CVE-2018-12155, INTEL-SA-00202: Intel Integrated Performance Primitives advisory

December 6, 2018 ~ hucktech ~ Leave a comment

Advisory Category: Software
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 12/05/2018

A potential security vulnerability in Intel® IPP may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability. Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access. Intel recommends that users of Intel® IPP update to 2019 update1 or later. Updates are available for download […] Intel would like to thank an Wichelmann (Universität zu Lübeck), Ahmad Moghimi (Worcester Polytechnic Institute), Thomas Eisenbarth (Universität zu Lübeck) and Berk Sunar (Worcester Polytechnic Institute) for reporting this issue and working with us on coordinated disclosure.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00202.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12155

https://software.intel.com/en-us/intel-ipp

https://software.intel.com/en-us/ipp-dev-reference

MinnowBoard Max/Turbot firmware 1.00 released

November 22, 2018 ~ hucktech ~ Leave a comment

New release! MinnowBoard Max/Turbot firmware version 1.00 now available. Source & pre-built binaries available here: https://t.co/PpLneQUiim #firmware #uefi @MinnowBoard pic.twitter.com/2Ncvzeprcp

— Brian Richardson (@Intel_Brian) November 21, 2018

SUPPORTED (NEW) FEATURES AND CHANGES IN RELEASE:
1. The 64bit BIOS is now functional with Linux and Windows 8.1 Embedded/Windows 10.
2. The 32bit BIOS is now functional with Windows 8.1 Embedded/Windows 10.
3. Supports booting from "SD card", "USB drive" and "SATA".
4. Supports S3 resume for Linux, Windows 8.1 Embedded and Windows 10.
5. Supports S4 resume for Windows 8.1 Embedded and Windows 10.
6. Supports 64bit image GCC build (32bit image GCC build is not supported).
7. Update EDK II core from UDK2015 release to UDK2017.
8. Signed Capsule Update is supported.
9. Supports HTTP and HTTPS boot.
10. Add board UUID support.
11. Fixed the issue that USB device may not be detected at system power-on.
12. Main changes in this release
   1) Add microcode M0130679906 for D1 stepping.
   2) Produce SMBIOS type 1.
   3) Changed manufacture name.
   4) Fixed some open bugs. Please visit the following link for details.
      https://wiki.yoctoproject.org/wiki/Minnow_Bug_Triage

https://firmware.intel.com/projects/minnowboard-max
https://firmware.intel.com/sites/default/files/minnowboard_max-rel_1_00-releasenotes.txt

CHIPSEC v1.3.6 released

November 22, 2018 ~ hucktech ~ Leave a comment

New @CHIPSEC release available – CHIPSEC v1.3.6 https://t.co/Lsu8kIu8D8 courtesy of @geekboy15a

— Maggie Jauregui (@HoodlessHacker) November 20, 2018

New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform
Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module

New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version

See release notes for list of Fixes.

https://github.com/chipsec/chipsec/commits/master

https://github.com/chipsec/chipsec/releases/tag/v1.3.6

Intel security guidance: Host Firmware Speculative Execution Side Channel Mitigation

November 15, 2018 ~ hucktech ~ Leave a comment

[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.

Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]

https://software.intel.com/security-software-guidance/api-app/insights/host-firmware-speculative-execution-side-channel-mitigation

more info:

https://software.intel.com/security-software-guidance/software-guidance

Intel ‘patch Tuesday’: 8 new security advisories

November 14, 2018 ~ hucktech ~ Leave a comment

INTEL-SA-00199
Intel® RAID Web Console 3 Cross-site Scripting Vulnerability Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00199.html

INTEL-SA-00198
Intel® Ready Mode Technology File Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00198.html

INTEL-SA-00197
Intel® Media Server Studio for Windows® Vulnerability Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00197.html

INTEL-SA-00196
Intel® RAID Web Console 3 for Windows Authentication Bypass Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00196.html

INTEL-SA-00188
Intel® PROSet/Wireless WiFi Software Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00188.html

