Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable
In the past few months, several research groups have uncovered vulnerabilities in the Intel remote administration feature known as the Management Engine (ME), which could allow remote attackers to gain full control of a targeted computer.
Now, Intel has admitted that these security vulnerabilities could "potentially place impacted platforms at risk."
Intel-SA-00086 Detection Tool
-
Yes, I agree with you, but I have no idea if it's possible.
hmscott likes this.
-
hacktrix2006 Hold My Vodka, I going to kill my GPU
Just downloaded the Tools and ran it.
Hoping that MSI answers my ticket with my request for a system bios update though.
Code:
Based on the analysis performed by this tool: This system is vulnerable.

INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
Scan date: 22/11/2017 00:48:12

Host Computer Information
Name: GT72-6QD
Manufacturer: Micro-Star International Co., Ltd.
Model: GT72
Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
OS Version: Microsoft Windows 10 Pro

Intel(R) ME Information
Engine: Intel(R) Management Engine
Version: 11.0.0.1173
SVN: 1

Copyright(C) 2017, Intel Corporation, All rights reserved.
-
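For anyone collecting these reports from more than one machine, the following is an added example (not part of the original post and not Intel's code) that parses the Detection Tool text shown above, whether pasted line by line or flattened onto one line, and lists the hosts that still need an OEM firmware update. The "not vulnerable" wording, the two extra sample reports and all function names are assumptions constructed for illustration.

```python
import re

# Field labels that appear in the report posted above.
LABELS = ["Application Version", "Scan date", "Processor Name", "OS Version",
          "Manufacturer", "Model", "Name", "Engine", "Version", "SVN"]
# Section headers and footer that end a value when the report is on one line.
STOPS = ["Host Computer Information", "Intel(R) ME Information", "Copyright"]
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):\s")

def parse_report(text):
    """Return {'verdict': ..., 'fields': {...}} for one Detection Tool report."""
    flat = " ".join(text.split())  # same handling for flattened and multi-line pastes
    # "not vulnerable" must be tried first: it contains the word "vulnerable".
    m = re.search(r"This system is (not vulnerable|vulnerable)", flat, re.I)
    verdict = m.group(1).lower().replace(" ", "_") if m else "unknown"
    fields = {}
    hits = list(LABEL_RE.finditer(flat))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        value = flat[hit.end():end]
        for stop in STOPS:
            value = value.split(stop, 1)[0]
        fields.setdefault(hit.group(1), value.strip())
    return {"verdict": verdict, "fields": fields}

def hosts_to_follow_up(reports):
    """Hosts whose report is not an explicit 'not vulnerable' (fail closed)."""
    out = []
    for text in reports:
        r = parse_report(text)
        if r["verdict"] != "not_vulnerable":
            f = r["fields"]
            out.append((f.get("Name", "?"), f.get("Version", "?"), r["verdict"]))
    return sorted(out)

# The report from the post above, flattened the way forum pastes often are.
PAGE_REPORT = (
    "Based on the analysis performed by this tool: This system is vulnerable. "
    "INTEL-SA-00086 Detection Tool Application Version: 1.0.0.128 "
    "Scan date: 22/11/2017 00:48:12 Host Computer Information Name: GT72-6QD "
    "Manufacturer: Micro-Star International Co., Ltd. Model: GT72 "
    "Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz "
    "OS Version: Microsoft Windows 10 Pro Intel(R) ME Information "
    "Engine: Intel(R) Management Engine Version: 11.0.0.1173 SVN: 1 "
    "Copyright(C) 2017, Intel Corporation, All rights reserved.")

# Constructed samples: host names and the 0.0.0.0 version are placeholders.
CLEAN_REPORT = """Based on the analysis performed by this tool: This system is not vulnerable.
INTEL-SA-00086 Detection Tool
Application Version: 1.0.0.128
Host Computer Information
Name: LAB-OLD-01
Intel(R) ME Information
Engine: Intel(R) Management Engine
Version: 0.0.0.0
"""
TRUNCATED_REPORT = """INTEL-SA-00086 Detection Tool
Host Computer Information
Name: LAB-CUT-02
"""

if __name__ == "__main__":
    for row in hosts_to_follow_up([PAGE_REPORT, CLEAN_REPORT, TRUNCATED_REPORT]):
        print(row)
```

A report with no verdict line is listed as "unknown" rather than dropped, so a truncated paste never counts as a clean result.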
Everyone is vulnerable. Even my brand new desktop. But, honestly... don't lose any sleep over it. I am definitely not going to. I don't even use antivirus software. I think the media is making a bigger deal over this than we need them to. But, I agree that Intel ME should go. We never needed it as a dependency in the first place, and I think we would be just fine if they eliminated it.
Papusan, tilleroftheearth, KY_BULLET and 1 other person like this. -
Affected Intel Products
Below is the list of the processor chipsets which include the vulnerable firmware:
- 6th, 7th and 8th Generation Intel Core processors
- Xeon E3-1200 v5 and v6 processors
- Xeon Scalable processors
- Xeon W processors
- Atom C3000 processors
- Apollo Lake Atom E3900 series
- Apollo Lake Pentiums
- Celeron N and J series processors
-
hacktrix2006 Hold My Vodka, I going to kill my GPU
I agree with you @MrFox about ME. It does need to go big time, even Intel's AMT has more security holes than a cheese grater.
Sent from my SHIELD Tablet K1 using Tapatalk -
Could one simply uninstall the ME driver or disable it in device manager or disable in the BIOS and forget about it? Ran the vulnerability tool on my m18x r1-> r2, says it is not vulnerable. another old alienware win lol
SkidrowSKT, Papusan, Ashtrix and 4 others like this. -
hacktrix2006 Hold My Vodka, I going to kill my GPU
From what I understand uninstalling the driver will not solve this issue as Intel ME has a mini os in the PCH. The fact that the exploit can enable USB JTAG is concerning enough for me.
Sent from my SHIELD Tablet K1 using Tapatalk
Vasudev likes this. -
What about disabling in the BIOS or removing the modules from the BIOS altogether? I think that would stop it....
-
Yes, but it would eliminate some functionality. Unfortunately, newer systems rely on the Intel ME firmware and drivers for some aspects of power management, CPU and memory overclocking capabilities. This dependency was never necessary before UEFI BIOS filth. The more they "fix" the more they break. That's why I'm not losing any sleep over it. It is what it is. If someone wants to come after your stuff bad enough they will find a way no matter how secure you might think things are. Unless or until that happens, the dangers are only hypothetical. Crossing the street is a risk. Allowing a door-to-door salesman to enter your home is a risk. Committing your life to another person that takes a vow "until death do us part" is a risk. Life goes on. Risk makes it more interesting. Living in fear of what might happen, maybe someday always sucks. Fear has a bad habit of becoming a self-fulfilling prophecy if you let it haunt you.
vikram0136, DreDre, KY_BULLET and 9 others like this.
-
I don't know if this will fix the problem. I hope so, but I think the issue is more than uninstalling a driver.
Vasudev likes this.
-
I just want to say that it's not only Intel doing such things; I would say every single technology owner is doing the same in different ways. The hardware and software companies are all the same, serving the same master in the end.
-
Yeah, the whole tech industry is circling the drain. One step forward, two steps backward, and happens too frequently. "Efficient" low-powered garbage and concepts involving SoC, BGA laptops, ARM, Android, iOS... all lackluster throw-away garbage tech just like Windows 10 and its worthless UWP filth. I wish smartphones had never been invented because the severely screwed up mentality that goes along with it is literally destroying everything excellent in its path and what little is left is dramatically dumbed-down anemic trash.
Last edited: Nov 22, 2017
Papusan, Ashtrix, Vasudev and 1 other person like this.
-
The AMT / ME like remote vulnerabilities have been going on for a *long* time...
How to remote hijack computers using Intel's insecure chips: Just use an empty login string
Exploit to pwn systems using vPro and AMT
By Chris Williams, US editor 5 May 2017 at 19:52
https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/
"How bad is this bug? Pretty bad. "The exploit is trivial, a maximum of five lines of Python, and could be doable in a one-line shell command," said SSH inventor Tatu Ylonen.
"It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware – possibly in the firmware – and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys.
"Disable AMT today. Mobilize whomever you need. Start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled). For data centers, if you can, block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls now.
"If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised.""
"Intel has published some more info on the vulnerability here, which includes links to a tool to check if your system is at-risk, support contact details, and a list of mitigations to reduce the threat. That tool is apparently Windows-only; there's info here for Linux peeps.
There is also this third-party tool, here, for disabling AMT from Windows."
"We're told the programming blunder is present in various, but not all, Intel processor chipsets from today's Kaby Lake family back to silicon sold in 2010: it mainly affects business PCs, professional workstations and small servers, rather than devices aimed at normal folk. However, Chipzilla admitted today that "consumers and small businesses" may end up using processors with the vulnerable tech present."
Hey, why not....
Intel AMT Vulnerability Shows Intel’s Management Engine Can Be Dangerous
by Lucian Armasu May 2, 2017 at 6:45 AM - Source: Intel Security Center
http://www.tomshardware.com/news/intel-amt-vulnerability-me-dangerous,34300.html
"Intel published a security advisory about a vulnerability that affects Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software. The company also released detection and mitigation guides, but the firmware updates would have to come from OEMs. The vulnerability shows that Intel ME's out-of-bound functionality, such as installing software remotely on PCs, could pose serious dangers to systems, as some free software activists have already warned."
All of this has led free software activists, such as those working on Libreboot (a free software alternative to UEFI), to brand it a “backdoor.” Even without considering it a backdoor, the Libreboot founder has argued that the capabilities of Intel ME can be exploited by others once vulnerabilities in it are found"
And, now it came to be...you can click on images in this post for more info...
Last edited: Dec 1, 2017 -
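To check whether the port block quoted in the post above has actually taken effect, the following added example (not part of the original post) reviews firewall flow logs for traffic to the listed AMT ports and reports which internal hosts are still reachable on them. The log line format, addresses and function name are constructed assumptions; adapt the regex to your firewall's export.

```python
import re

# Ports named in the quoted advice above.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Assumed (constructed) log format:
#   <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (tcp|udp) "
    r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")

# Constructed sample log lines.
SAMPLE_LOG = """\
2017-11-22T09:00:01Z ALLOW tcp 10.0.5.23:51544 -> 10.0.9.10:16992
2017-11-22T09:00:02Z DENY tcp 10.0.5.23:51545 -> 10.0.9.11:16993
2017-11-22T09:00:03Z ALLOW tcp 10.0.5.40:16993 -> 10.0.9.12:443
2017-11-22T09:00:04Z ALLOW udp 10.0.7.8:40000 -> 10.0.9.10:623
2017-11-22T09:00:05Z ALLOW tcp 10.0.5.23:51550 -> 10.0.9.10:16992
garbled line that does not match
"""

def review_amt_flows(log_text):
    """Summarise flows to AMT ports: hosts still reachable, blocks, bad lines."""
    allowed = {}   # destination host -> set of AMT ports that were let through
    blocked = 0
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # count these, so a format change is noticed
            continue
        _, action, _, _, _, dst, dport = m.groups()
        port = int(dport)
        # Only the destination port matters: a client whose ephemeral source
        # port happens to be 16993 is not talking to AMT.
        if port not in AMT_PORTS:
            continue
        if action == "ALLOW":
            allowed.setdefault(dst, set()).add(port)
        else:
            blocked += 1
    return {
        "still_reachable": {h: sorted(p) for h, p in sorted(allowed.items())},
        "blocked": blocked,
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(review_amt_flows(SAMPLE_LOG))
```

Hosts under "still_reachable" are the ones to prioritise for disabling AMT or tightening rules; a non-zero "unparsed" count means the regex no longer matches the log format and the summary is incomplete.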
I find it funny that Intel people here who tout the chips and makers' words are the gospel just ignore them when they do not like what is being said to them by the company. Same happened from them from the last bug too. Who cares if everyone else is at risk, they just want those overclockable chips to keep flowing into the market.
-
Mitigation guide for Intel AMT exploit https://mattermedia.com/blog/disabling-intel-amt
Source: Intel Fixes Critical Bugs in Management Engine (affecting 6th, 7th, 8th Generation Core™ CPUs) -
Gotta love the "Updates"
" UPDATE3: There is now a tool to check whether AMT is enabled and provisioned on Linux systems.
UPDATE2: It gets worse. Much worse. If your Windows laptop runs #IntelAMT, and you enable #WiFi for AMT and you connect to public WiFi AMT is accessible to anyone on that network.
UPDATE1: The vulnerability is now called “SILENT BOB IS SILENT” and is worse than imagined – an attacker can bypass authentication and log on to Intel AMT remotely simply by sending an empty password (a NULL HTTP Digest response). Furthermore:
“The exploit is trivial, max five lines of Python, could be doable in one-line shell command. It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys. … IT folks, KEEP WORKING THROUGH THE WEEKEND, DISABLE AMT NOW or block access to it. This can get ugly.”"
And, don't forget, even with AMT disabled, Intel ME is still there chugging along just waiting for something to drop in and say "Hi!" Like a USB device...
-
Yup. 100%. Being a worrywart changes nothing. It is all about priorities, enjoying life and focusing on what really matters. Having a computer that runs like a banshee is way more important than an anemic piece of garbage that is not a risk in a one-off remote possibility scenario. I do not worry about getting STDs using a public toilet or contracting AIDS at my doctor's office, or TB when the people sitting next to me on a plane cough or sneeze. All possibly dangerous under the worst case scenario, but not something to get locked up about. The people responsible for it need to suffer, not the hypothetical victims that stand a one in a million (or less) chance of their PC being in the wrong place at the wrong time.
KY_BULLET, Ashtrix, electrosoft and 2 others like this.
-
I already uninstalled the IME.
Does anyone know if Clevo will provide any Intel Management Engine 11.8 Firmware update?
EDIT: Or maybe we need help from @Prema to do something about it.
Last edited: Nov 22, 2017 -
I did many procedures to be like you, but still I didn't succeed
-
Intel® Management Engine Critical Firmware Update (Intel SA-00086)
Resources from system manufacturers
Note Links for other system manufacturers will be provided when available. If your system manufacturer is not listed, contact them for information on the availability of the necessary software update.
- Acer: Support Information
- Dell Client: Support Information
- Dell Server: Support Information
- Fujitsu: Support Information
- HP Servers: Support Information
- Intel® NUC, Intel® Compute Stick, and Intel® Compute Card: Support Information
- Lenovo: Support Information
- Panasonic: Support Information
- Clevo...????!!! Zzzz
steberg likes this. -
Right. The good Alienware systems like the M18xR2 were built before firmware cancer had metastasized and garbage became status quo. Intel ME played a part in the filth that is today's normal. The advancing UEFI roadmap leads us to even more troubling days, with Intel and Micro$haft control freak bastards pointing us directly into the mouth of the technology abyss. I started ranting about this crap at least 4 years ago and nobody listened. Just wait... We ain't seen nothing yet, LOL.
KY_BULLET, Ashtrix, hacktrix2006 and 2 others like this.
-
Falkentyne Notebook Prophet
Allow me to quote an old post over on OCN back in 2006, when the "SMM" bug regarding #Prochot or #thermtrip on Pentiums could allow evil satanic hackers to take over your PC !!!
KY_BULLET, Papusan, Dr. AMK and 1 other person like this. -
So, hackers only want to use Intel AMT / ME hacks to break into people's PC's to give them an OC tune up and better performance? A better performing PC World through hacking?
These are totally different issues, and totally different exposures to people's PC's, not comparable at all.
Last edited: Nov 22, 2017
Dr. AMK likes this. -
Actually, it's Micro$loth's idea and Intel is their servant. The one that stands to truly profit is the Redmond Mafia. It's really disgusting how Intel, NVIDIA, AMD and other big-shots in the industry cow to Micro$haft and kiss their butt so much.
And, to be clear, UEFI is not the problem in and of itself. It's the payload of optional Nazi control freak feces that it carries (and more of which will be carried in the future) that is 100% unnecessary filth. All of the nasty excrement enthusiasts despise is made possible by UEFI, but only because it is abused by people that view themselves as having the right to play god and want us to pretend we love them.
They like to sugar-coat it, but it all boils down to the ODM/OEM being able to control what we do, and for Micro$loth to control what OS we do it with.
Last edited: Nov 22, 2017 -
I would call this TR a lot of things but not an anemic piece of garbage. In fact I do not see any of the Ryzen systems as such. You guys can defend Intel here all you want but no one is buying it. Not worrying about what could happen is what security is all about. The fact you say it should be overlooked greatly tarnishes any other words of wisdom you guys intend to make.
But I guess you are right, the faster the CPU, the faster they can get the data off the system! -
Falkentyne Notebook Prophet
Suggest you jabronis patch your systems anyway.
I just patched my BGA Throttlebook.
https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html
Papusan, Dr. AMK, Mr. Fox and 1 other person like this. -
Let's hope no one does buy anything Intel over the Holidays, and throughout the next few years.
Wouldn't that be a great Holiday Present for the Holiday of the Future...:
"AMD buys bankrupt Intel for pennies on the dollar, and AMD proceeds to bulldozer all Intel properties into the ground, turning them into Beautiful Green Parks for all to enjoy."
"10 years after...
...AMD releases x86 Intellectual Properties into the public domain, unique and individual CPU's made for pennies, driven by AI-based Silicon Printers, bring the world into the next Bright Age of Enlightenment."
Wait, what?!! Did I fall asleep? Man, that Turkey was Goooood!! Wait, what?!! Thanksgiving is tomorrow you say?
Last edited: Nov 22, 2017 -
Who said anything about AMD processors being anemic garbage? I was referring to BGA trash and smartphone filth that runs on Android and iOS.
-
Android and iOS are not even real computing solutions so usually are not considered in other than the most rudimentary of tasks. BGA crap, well we know who makes that at present.
-
Android phones apparently make adequate auto-drive computers for cars
openpilot Demo from Web Summit
Super Hacker George Hotz: I Can Make Your Car Drive Itself for Under $1,000
ai.bythebay.io: George Hotz, Self-Driving Lessons from Comma AI
"George Hotz, known online as GeoHot, became one of the world's most famous hackers at 17 when he was the first person to break into the iPhone and reconfigure it to be compatible with providers other than AT&T. He was also the first to jailbreak the PlayStation 3, allowing users to play with unauthorized software.
Now this 28-year-old technical wunderkind is up against Waymo, Tesla, Uber, and most of the auto industry in the race to build the first fully operational autonomous vehicle.
"I want to win self-driving cars," Hotz told Reason. Whereas Tesla and Waymo are developing complex systems with expensive LIDAR and other sensors, his company, Comma.ai, is trying to bring plug-and-play driverless technology to the masses. "We're running it on a phone," says Hotz.
He's taking an approach drastically different than his well-financed competition, and is operating with $3.1 million in seed money. Comma's dozen-member team, which works out of a residential house in San Francisco, has built technology that takes over the existing RADAR and drive-by-wire systems in modern cars, incorporates a smartphone's camera and processor, and then makes the car drive itself.
"Google is going to lose because there's no market for a $100,000 system," says Hotz. "For us, we're just going to push the software update. And then—boom—you don't have to pay attention anymore. Done."
Hotz has a history of taking on tech titans, with mixed reactions. After the iPhone jailbreak, Apple co-founder Steve Wozniak sent him a letter of congratulations. After he hacked the PS3, Sony sued him. Hotz quickly became a cause celebre of so-called hacktivist groups including Anonymous and LulzSec. They attacked Sony's network, despite Hotz's protests, igniting a firestorm of legal and media scrutiny.
Comma.ai is Hotz's attempt to take on the big players in a new way. The company makes an app called Chiffr that turns a user's phone into a dashcam and monitors its GPS and accelerometers. Now Comma is launching Panda, an open source, $88 dongle that plugs into the car, links it to the phone, and puts out fine-grain detail about every aspect of a drive. Hotz ingests all the data from Chiffr and Panda users and feeds it to his artificial intelligence system, which then learns how to drive.
According to Hotz, this approach gives him significant advantages over competitors such as Waymo. His network is entirely crowdsourced and running on some of the most popular cars in the country. He doesn't need to build another expensive, specially designed vehicle and employ a trained driver and an engineer every time he wants to add another data point. And all his data come from real-world experience.
Hotz says Waymo and others take a rule-based approach to driving that doesn't reflect the reality of how people operate cars. "The humans ain't changing to match the self-driving spec," he says. "In order to really get access to the full, diverse spectrum of what driving is, you need a huge crowdsourced database."
While Tesla's training model is more closely aligned with his, Hotz says the company will similarly be restricted to the high-end market. He got into a public spat with Tesla founder Elon Musk in 2015, after Hotz says the mogul changed the terms of a deal for him to build a better vision system for Tesla's Autopilot than the one supplied by partner company Mobileye. Musk claims Hotz bragged that he could build a better system, and then welched on the bet.
"All I said was I could build a better vision system than Mobileye, myself, in 3 months," replies Hotz. "And I kind of did that.""
https://reason.com/reasontv/2017/10/27/george-hotz-self-driving-autonomous-car
Building a Self Driving Car | EP 1 (comma neo w/ openpilot)
Building a Self Driving Car | EP 2 (comma neo w/ openpilot)
Building a Self Driving Car | EP 3 (comma neo w/ openpilot)
Comma.ai launches an $88 universal car interface called Panda
https://comma.ai/
https://twitter.com/comma_ai
https://www.youtube.com/channel/UCW_9Y89RuQQFwMwSRLcI2fg/videos
Last edited: Nov 22, 2017
Dr. AMK likes this. -
Well, the numb-nuts at the Redmond Mafia aspire to make Windows 10 more like those piles of trash. Say hello to UWP app crap.
And, they already have "laptops" with ARM processor trash and Chromebooks are paving the path to notebook hell for everyone. Give 'em an inch, they'll take a mile. We are already seeing ample evidence that the road to hell is paved with laptops built like smartphones. No thank you.
Last edited: Nov 23, 2017 -
True words Mr. Fox, I remember it about the Secure boot garbage and Secure Flash & UEFI Class III from M$ Mafia pairing with Win10 6mo EOL trashware, this is just on PC. On Smartphone realm it's equally worse, with Google injecting more and more proprietary trash into the AOSP poisoning it slowly step by step (Again a clone of Apple's SEP chip which is also called Secure Enclave since the TouchID), killing off Nexus line and mimicking crApple to push filth and locked down HW, It's been a freefall. M$ purchased Nokia (You can thank Mr. Elop) and ruined that company to hell and they ruined themselves in the process same idea of mimicking Apple and they are still doing it shamelessly with ineligible CEO and now here we are Duopoly with smartphone market. Monopoly on PC platform with M$ dictating everything and Intel executing it, shamelessly documenting it.
A damn shame, BUT I guess I'm happy that I/we at least got to see what freedom and choice looked like.
More on this UEFI doomsday clock they started.
Which is wrong, Win7 is only partial UEFI. Only 8.x has full UEFI at least with the InsydeH20. Plus in case you didn't know Win7 will be permanently joining XP in 2020, coincidence? Nope. That's M$ / Ngreedia / Apple / Intel are in bed about thinking how to move the people to a corner and force them, by leeching the money Life essence.
Secure Boot, UEFI Class III, more and more control and maximum pressure from these companies to do whatever they want like from Whitelisting to removing options from BIOSes, castrating machines. With UEFI hacking those would be not the same, granted we already saw what the Secure Flash does to the Laptops when paired with NVRAM on existing BIOS machines, Ngreedia started to drop legacy VGA output and started pushing eDP only and some machines needing UEFI only to boot unless the OEM adds GOP driver, the case with my machine in sig. Now let's face it, we will get to see some more advancements in the technology, unfortunately, It's more for worse things than good (does it exist ?) ...
Idk what to think now, People just don't care they just are happy with those thin and light laced with that crippled POS Win10 or Shiny BGA machines, Future about @Prema mods, vBIOS mods of Pre-Pascal to Ngreedia Falcon Phase 2 needing more HW and extensive knowledge to Phase 3 with UEFI Firmware check else No boot for ya, We are past the phase of Voting with Wallet, It's not like we have to stop but to keep pushing it hard where ever we can & hopefully one day the Kool-aid crowd learns what they have been robbed of, the more essential part, Liberty.
Papusan, Cass-Olé, Dr. AMK and 1 other person like this. -
What settings should Prema BIOS users do to have their laptops protected?
-
So much for that... https://www.asus.com/us/Motherboards/ROG-MAXIMUS-X-HERO-WI-FI-AC/HelpDesk_BIOS/
tilleroftheearth, Cass-Olé, Starlight5 and 2 others like this. -
This is good. What will we do for Clevos?!
-
I think based on the post by @Prema it is probably going to be taken care of for his customers. Clevo will most likely patch it as well.
I actually found the updated firmware and flashed my desktop ME firmware before I thought to check for a BIOS update from ASUS. So, it was already flashed/patched before I updated the BIOS. -
We are currently beta testing on systems ranging from PxxxDM, PxxxDM3, PxxxKM1 to PxxxTM1 generation...
alexhawker, ssj92, steberg and 5 others like this.
Critical Flaws in Computers Leave Millions of PCs Vulnerable
Discussion in 'Hardware Components and Aftermarket Upgrades' started by Dr. AMK, Nov 21, 2017.