INTEL-SA-00086 security report, some links + my questions.

plopke

Not sure if I should have made a separate thread about this; this security statement of Intel was mentioned in http://www.portvapes.co.uk/?id=Latest-exam-1Z0-876-Dumps&exid=thread...onal-jtag-for-intel-csme-via-usb-dci.2526365/

INTEL:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Short version: Intel remote Management Engine exploits for almost all 6-8 generation CPUs and more.

DETECTION TOOL:
https://downloadcenter.intel.com/download/27150 , unzip and run the GUI edition

HOW TO FIX:
Driver + BIOS update; for example, Gigabyte is shipping new BIOS already for 300-200 series, and I assume many others.

IMPACT:
I cannot figure this one out, so I had some questions; it sounds kinda bad.

My questions:
1) There is no way to disable this in BIOS? If I understand this, NO.
2) What if your system was never set up for remote management logins? If I read the instructions, you would have had it set up once locally or by the OEM?
3) Does this affect only local LAN?




UPDATE:

I did not pay attention to this, but they updated the affected CPUs from generation 6-8 -> 1-8 in the top list, and specific CPUs all the way down to the 3/4 Core generation. Well uuuuuuuurgh.

This is NOT related to the addressable user/kernel memory space violation that is resulting in rumoured new kernel code in Linux/OS X/Windows; that's another thing to cry about.
 

gorobei

Oh, it's major league bad. It allows all kinds of malicious exploits, and it operates below the OS, so antivirus and other tools can't see it. It also allows access to RAM, so encryption keys are potentially visible.

Linus Tech covered it in their podcast.
https://www.youtube.com/watch?v=neQhMG4izuU#

The big takeaway is that most systems will never be properly patched with the BIOS update.

Never been a better time to go red as far as security goes. The sad part is that people were sounding the warning bells when IME first came out.
 

VirtualLarry

> The big takeaway is that most systems will never be properly patched with the BIOS update.
>
> Never been a better time to go red as far as security goes. The sad part is that people were sounding the warning bells when IME first came out.

Does this mean that ALL Intel (last 8 years?) rigs, with IME in the chipset, regardless if you have AMT BIOS support, are vulnerable to below-OS-level exploits? That's HORRIBLE.

Thank GOD my main rigs are all AMD now.

Edit: Can we say that "Security through obscurity" is a BAD IDEA yet?
 

Dayman1225

> Does this mean that ALL Intel (last 8 years?) rigs, with IME in the chipset, regardless if you have AMT BIOS support, are vulnerable to below-OS-level exploits? That's HORRIBLE.
>
> Thank GOD my main rigs are all AMD now.
>
> Edit: Can we say that "Security through obscurity" is a BAD IDEA yet?

Here's the affected list.
 

SarahKerrigan

> Does this mean that ALL Intel (last 8 years?) rigs, with IME in the chipset, regardless if you have AMT BIOS support, are vulnerable to below-OS-level exploits? That's HORRIBLE.
>
> Thank GOD my main rigs are all AMD now.
>
> Edit: Can we say that "Security through obscurity" is a BAD IDEA yet?

AMD has an equivalent of their own, with the Platform Security Processor. It has had far less reverse-engineering effort directed at it so far.

For those of you in the position of doing enterprise-scale computer purchasing, I really recommend that you make it clear to your channel representatives that mandatory magic black boxes are not acceptable. Remote management features are useful, but transparency and controllability need to be key.
 

Dayman1225

That's the point, it's a government backdoor. Intel is probably muzzled from saying much about ME.

They will only say something when they are forced to (or in this case do an overview of security). I'm just glad they acknowledged it instead of ignoring it and pretending it isn't a problem. Though either way isn't ideal.
 

SarahKerrigan

> That's the point, it's a government backdoor. Intel is probably muzzled from saying much about ME.

Considering other CPU vendors (IBM being the obvious example) don't have an ME equivalent, that seems dubious to me.

The media industry seems to be a more likely source of ME pushing, since the Protected Audio/Video Pathway runs on it.
 

thecoolnessrune

> Considering other CPU vendors (IBM being the obvious example) don't have an ME equivalent, that seems dubious to me.
>
> The media industry seems to be a more likely source of ME pushing, since the Protected Audio/Video Pathway runs on it.

That's really only an effect of scale. ME is designed for end-user systems. IBM CPUs aren't in those devices. The devices that those CPUs are in already have a low-level access system built in by mandatory design called the Flexible Service Processor (FSP). It must be installed for a supported IBM System to function, as it's used by the IBM HMC (Hardware Management Console) that IBM also mandates in most supported environments. The only differences between the two come down to use cases, as the ME Engine is mostly suited to Auditing and Recovery Tasks, while the FSP is a core design for everyday systems administration (because servers aren't as likely to walk away or be stolen).

Unfortunately, a lot of it is just in the nature of Baseband access. Lots of devices have it, and while it would be nice if every one of them showed their cards, the fact of the matter is, showing all your cards means a commitment to keep it working. By not showing the inner workings, you keep your system protected from anyone who isn't willing to really get their hands dirty with messing with the system. And when it does fail, you can say "well it was old anyways" (especially in the case of home electronic devices). From a business standpoint, it's just easier.
 

