SoylentNews is people
SoylentNews
Days after being announced, Tenable reverse engineered the Intel AMT Vulnerability. According to a blog post, the vulnerability is a backdoor dream. The AMT web interface uses HTTP Digest Authentication, which uses MD5. The problem is that partial matches of the hash are also accepted. Therefore, Tenable decided to experiment and while doing so:
[W]e reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header).
Authentication still worked. We had discovered a complete bypass of the authentication scheme.
Long story short, for over five years, a complete and trivial bypass of AMT authentication has existed. If this wasn't an intentional backdoor, it is a monumental mistake in security and coding best practices. Regardless, the "backdoor" is now public. With Shodan showing thousands of unpatchable computers (as no patch is currently available, assuming they would ever be patched) exposed to the Internet, some poor IT sod is bound to show up to work some bad news on Monday.
(Score: 4, Informative) by zocalo on Sunday May 07 2017, @12:26PM (6 children)
I suspect we'll see the systemboard vendors do a *little* better than the phone vendors at supporting legacy hardware here, but going back the full decade seems incredibly unlikely, as does all the operators of vulnerable systems actually downloading and installing the new firmware on their own initiative. All in all, we're almost certainly going to have a lot of vulnerable systems sitting around until they get replaced with new hardware for whatever reason; probably another decade or so in some cases. What's also worth pointing out is that this isn't just the remote network attack (which is bad enough), there's also a local priviledge escalation attack that can be run from a malicious binary on a vulnerable PC, so we can expect to see a lot of PCs rooted with this once that starts getting exploited.
UNIX? They're not even circumcised! Savages!
(Score: 3, Informative) by frojack on Sunday May 07 2017, @10:40PM (5 children)
There is also a detection guide https://downloadcenter.intel.com/download/26755 [intel.com]
As well as a the mentioned mitigation tool (which seems pretty useless to me).
The problem is getting past the OEM's protection of the microcode. If that were easy there would be much larger problems.
These details of how to exploit this issue are now public. Those sitting behind a firewall (A SEPARATE physical firewall that is not itself vulnerable) really have only yourselves and your workmates to fear.
It involves a http operation to obscure port(s) 16992 AND 16993 (plus or minus a few depending on the sources you read). You also have to have provisioned the AMT before it is vulnerable, it does not normally come that way.
In a big company, I could see this being a huge problem, especially if you specifically bought these machines for this feature. So now you would have to firewall every one of them.
Apparently there are thousands of these sitting directly on the internet, probably in use as firewall/routers.
A somewhat less breathless discussion is here: https://mjg59.dreamwidth.org/48429.html [dreamwidth.org]
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by kaszz on Monday May 08 2017, @02:10AM (4 children)
The detection "guide" is a binary download for operating systems compatible with Microsoft windows 7 and 10. Maybe someone in the open source community will write a Unix equivalent that just reads in the BIOS data and evaluates it.
According to this page [intel.com], these processors are affected:
* Intel Core 2
* Intel Centrino 2
* Intel Core i5
* Intel Core i7
* Intel Centrino Processor
The same page describes checking AMT status by entering BIOS.
The OEM protection of the microcode has a solution:
* Neutralize ME firmware on Sandybridge and Ivybridge [github.io]
It might be the only way to be sure [youtube.com] ;-)
(Score: 1) by Scruffy Beard 2 on Monday May 08 2017, @02:19PM (3 children)
Thanks. I had missed the implications of the ME mention in the documentation for the BIOS update for my 965-based board. It is not like the manual explains what it actually does.
(Score: 2) by kaszz on Monday May 08 2017, @05:33PM (2 children)
Why did you want to update the BIOS ?
(Score: 1) by Scruffy Beard 2 on Monday May 08 2017, @05:45PM (1 child)
Hoping the latest update fixes any ACPI-related bugs? I think extra CPU support may have been included as well.
I know it falls into the "updates are always good" fallacy.
BIOS Update Release Notes (DG965 series -- Standard BIOS) [intel.com]
(Score: 2) by kaszz on Monday May 08 2017, @08:32PM
My thinking was kind of like. If you got an "old" BIOS. Maybe you could exploit to gain control of your machines hidden features?
ACPI seems to run in Intel Management (ring -2) mode so any BIOS update will also change this. But ACPI is notoriously bug ridden in implementation.