more on Intel-SA-00068 (Intel ME) vuln

Intel has updated their advisory again, many more OEMs on the list now:

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Intel ME has impacted Intel WPA2:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00101&languageid=en-fr

Microsoft provides info, but the researchers argue with their conclusions:

https://blogs.technet.microsoft.com/surface/2017/12/11/intel-management-engine-vulnerability-and-surface-devices/

 

Tanenbaum: more comments regarding Intel ME

Re: https://firmwaresecurity.com/2017/11/07/tanenbaum-responds-to-intel-about-minix-based-me/

Andrew adds two more footnotes to his reply to Intel:

[…]Many people (including me) don’t like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel’s business decision and a separate issue from the code it runs.[…] I certainly hope Intel did thorough security hardening and testing before deploying the chip, since apparently an older version of MINIX was used.[…]

[…]If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated, even though all they wanted was reducing the memory footprint (= chip area for them). I think creating George Orwell’s 1984 is an extremely bad idea, even if Orwell was off by about 30 years. People should have complete control over their own computers, not Intel and not the government. In the U.S. the Fourth Amendment makes it very clear that the government is forbidden from searching anyone’s property without a search warrant. Many other countries have privacy laws that are in the same spirit. Putting a possible spy in every computer is a terrible development.[…]

https://www.techpowerup.com/238677/minix-creator-andrew-tanenbaum-sends-open-letter-to-intel-over-minix-drama

Intel ME coverage from BHEU

http://blog.ptsecurity.com/2017/12/huffman-tables-intel-me.html?m=1

https://habrahabr.ru/company/pt/blog/344056/

 

more on Intel-SA-00068 (Intel ME)

Intel has updated the advisory documents. There are more OEMs in the list:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Acer
ASUS
Compulab
Dell Client
Dell Server
Fujitsu
Getac
GIGABYTE
HP Inc.
HPE Servers
Intel: NUC, Compute Stick, Compute Card
Lenovo
MSI
Oracle
Panasonic
Quanta/QCT
Supermicro
Toshiba
Vaio

Monotonic Counter in Intel SGX and ME

Some notes on the Monotonic Counter in Intel SGX and ME
Posted on November 10, 2017 by daveti

SGX sealing is vulnerable to rollback attacks as the enclave is not able to tell if the sealed data is the latest or a old copy. To mitigate this attack, monotonic counter (MC) has been introduced in Intel SGX SDK 1.8. This post looks into some implementation details inside Intel SGX SDK.[…]

Some notes on the Monotonic Counter in Intel SGX and ME

a bit more on INTEL-SA-00068 (Intel ME)

Intel has updated the advisory page, I think the doc is at v1.3 now:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

The list of OEMs is larger now:

Acer
Compulab
Dell Client
Dell Server
Fujitsu
Getac
HP Inc.
HPE Servers
Intel® NUC, Intel® Compute Stick, and Intel® Compute Card: Support Information
Lenovo
MSI
Panasonic
Quanta/QCT

 

 

Matthew on Intel ME security: worst case here is terrible, but unlikely to be relevant to the vast majority of users

Matthew has an excellent new blog post on recent Intel ME security news.

https://mjg59.dreamwidth.org/49611.html

[…]The big problem at the moment is that we have no idea what the actual process of compromise is. Intel state that it requires local access, but don’t describe what kind. Local access in this case could simply require the ability to send commands to the ME (possible on any system that has the ME drivers installed), could require direct hardware access to the exposed ME (which would require either kernel access or the ability to install a custom driver) or even the ability to modify system flash (possible only if the attacker has physical access and enough time and skill to take the system apart and modify the flash contents with an SPI programmer). The other thing we don’t know is whether it’s possible for an attacker to modify the system such that the ME is persistently compromised or whether it needs to be re-compromised every time the ME reboots. Note that even the latter is more serious than you might think – the ME may only be rebooted if the system loses power completely, so even a “temporary” compromise could affect a system for a long period of time. It’s also almost impossible to determine if a system is compromised. If the ME is compromised then it’s probably possible for it to roll back any firmware updates but still report that it’s been updated, giving admins a false sense of security. The only way to determine for sure would be to dump the system flash and compare it to a known good image. This is impractical to do at scale. So, overall, given what we know right now it’s hard to say how serious this is in terms of real world impact. It’s unlikely that this is the kind of vulnerability that would be used to attack individual end users – anyone able to compromise a system like this could just backdoor your browser instead with much less effort, and that already gives them your banking details. The people who have the most to worry about here are potential targets of skilled attackers, which means activists, dissidents and companies with interesting personal or business data. It’s hard to make strong recommendations about what to do here without more insight into what the vulnerability actually is, and we may not know that until this presentation next month.[…]

A bit more on INTEL-SA-00086 (Intel ME update)

Intel’s advisory updated overnight:
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

More OEM announcements:
http://pc-dl.panasonic.co.jp/itn/info/osinfo20171121.html
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00036596en_us
https://us.answers.acer.com/app/answers/detail/a_id/51890

https://www.flamingspork.com/blog/2017/11/22/updating-windows-management-engine-firmware-on-a-lenovo-without-a-windows-install/

More on INTEL_SA-00086 (Intel ME update)

