SoylentNews

Intel AMT Vulnerability: Hacker's Backdoor Dream

posted by martyb on Sunday May 07 2017, @11:08AM   
from the Intel-likes-the-backdoor dept.

An Anonymous Coward writes:

Days after being announced, Tenable reverse engineered the Intel AMT Vulnerability. According to a blog post, the vulnerability is a backdoor dream. The AMT web interface uses HTTP Digest Authentication, which uses MD5. The problem is that partial matches of the hash are also accepted. Therefore, Tenable decided to experiment and while doing so:

[W]e reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header).

Authentication still worked. We had discovered a complete bypass of the authentication scheme.

Long story short, for over five years, a complete and trivial bypass of AMT authentication has existed. If this wasn't an intentional backdoor, it is a monumental mistake in security and coding best practices. Regardless, the "backdoor" is now public. With Shodan showing thousands of unpatchable computers (as no patch is currently available, assuming they would ever be patched) exposed to the Internet, some poor IT sod is bound to show up to work some bad news on Monday.

---

Original Submission

• Re:software/hardware? Re:software/hardware? (Score: 3, Informative) by kaszz on Monday May 08 2017, @02:10AM (4 children)

  by kaszz (4211) on Monday May 08 2017, @02:10AM (#506126) Journal

  The detection "guide" is a binary download for operating systems compatible with Microsoft windows 7 and 10. Maybe someone in the open source community will write a Unix equivalent that just reads in the BIOS data and evaluates it.

  According to this page [intel.com], these processors are affected:
    * Intel Core 2
    * Intel Centrino 2
    * Intel Core i5
    * Intel Core i7
    * Intel Centrino Processor

  The same page describes checking AMT status by entering BIOS.

  The OEM protection of the microcode has a solution:
    * Neutralize ME firmware on Sandybridge and Ivybridge [github.io]

  It might be the only way to be sure [youtube.com] ;-)

  Parent

  Starting Score:	1		point
  Moderation		+1
  Informative=1, Total=1
  Extra 'Informative' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		3

• Re:software/hardware? Re:software/hardware? (Score: 1) by Scruffy Beard 2 on Monday May 08 2017, @02:19PM (3 children)

  by Scruffy Beard 2 (6030) on Monday May 08 2017, @02:19PM (#506357)

  Thanks. I had missed the implications of the ME mention in the documentation for the BIOS update for my 965-based board. It is not like the manual explains what it actually does.

  Parent

  • Re:software/hardware? Re:software/hardware? (Score: 2) by kaszz on Monday May 08 2017, @05:33PM (2 children)

    by kaszz (4211) on Monday May 08 2017, @05:33PM (#506448) Journal

    Why did you want to update the BIOS ?

    Parent

    • Re:software/hardware? Re:software/hardware? (Score: 1) by Scruffy Beard 2 on Monday May 08 2017, @05:45PM (1 child)

      by Scruffy Beard 2 (6030) on Monday May 08 2017, @05:45PM (#506458)

      Hoping the latest update fixes any ACPI-related bugs? I think extra CPU support may have been included as well.

      I know it falls into the "updates are always good" fallacy.

      BIOS Update Release Notes (DG965 series -- Standard BIOS) [intel.com]

      Parent

      • Re:software/hardware? (Score: 2) by kaszz on Monday May 08 2017, @08:32PM

        by kaszz (4211) on Monday May 08 2017, @08:32PM (#506550) Journal

        My thinking was kind of like. If you got an "old" BIOS. Maybe you could exploit to gain control of your machines hidden features?

        ACPI seems to run in Intel Management (ring -2) mode so any BIOS update will also change this. But ACPI is notoriously bug ridden in implementation.

        Parent