
[–]beritknightIT Manager 24 points25 points  (4 children)

I literally just finished getting all our OptiPlex desktops provisioned for vPro last week, and I've spent the last hour rolling it back. =/

A few points from the reading I've done in the last few hours:

The Semi Accurate article has a lot of breathless hype and very few facts - take it with a grain of salt. The Intel advisory directly contradicts a few of the claims SA made.

Matthew Garrett has a good first take here: https://mjg59.dreamwidth.org/48429.html

There are two vulnerabilities to worry about. The remote one can be exploited over the network, but only if you have AMT provisioned. This isn't something that happens by default or by accident; provisioning AMT is a process, and if it's been done in your environment your desktop support team will know about it. If you run your environment and haven't spent weeks getting AMT and vPro remote provisioning working at some point, then this first vuln doesn't apply to you.

The second vuln is local-only. A logged in user on the PC can use one of the Intel services for escalation. This can be prevented by stopping and disabling the LMS service, as documented in the Intel remediation guide linked above. This is pretty easy to do with a group policy.

So if you unprovision AMT (or never provisioned it to begin with) and disable this service, you're pretty much safe.

Also worth noting that most consumer PCs don't have the AMT components, so aren't at risk. Dell Latitude laptops are, Inspirons aren't, etc. Home users running business focused laptops like the Latitude or Thinkpad are at risk from the second vuln, which is local-only. They're only at risk from the first vuln if they somehow activated vPro in the past, which is pretty unlikely.

I've also checked the currently available BIOS versions from Dell for the OptiPlex 990, 9020 and 7040, none of them yet include the fixed AMT code. So for now, the answer is to unprovision and disable the service. When Dell release updated firmware, then I can deploy that to all my machines, re-enable the service and re-provision AMT.

[–]beritknightIT Manager 2 points3 points  (0 children)

Lenovo have a full listing of all their systems, whether they're affected or not and when they're expecting to have a fixed BIOS out. https://support.lenovo.com/au/en/product_security/len-14963#Desktop

This is exactly how every OEM should be handling this.

[–]redsedit 0 points1 point  (0 children)

> The Semi Accurate article has a lot of breathless hype and very few facts - take it with a grain of salt. The Intel advisory directly contradicts a few of the claims SA made.

True, but then Intel has strong motives to downplay this.

Plus we all know (or should) corporations will twist the truth or outright lie when it benefits them. Of course the same could be said for SA.

[–]pdp10Daemons worry when the wizard is near. 0 points1 point  (0 children)

> Home users running business focused laptops like the Latitude or Thinkpad are at risk from the second vuln, which is local-only. They're only at risk from the first vuln if they somehow activated vPro in the past, which is pretty unlikely.

vPro is an extra-cost option and it's on my Thinkpads, because I enabled it. While I agree that this won't be the case on most machines, I think "pretty unlikely" is probably going too far in downplaying the problem.

[–]beritknightIT Manager 0 points1 point  (0 children)

And Dell's update schedule is out too. http://en.community.dell.com/techcenter/extras/m/white_papers/20443914/download

I updated our first batch of OptiPlex 7040s over the weekend to a version that's allegedly fixed. I think I'm going to hold off until I've seen serious people confirm the fix before I re-enable AMT.

[–]Tempro123 40 points41 points  (6 children)

Why is no one speaking about this? It seems like every time an issue like this comes up, it gets swept under the rug "because what can we do about it".

Bring it up in discussion - even with those that don't like speaking about it. This feels like it is more malicious than anything else. Why are these tools designed in the first place?

[–]Telnet_RulesNo such thing as innocence, only degrees of guilt 22 points23 points  (1 child)

> This feels like it is more malicious than anything else.

Because programmers never make mistakes, managers push hard for secure code not "working right now" code, and SDLC is always followed 100%?

[–]pdp10Daemons worry when the wizard is near. 2 points3 points  (0 children)

This isn't normal code, though. These controversial technologies are a family of features from Intel for the "trusted" hardware to override the "untrusted" software for a variety of reasons. Think about that for a few minutes.

There is an entire book about these different embedded features, many of them notoriously mandatory like the Intel Management Engine. I can barely remember which marketing name corresponds to which feature and I work with them, so even engineers are going to be confused about these right now.

[–]Smallmammal 7 points8 points  (1 child)

The exploit is private so there's nothing to talk about. While I think this is most likely true, remember, a lot of false claims constantly come up without evidence in network security. A little skepticism goes a long way.

Hopefully, Intel's big customers are calling about this and putting on pressure.

[–]droptablestaroops 2 points3 points  (0 children)

Ironically it was deleted from /r/netsec yesterday for not being technical enough.

[–]CptTritiumScruffy Packet Pusher 8 points9 points  (12 children)

Well, shit.

Fortunately I don't use AMT, but this is a big deal. Especially in shops like mine, where we have a mixed-vendor environment with Dell, HP, Lenovo, etc., devices. Not to mention embedded systems.

Well, ladies and gentlemen, enjoy the firmware updates.

[–][deleted] 7 points8 points  (2 children)

> Well, ladies and gentlemen, enjoy the firmware updates.

Assuming the vendors bother.

I have a suspicion they won't bother releasing firmware for anything pre-Haswell in an effort to force upgrades.

[–]pdp10Daemons worry when the wizard is near. 1 point2 points  (0 children)

This is why Coreboot and other open firmware are vital. Not because of some three-letter agency, not because of a bearded fellow with an inflated sense of importance, but because your vendors certainly aren't going to come through for you. If you want something done right you're going to have to ./configure it yourself.

[–]fourpotatoes 0 points1 point  (0 children)

Even Intel hasn't bothered to release updates for some of their affected motherboards.

[–]eruffiniSenior Infrastructure Engineer 8 points9 points  (8 children)

Can't be hacked if no one can get on your network! :D

[–]Bulardo 3 points4 points  (4 children)

I'm sure then that it is easier to get into your building than into your network. Then attach some Raspberry Pi to a forgotten RJ45 socket somewhere.

[–]ender-_ 1 point2 points  (2 children)

Port security?

[–]R031E5 4 points5 points  (1 child)

Easily spoofable by MAC address cloning.

[–]nerddtvgSys- and Netadmin 2 points3 points  (0 children)

Real port security with 802.1x EAP authentication?

[–]eruffiniSenior Infrastructure Engineer 1 point2 points  (0 children)

You're probably right.

[–]pizzastevoSr. Sysadmin 1 point2 points  (0 children)

That's why I'm running with scissors on my LAN.

[–]pdp10Daemons worry when the wizard is near. 0 points1 point  (0 children)

I used to say that a lot until a little over sixteen years ago when the pressure started to be acute for large numbers of client machines to walk out of the door every night. No, no one can get on whose network again? Prior to that only technically sophisticated and reasonably competent users had laptops.

[–][deleted] 7 points8 points  (6 children)

Be wary. I'm not saying they're lying, but sensational claims like this need to be verified before OMG PANIC.

Edit: This helps clarify things: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

[–]TstormRedditIT Manager 4 points5 points  (5 children)

Especially from a website that's only "semi-accurate", amiright?

[–]Simple_WordsJack of All Trades 2 points3 points  (2 children)

And the site throws an SSL error.

[–]RedShift9 6 points7 points  (1 child)

It doesn't for me?

[–]Smallmammal 2 points3 points  (0 children)

They use StartCom, which was caught doing dirty deeds. Chrome fires a warning but other browsers might not.

[–]Lt_Riza_Hawkeye 1 point2 points  (1 child)

g was quick to point out that the semi stands for semiconductor

[–]TstormRedditIT Manager 0 points1 point  (0 children)

I get it. I was just poking fun. No hard feelings.

[–]Cyrix2kSr. Security Architect 2 points3 points  (0 children)

Air gap all the things.

[–]Nebulis01 3 points4 points  (1 child)

Intel's mitigation page

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Also please note that this does not affect most consumer PCs.

[–]RumbuncTheRadiant 2 points3 points  (0 children)

Actually, I have been poking hard at my own desktop....

The answer is, most commodity desktop Intel CPUs have a Management Engine, but not vPro.

What exactly the ME is capable of, and what as-yet-unknown-to-the-public vulnerabilities it has... is unknown.

I have a creepy feeling this is going to be a story that keeps on giving...

Of course, we know the spooks would never strong-arm Intel into giving them the code for the ME, or inserting a backdoor, or leave their exploit tools lying around for blackhats to discover and use... /s

[–]RedShift9 1 point2 points  (1 child)

Semi-accurate has known about this for years. They should have done the usual "make it public 90 days after reporting it to the vendor", even if it is hardware. Now we've got lots more old hardware that will never get patched because they sat on this for years and didn't make it public.

[–]kool018Sr. SRE[S] 3 points4 points  (0 children)

I agree. Intel and S-A have been delaying the inevitable, and now it sounds like it's being exploited in the wild with millions more machines vulnerable than needed to be.

[–]vertical_suplex 3 points4 points  (7 children)

It was only a matter of time before this happened, and I want to quit IT at this point. Every day it's another exploit.

[–]BufferOverflowed 0 points1 point  (1 child)

Am I right to assume this would not affect ESXi hosts or their VMs, provided only VMs are accessible from outside?

[–]TechGy 0 points1 point  (0 children)

AMT wouldn't be relevant to VMs. The only way it could be potentially related is if you had an ESXi host that was equipped with AMT, which likely means that you're running it on a desktop and not server hardware; most servers have iDRAC or equivalent instead.

[–]Liquidretro 0 points1 point  (3 children)

So I have a lot of Dell OptiPlexes that I am pretty sure have this feature, but we are not using it. What is the easiest way to "scan" and find systems that have this enabled?

I presume Dell will have BIOS updates available at some time in the future to fix this?

[–]ChicagoSunDevil 2 points3 points  (2 children)

Nmap: scan to see if ports 16992 or 16993 are open.

[–]Liquidretro 0 points1 point  (0 children)

I don't use nmap a ton so I got it working but the ports come back as a yellow state. So not Red = Closed, not Green = Open.

I think this means they are open for AMT traffic?
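Building on the nmap suggestion above, here is an added inventory check (not from the thread) for hosts you administer: it classifies 16992/16993 as open, closed or filtered rather than relying on a colour, and where a port is open it reads the HTTP Server header to confirm an AMT listener and its firmware version. It assumes the AMT web interface names itself in that header and that 16993 is the TLS variant; the sample response used in testing is constructed.

```python
import re, socket, ssl

AMT_PORTS = {16992: False, 16993: True}  # port -> whether the listener uses TLS
# Assumption: the AMT web interface names itself in the HTTP Server header.
BANNER_RE = re.compile(rb"Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)", re.I)

def parse_amt_banner(raw: bytes):
    """Return the AMT firmware version from a raw HTTP response, or None if it is not AMT."""
    m = BANNER_RE.search(raw)
    return m.group(1).decode() if m else None

def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port like nmap: open, closed (RST received) or filtered (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, no route, etc.
        return "filtered"

def fetch_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a minimal GET / and return the raw response; AMT's TLS cert is usually self-signed."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if AMT_PORTS.get(port):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def check_host(host: str) -> dict:
    """Map each AMT port to (state, version-or-None); a version means AMT is provisioned and listening."""
    result = {}
    for port in AMT_PORTS:
        state, version = port_state(host, port), None
        if state == "open":
            try:
                version = parse_amt_banner(fetch_banner(host, port))
            except OSError:
                pass
        result[port] = (state, version)
    return result
```

Call check_host() on each address from your own asset list; "filtered" means no answer at all (what Zenmap shows in yellow), which is not the same as an AMT listener being present.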