Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Thursday November 23 2017, @12:09PM   Printer-friendly
from the get-your-patches-here dept.

It's time to update your Management Engine:

Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.

The company has posted a detection tool on its support website for Windows and Linux to help identify systems that are vulnerable. In the security alert, members of Intel's security team stated that "in response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience."

Intel® Management Engine Critical Firmware Update (Intel SA-00086)

U.S. government warns about cyber bug in Intel chips

The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as 'Management Engine' that shipped with eight types of processors used in business computers sold by Dell Technologies, Lenovo, HP Inc, Hewlett Packard Enterprise and other manufacturers."

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

"These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years," said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

The official warning is here. Good luck to everybody! Good luck.

Also at Reuters and the EFF.


Original Submission #1   Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by effbee on Thursday November 23 2017, @12:36PM (4 children)

    by effbee (902) on Thursday November 23 2017, @12:36PM (#600628)

    The ME updates come in BIOS updates, so you'll have to hope your motherboard maker feels like releasing a patched BIOS.

    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  

    Total Score:   3  
  • (Score: 2) by RS3 on Thursday November 23 2017, @06:25PM (2 children)

    by RS3 (6367) on Thursday November 23 2017, @06:25PM (#600753)

    I ran the Intel "tool" on a few of my systems and it says:

    Based on the analysis performed by this tool: Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

    "May". So I have no clue if I'm vulnerable. Speaking of tools, Intel...

    So this "tool" is just a deflection of fault. Even though we all know it's Intel's licensed code, they're able to pass the blame onto the system manufacturer. And what irks me even more: Intel makes the motherboards and most of the BIOS / firmware in many (most?) of the affected systems.

    Don't you just love it when greedy jerks grab free code, don't check it for security holes, cobble/bugger it, and sell and profit from it? http://hexus.net/tech/news/software/111857-intel-management-engine-runs-minix-3-os [hexus.net]

    Sounds like all system manufacturers need to class action sue Intel for fixes and damages.

    • (Score: 2) by Yog-Yogguth on Monday November 27 2017, @08:26PM (1 child)

      by Yog-Yogguth (1862) Subscriber Badge on Monday November 27 2017, @08:26PM (#602156) Journal

      Time to learn Minix 3 and root one's own system?

      Anyone here doing that or tried doing that?

      --
      Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
      • (Score: 2) by RS3 on Tuesday November 28 2017, @02:59AM

        by RS3 (6367) on Tuesday November 28 2017, @02:59AM (#602300)

        I have not tried, because the Intel "tool" has not confirmed that I have the ME. A tool is supposed to do something useful, right? If I have the Intel ME on any of my systems, I would love to know for sure. Then I will go about getting into it.

        I confess I've only tried the Intel "tool".

        Minix should be very easy, for me anyway. I've never run it, but Linux grew out of it and they're similar enough that I would figure out anything I needed to. I still have some Minix-format root-filesystem floppies. Oh gosh...

  • (Score: 3, Informative) by RamiK on Thursday November 23 2017, @07:05PM

    by RamiK (1813) on Thursday November 23 2017, @07:05PM (#600772)

    If you're out of warranty and not expecting an update from your motherboard manufacturer, you can live update the ME blob on your own using FWUpdate from https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html [win-raid.com] . The instructions are pretty straightforward in that link but, TLDR, you need to run MEInfo to see what you're currently running and look through the website for corresponding update.

    Just make sure to backup your existing EEPROM image with an external flash programmer before doing any of it just like you would before flashing any coreboot, me_cleaner or UBU firmwares.

    p.s. I never used it but there's an Intel tool (sourced to MB OEMs?) letting you author / edit firmwares and disable stuff like SMM. I can't remember if it's part the above, UBU, or some specific UBU procedure page like https://www.win-raid.com/t905f13-Guide-Transfer-of-specific-Intel-VBIOS-settings-by-using-Intels-BMP-tool.html [win-raid.com] , but I came across those entries updating microcode, vbios, Intel and Marvel AHCI/RST modules and the likes so if you'd mess around UBU long enough you'll come across it too.

    --
    compiling...