Advisory doc updated overnight:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Vendors are starting to issue advisories:
https://support.lenovo.com/us/en/product_security/len-17297
http://www.dell.com/support/article/us/en/19/sln308237/dell-client-statement-on-intel-me-txe-advisory–intel-sa-00086-?lang=en
http://www.dell.com/support/article/us/en/19/qna44242/dell-server-statement-on-intel-me-txe-advisory–intel-sa-00086-?lang=en
https://www.intel.com/content/www/us/en/support/articles/000026230/mini-pcs.html

https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability

A few researchers’ comments on the quality of this advisory:

https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html#msg10191

If you disable Intel ME, does that mean Intel SGX, Boot Guard, and other tech is also broken? Pandora’s box is full of toys…

 

Intel Management Engine Critical Firmware Update

Intel® Management Engine Critical Firmware Update (Intel SA-00086)

Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update (INTEL-SA-00086)
Product family: Various
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Nov 20, 2017
Last revised: Nov 20, 2017

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel® Management Engine (ME), Intel® Server Platform Services (SPS), and Intel® Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience. As a result, Intel has identified security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.[…]Based on the items identified through the comprehensive security review, an attacker could gain unauthorized access to platform, Intel® ME feature, and 3rd party secrets protected by the Intel® Management Engine (ME), Intel® Server Platform Service (SPS), or Intel® Trusted Execution Engine (TXE). This includes scenarios where a successful attacker could:

* Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
* Load and execute arbitrary code outside the visibility of the user and operating system.
* Cause a system crash or system instability.
[…]

Acknowledgements:
* External Security Researchers and Intel Validation.
* Intel would like to thank Mark Ermolov and Maxim Goryachy from Positive Technologies Research for working collaboratively with Intel on a coordinated disclosure for CVE-2017-5705.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Detection tool for Linux and Windows:
https://downloadcenter.intel.com/download/27150

 

Positive Technologies: JTAG in each house: full access via USB

It is amazing to see the Intel ME research coming out of Positive Technologies!

From Google Translate:

JTAG in each house: full access via USB

Researchers at Positive Technologies have activated hardware debugging (JTAG) for Intel Management Engine, which allows full access to all PCH devices (Platform Controller Hub) using Intel DCI technology (via USB interface). We plan to share the details at one of the nearest conferences. And how to activate this interface, but for the main processor, we will tell below.[…]

https://habrahabr.ru/company/pt/blog/341946/

https://translate.google.com/translate?hl=en&sl=ru&u=https://habrahabr.ru/company/pt/blog/341946/

Intel ME is the new “Pandora’s Box”, defenders are going to need bigger (better) tools… 😦

Tanenbaum responds to Intel about Minix-based ME

Intel ME running Minix is in the news again…

An Open Letter to Intel

[…]I knew that Intel had some potential interest in MINIX 3 several years ago when one of your engineering teams contacted me about some secret internal project and asked a large number of technical questions about MINIX 3, which I was happy to answer. I got another clue when your engineers began asking me to make a number of changes to MINIX 3, for example, making the memory footprint smaller and adding #ifdefs around pieces of code so they could be statically disabled by setting flags in the main configuration file.[…]

Yours truly,
Andrew S. Tanenbaum

http://www.cs.vu.nl/~ast/intel/

https://en.wikipedia.org/wiki/Andrew_S._Tanenbaum

http://www.minix3.org/

https://firmwaresecurity.com/2017/05/07/intel-me-based-on-minix/

Google wants servers without Intel ME and UEFI

Golem has a story about the recent Google presentation at OSSEU2017:

From Google Translation of German text:

Google wants servers without Intel ME and UEFI
by Sebastian Grüner
According to the motto “Are you afraid?” a team of Google’s coreboot developers is working with colleagues to make Intel’s ME and the proprietary UEFI harmless in servers. And probably with success.[…]

Click to access Replace%20UEFI%20with%20Linux.pdf

https://www.golem.de/news/freie-linux-firmware-google-will-server-ohne-intel-me-und-uefi-1710-130840.html

https://osseu17.sched.com/event/ByYt/replace-your-exploit-ridden-firmware-with-linux-ronald-minnich-google

Ronald Minnich auf dem Open Source Summit in Prag

Maybe I missed it, but I didn’t see the video of this presentation archived.

 

MEAnalyzer v1.32.0 released

v1.32.0 includes:
Added support for CSME 11.8, 11.11 & 11.21 firmware
Added support for CSME 12 SPI FD Region structures
Added CSE Extension 22 for proper CSME 12 parsing
Added CSE Extension 14 Mod for proper DNX parsing
Added CSE Extension 5 Mod for proper Process parsing
Added CSE Extension data overflow error detection
Added CSE Extension data division error detection
Added CSE Extension data total size error detection
Improved CSE Extensions 1, 13 with CSME 12 support
Improved CSE Extension structure Revision detection
Fixed CSE unpacking crash at Key modules/regions
Fixed issues at unknown CSE Extension detection
Fixed wrong CSME 11 FIT PCH-H Z370 SKU detection

https://github.com/platomav/MEAnalyzer

 

Positive Tech at BlackHat EU: Running Unsigned Code in Intel ME

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such “God mode” capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools. Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics. In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Intel ME is the new Pandora’s Box…