INTEL-SA-00187
Intel® Driver & Support Assistant Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00187.html

INTEL-SA-00180
Intel® Trace Analyzer 2018 Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00180.html

INTEL-SA-00153
Intel® Rapid Store Technology Installer Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00153.html

Intel: Protection at the Hardware Level [using SGX]

November 6, 2018 ~ hucktech ~ Leave a comment

Intel has a new document about hardware security and SGX:

There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel® SGX), available in its second-generation on the new Intel® Xeon® E-2100 processor, offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. We believe only Intel offers such a granular level of control and protection. Think about it like a lockbox in your home. Even though you have locks on your doors and a home security system, you may still secure your most sensitive data in a private lockbox with a separate key to provide extra layers of protection even if someone gained unwanted access to your home. Essentially, Intel® SGX is a lockbox inside a system’s memory, helping protect the data while it’s in-use during runtime.[…]

https://itpeernetwork.intel.com/hardware-security-sgx

upos.info: Latency, Throughput, and Port Usage Information For Instructions on Recent Intel Microarchitectures

November 4, 2018 ~ hucktech ~ Leave a comment

https://t.co/ADkG09C7cT: Latency, Throughput & Port usage information of instructions on ALL #INTEL CORE #MICROARCHITECTURES
[Paper] https://t.co/zgtEuZnrmW pic.twitter.com/6i2ydjiIaZ

— Hany Ragab (@hanyrax) October 13, 2018

This website provides more than 200,000 pages with detailed latency, throughput, and port usage data for most x86 instructions on all generations of Intel’s Core architecture (i.e., from Nehalem to Coffee Lake). While such data is important for understanding, predicting, and optimizing the performance of software running on these microarchitectures, most of it is not documented in Intel’s official processor manuals.

http://uops.info/

ZeroNights 2018: NUClear explotion

October 30, 2018 ~ hucktech ~ Leave a comment

Intel NUCs UEFI BIOS update process pwning (CVE-2018-12176 + CVE-2018-12158) + another Intel Boot Guard bypass (CVE-2018-3623) will be disclosed from #ZeroNights 2018 stage https://t.co/Ur5LEvdnJv

— Alexander Ermolov (@flothrone) October 29, 2018

Alexander Ermolov @flothrone and Ruslan Zakirov @ttbr0 : «NUClear explotion» #ZeroNights 2018

— ZeroNights (@ZeroNights) October 29, 2018

Alexander Ermolov and Ruslan Zakirov will deliver their «NUClear explotion» talk. A major and most significant approach to UEFI BIOS security is preventing it from being illegitimately modified and the SPI flash memory from being overwritten. Modern vendors use a wide range of security mechanisms to ensure that (SMM BLE / SMM BWP / PRx / Intel BIOS Guard) and hardware-supported verification technologies (Intel Boot Guard). In other words, they do everything just not to let an attacker to place a rootkit into a system. Even the likelihood of execution in the most privileged mode of a processor – System Management Mode (can be achieved through vulnerable software SMI handlers) – is of no interest to adversaries since it does not guarantee they will be able to gain a foothold in a system. A single reboot and an attack must be started anew. However, there is a thing that can make all BIOS security mechanisms inefficient. And this thing is a vulnerable update mechanism implemented by a vendor. Moreover, quite often a legitimate updater adds lots and lots of critical security holes to a system. In this talk, we will speak about how vendors manage to throw all those security flaws together in one system using Intel NUC, a small home PC, as an example. Besides, we will demonstrate how an adversary can compromise BIOS from the userland.

https://2018.zeronights.ru/en/news/the-selection-of-zeronights-2018-talks-is-finished/

