Device Manager > System Devices.

Apparently it affects Intel CPUs from ~2009 onwards.

trents · May 3, 2017

satrow said:
Not closed and 'boards out of warranty unlikely to be updated by the makers/OEMs.

You can also uninstall the AMT software and uninstall the Intel ME drivers from Programs or Device Manager > System Devices.

Apparently it affects Intel CPUs from ~2009 onwards.

So is this a CPU issue and a motherboard chipset issue? Does it only apply to systems with certain OEM motherboards or does this affect people using the affected CPUs but have aftermarket motherboards?

satrow · May 3, 2017

Yes, the BIOS/Firmware on the 'board provides the opening to remotely access the CPU. Most affected are likely to be business class laptops and workstations, Q-series chipsets mostly, from what I can tell.

For consumers, anyone using an ex-Enterprise notebook (or a business-class notebook) or workstation would be most at risk.

EarthDog · May 3, 2017

Oh... thanks for the clarificiation! THis is something different I guess that has a solution (so its 'closed' in my mind since there is a solution).

https://www.techpowerup.com/forums/...on-flaw-on-its-cpus-active-since-2008.232947/

satrow · May 3, 2017

Same thing, Intel has made patches available for the OEMs now and I guess they already have patches available for (at least the current range) of their own 'boards.

Dates back to this: http://semiaccurate.com/2012/05/15/intel-small-business-advantage-is-a-security-nightmare/

Dolk · May 3, 2017

Direct statement from Intel:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.
There are two ways this vulnerability may be accessed please note that Intel® Small Business Technology is not vulnerable to the first issue.

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

"This issue is remotely exploitable through the host operating system's IP address if the LMS service is running," HD Moore, who is vice president of research and development at Atredis Partners, told Ars. "Servers with TCP ports 16992 or 16993 exposed and AMT activated would be exploitable through either the AMT's independent IP address, or in the case of LMS being enabled, the host operating systems' IP address. An attacker with access to the ports and knowledge of the vulnerability could obtain the equivalent of authenticated access to the AMT web interface, which in turn can lead to arbitrary code execution on the operating system."

https://arstechnica.com/security/20...ecution-bug-that-lurked-in-cpus-for-10-years/

From what I can tell, this is a very low expose case. So let's not panic

InfoSponge16 · May 3, 2017

Additional information is definitely good and adds to the thread.

I'm not really a fan of Remote assistance or options like those anyway so I usually disable them.

It's good to know there are several ways to disable the threat.

So to sum up, we can disable options in the bios. We can uninstall software and or disable drivers. We can also use Intel's tool to update or discover if your system is or is not affected. And act accordingly.

InfoSponge16 · May 3, 2017

That is most of the sum of the statement I read in another article.

I found it here
http://www.securityweek.com/intel-w...SecurityWeek+RSS+Feed)&utm_content=FeedBurner

It's new there so I shared. I wasn't trying to steer anyone away from Intel, or even create a panic. But I definitely wanna do what I can to help people keep their PC and data secure.

mackerel · May 3, 2017

To re-quote from Dolk's Intel quote: "This vulnerability does not exist on Intel-based consumer PCs." If you have business targeted systems, it may be a different story, but most of us probably don't have to do anything.

Maybe I should have a look at my old work laptop I got to keep...

InfoSponge16 · May 3, 2017

That is what I gathered from the article. Which does quote Dort.
Intel's report states as you are saying.
But the article from securityweek adds more information. Link from security week points to intel.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Link from article pointing to additional information.

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

Which is probably an update to the information provided in the link from Satrow.

So it would probably be wise to check that work laptop..

For others, all the relevant information pertaining to the subject of the original post has been provided between members in this thread.

We shouldn't panic, but security should not be so casually disregarded.

From Dorts perspective, he should want to share pertenant information, but he is obligated to keep from scaring people away from their product. Which is logical.

From a security experts perspective, and that is not myself, they would want, or want to provide information to ensure all threats are addressed.

mackerel · May 4, 2017

While not directly related to the Intel problem here, in the process of looking at it on my ex-work laptop, I found a different potential problem. It's call Computrace and is implemented as a bios option. It is meant as a method to track hardware to aid recovery if stolen. The worst part about it is, once activated, it apparently can't be deactivated. It is activated on the one I have.

The bios add-in will run and check for the presence of phone-home software on the system. If not present, it'll put it back. Allegedly, people have found ways to block it, either through stopping/deleting the used files, and replacing them with dummy ones of the same name. Alternatively, the more adventurous have taken to bios modding to actually remove that module. I'm not 100% sure it is active on my laptop, as although it is showing activated in the bios, I could only find one of the potential files it uses. I have deactivated it, just in case. It seems this "feature" is common on many business type devices.

An interesting note is, apparently it only works on Windows. So, maybe it is time for me to look at linux again, just in case...

Woomack · May 4, 2017

Couple of years ago I was on Intel vPro training and we couldn't make this technology to work, we had 20+ workstations prepared by Intel but they didn't work so we wasted half of the day and were listening only to theory ... but I got 400+ page book about it ...
Anyway this technology requires cpu and chipset to work and it has to be activated on the computer. Additionally BIOS has to be prepared and there has to be programmed some data to see computers in the network and manage them. I guess it's easier now to set it than couple of years ago.
On Intel boards you could use Intel soft to edit BIOS options but well, Intel has no motherboards anymore.
Only some business series computers have vPro so I wouldn't worry about it if you have any motherboard on H/Z chipset or non "i" CPU.

Intel Processor Vulnerability (vPro)

InfoSponge16

Registered

EarthDog

Gulper Nozzle Co-Owner

Alaric

New Member

InfoSponge16

Registered

satrow

Member

trents

Senior Member

satrow

Member

EarthDog

Gulper Nozzle Co-Owner

satrow

Member

Dolk

I once overclocked an Intel

InfoSponge16

Registered

InfoSponge16

Registered

mackerel

Member

InfoSponge16

Registered

mackerel

Member

Woomack

Benching Team Leader

Similar threads