Intel MeshCentral2 updated with Load Balancer & Peering Support

Intel has released an updated version of MeshCentral2, an Intel AMT-based management tool for Windows. The new version has “server peering” support, which I confess I don’t yet understand what that means, but sounds significant, something to learn about…

[…] MeshCentral2 is a free open source web-based remote computer management solution allowing administrators to set up new servers in minutes and start remotely controlling computers using both software agent and Intel® AMT. The server works both in a LAN environment and over the Internet in a WAN setup. Now, I just released a new version with support for server-to-server peering allowing for improved fail-over robustness and scaling. Some technical details:

* Servers connect to each other using secure web sockets on port 443. This is just like browsers and Mesh agents, so you can set up a fully working peered server installation with only port 443 being open.
* Server peering and mesh agent connections use a secondary authentication certificate allowing the server HTTPS public certificate (presented to browser) to be changed. This allows MeshCentral2 peer servers to be set up with different HTTPS certificates. As a result, MeshCentral2 can be set up in a multi-geo configuration.
* All of the peering is real-time. As servers peer together and devices connect to the servers, users see a real-time view on the web page of what devices are available for management. No page refresh required.
* MeshCentral2 supports TLS-offload hardware for all connections including Intel® AMT CIRA even when peering. So, MeshCentral2 servers can benefit from the added scaling of TLS offload accelerators.
* Fully supports server peering for Browsers, Mesh Agents and Intel® AMT connections.
* The server peering system does not use the database at all to exchange state data. This boosts the efficiency of the servers because the database is only used for long term data storage, not real time state.
* There is no limit to how many servers you can peer, however I currently only tested a two server configuration.

Ekoparty: analysis of Apple’s EFI security

The Apple of your EFI: An analysis of the state of Apple’s EFI Security Support

Duo Labs conducted an extensive data analysis of the state of Apple’s EFI security from two perspectives. The first was to analyze all EFI updates released by Apple from OS X 10.10.0 through macOS 10.12.6 to fully characterize the security support provided across different Mac models and OS versions; this also provided a baseline for the expected state of Mac systems, so that the actual state of their EFI security could be compared against the expected state. Our findings cover a range of anomalies and security issues in the security support Apple provides for its EFI firmware. More worrying still, our analysis shows significant deviations in the actual state of EFI firmware on Macs compared with the expected state, which raises suspicion of systematic issues causing failures of the new EFI firmware that is supposedly installed automatically along with an OS update. In addition to the data analysis discussed above, our research aims to illuminate the mechanisms used to update Apple’s EFI and will discuss how Apple’s EFI updater tools operate and the controls they have in place. These findings come from binary analysis of the tools themselves, and we believe they have not been discussed in detail until now. Along with our findings in the form of a technical paper, we are also releasing tools and APIs to give administrators and end users greater visibility into the state of EFI firmware on Apple systems and to understand the security implications it may carry.

Positive Tech at BlackHat EU: Running Unsigned Code in Intel ME

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have long been interested in such “God mode” capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools. Unfortunately, this change did not go without errors. In a subsystem change that will be detailed in the talk, of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling the OS and updating the BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics. In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.

Intel ME is the new Pandora’s Box…

CVE-2015-7837: RHEL UEFI Secure Boot

Vulnerability ID 106841
Red Hat Enterprise Linux UEFI Secure Boot privilege escalation

A vulnerability, which was classified as critical, has been found in Red Hat Enterprise Linux (the affected version is unknown). This issue affects an unknown function of the component UEFI Secure Boot. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-269. Impacted is confidentiality, integrity, and availability. The weakness was released 09/19/2017 (oss-sec). The advisory is shared for download at openwall.com. The identification of this vulnerability is CVE-2015-7837 since 10/15/2015. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/20/2017).[…]

Comments above seem to indicate a 9/19 update, but I can’t find that, only older messages from 2015-2016. Unclear about current status of this.