SarahKerrigan

> That's really only an effect of scale. ME is designed for end-user systems. IBM CPUs aren't in those devices. The devices that those CPUs are in already have a low-level access system built in by mandatory design called the Flexible Service Processor (FSP). It must be installed for a supported IBM System to function, as it's used by the IBM HMC (Hardware Management Console) that IBM also mandates in most supported environments. The only differences between the two come down to use cases, as the ME Engine is mostly suited to Auditing and Recovery Tasks, while the FSP is a core design for everyday systems administration (because servers aren't as likely to walk away or be stolen).
>
> Unfortunately, a lot of it is just in the nature of Baseband access. Lots of devices have it, and while it would be nice if every one of them showed their cards, the fact of the matter is, showing all your cards means a commitment to keep it working. By not showing the inner workings, you keep your system protected from anyone who isn't willing to really get their hands dirty with messing with the system. And when it does fail, you can say "well it was old anyways" (especially in the case of home electronic devices). From a business standpoint, it's just easier.

An FSP is needed on most (all?) AIX/iSeries machines, but OpenPower (PowerNV) doesn't have it. OpenPower systems have a fully open-source firmware stack*, including the baseband management controller, the power management controller, the self-boot engine, and the system boot firmware.

Pretty cool, no?

* some are better than others - S812LC is missing some open components (mainly BMC), while S822LC is fully open
 

thecoolnessrune

> An FSP is needed on most (all?) AIX/iSeries machines, but OpenPower (PowerNV) doesn't have it. OpenPower systems have a fully open-source firmware stack*, including the baseband management controller, the power management controller, the self-boot engine, and the system boot firmware.
>
> Pretty cool, no?
>
> * some are better than others - S812LC is missing some open components (mainly BMC), while S822LC is fully open

I agree, OpenPower is pretty cool (we even have one in the lab), but I don't think it comes with a "full" stack, even in the S822LC. I do not believe the OpenPower Stack however stipulates anything about Systems Management? There is information on how to interact with the CPU and firmwares, and most, if not all OpenPower Servers communicate with their Management System via IPMI, but there is nothing that I know of in OpenPower that stipulates that the BMC must be open. The BMC in most implementations is a little black box that communicates with the rest of the system, and has the option of being interfaced with via IPMI, but it doesn't stipulate that proprietary command sets can't also be used, it doesn't stipulate that it needs to be disclosed, and it doesn't stipulate that the code for the BMC itself must be made available (and as far as I know it's not for any BMCs. The two major providers in OpenPower, IBM, and TYAN, don't offer up the code or designs of their BMCs, just that they're in place).
 

SarahKerrigan

> I agree, OpenPower is pretty cool (we even have one in the lab), but I don't think it comes with a "full" stack, even in the S822LC. I do not believe the OpenPower Stack however stipulates anything about Systems Management? There is information on how to interact with the CPU and firmwares, and most, if not all OpenPower Servers communicate with their Management System via IPMI, but there is nothing that I know of in OpenPower that stipulates that the BMC must be open. The BMC in most implementations is a little black box that communicates with the rest of the system, and has the option of being interfaced with via IPMI, but it doesn't stipulate that proprietary command sets can't also be used, it doesn't stipulate that it needs to be disclosed, and it doesn't stipulate that the code for the BMC itself must be made available (and as far as I know it's not for any BMCs. The two major providers in OpenPower, IBM, and TYAN, don't offer up the code or designs of their BMCs, just that they're in place).

Tyan doesn't, but IBM does. The S822LC runs OpenBMC, and you can compile your own from source. "A Reference BMC for Power and Beyond" goes into some detail about this; the OP-specific source can be found at https://github.com/openbmc/openbmc/tree/master/meta-openbmc-machines/meta-openpower, and regular builds can be found at openpower.xyz.

You are correct that the spec doesn't mandate an open BMC, which is why I specified that some are more open than others. Firestone (S822LC) is the most open option at this point.
 

thecoolnessrune

> Tyan doesn't, but IBM does. The S822LC runs OpenBMC, and you can compile your own from source. "A Reference BMC for Power and Beyond" goes into some detail about this; the OP-specific source can be found at https://github.com/openbmc/openbmc/tree/master/meta-openbmc-machines/meta-openpower, and regular builds can be found at openpower.xyz.
>
> You are correct that the spec doesn't mandate an open BMC, which is why I specified that some are more open than others. Firestone (S822LC) is the most open option at this point.

Good find. That makes sense. In this situation, Intel has their own stack with Intel ME, and they pretty much control the whens and hows of its implementation. IBM is leveraging two separate projects, OpenPower, and OpenBMC to make an open system, but neither project on its own represents Intel's offering. It does show it can be done, but like most FOSS endeavors, it's the initial difficulty with getting the solution packaged together and in products. OpenBMC is its own thing, so it would be up to OpenPower to mandate OpenBMC for its management capabilities (or better yet, require that any BMC in use be open). At that point you would have an equivalent stack to Intel's closed source offering, but open.

In this situation, it's at least a glimmer of hope that there's at least 1 server out there with an equivalent, but open stack, even if it isn't very popular.
 

plopke

The Intel document got updated; was not aware even more systems were affected, all the way up to generation 3/4 Core; the document even mentions all the way up to the first Core generation...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! sigh
 

elpokor

> The Intel document got updated; was not aware even more systems were affected, all the way up to generation 3/4 Core; the document even mentions all the way up to the first Core generation...

I'm not even surprised, to be honest. It's clearly not a bug but a feature for Intel Agencies.

Sorry for the mediocre pun
 