Telemetry: Enhancing Customer Triage of Intel® SSDs

October 28, 2018 ~ hucktech ~ Leave a comment

by Behnam Eliyahu and Monika Sane

Telemetry refers to an umbrella of tools, utilities, and protocols to remotely extract and decode information for debugging potential issues with Intel® SSDs. Telemetry works over industry standard protocols, and eliminates or minimizes the need to remove SSDs from customer systems for retrieving debug logs. Telemetry thus enables host tools, Intel technical sales specialists, (TSS), Intel application engineers (AEs), and Intel engineering teams to better identify and debug performance excursions, exception events and critical failures in Intel® SSDs, without sending the physical drive to Intel for failure analysis. This capability is designed in accordance with NVMe* 1.3 telemetry specifications as well as corresponding ACS 4 SATA definitions (which are common industry standards), and is expected to accelerate debugging of external and internal bug sightings pertaining to Intel® SSDs. The key difference between NVMe and SATA is the fact that there is no controller-initiated capability on SATA drives.[…]

https://itpeernetwork.intel.com/telemetry-enhancing-customer-triage/

See-also:
https://github.com/linux-nvme/nvme-cli/blob/master/Documentation/nvme-telemetry-log.txt
https://github.com/linux-nvme/nvme-cli/blob/master/linux/nvme.h
https://jmetz.com/2018/02/whats-new-in-nvme-1-3/
https://nvmexpress.org/resources/specifications/

Intel seeks Security Researcher

October 22, 2018 ~ hucktech ~ Leave a comment

Responsible for secure design, development and operation of Intel’s hardware and software products and services. Responsibilities may include threat assessments, design of security components, and vulnerability assessment.
4+ years of experience in the field of system security research and exploring software and hardware techniques as a method of attack against targets within compute systems.
In-depth experience with security threats, vulnerability research, physical attack techniques (power analysis, fault injection, reverse engineering, etc.), side-channel attack methods.
Knowledge of security technologies: authentication, cryptography, secure protocol, etc.
Knowledge of computer architecture CPU, SoC, chipsets, BIOS, Firmware, Drivers, and others

https://jobs.intel.com/ShowJob/Id/1826346/Security%20Researcher

How Does an Intel Processor Boot?

October 14, 2018 ~ hucktech ~ Leave a comment

When we switch on a computer, it goes through a series of steps before it is able to load the operating system. In this post we will see how a typical x86 processor boots. This is a very complex and involved process. We will only present a basic overall structure. Also what path is actually taken by the processor to reach a state where it can load an OS, is dependent on boot firmware. We will follow example of coreboot, an open source boot firmware.[…]

https://binarydebt.wordpress.com/2018/10/06/how-does-an-x86-processor-boot/

6 new security advisories from Intel

October 10, 2018 ~ hucktech ~ Leave a comment

Intel® Server Boards Firmware Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00179.html

Intel® RAID Web Server 3 Service Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00171.html

Intel® NUC Bios Updater Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00168.html

Intel® NVMe and Intel® RSTe Driver Pack Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00166.html

Intel® Server Board Firmware Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00138.html

Brian on open source firmware

October 3, 2018 ~ hucktech ~ Leave a comment

Brian Richardson of Intel has a new blog post, after the Open Source Firmware Conference, on open source firmware issues:

New @IntelSoftware
blog: "Open Source Firmware: Two Ends of the Spectrum"https://t.co/pd5vWHkZZl pic.twitter.com/zRgQr9Jns7

— Brian Richardson (@Intel_Brian) October 2, 2018

https://software.intel.com/en-us/blogs/2018/10/01/open-source-firmware-two-ends-of-the-spectrum

Vincent on recent UEFI presentations

September 28, 2018 ~ hucktech ~ Leave a comment

Vincent has a new blog post, covering some of his recent tour of speaking engagements, with a bit on UEFI, and even some FSP humor.

http://vzimmer.blogspot.com/2018/09/east-and-further-east.html

Intel releases Slim Bootloader

September 14, 2018 ~ hucktech ~ Leave a comment

Yah Wen is at @osfc_io introducing the Intel® Slim Bootloader, which is live now in github. https://t.co/8hgwtCjbMO @IntelSoftware #firmware pic.twitter.com/nqKpxCaE4R

— Brian Richardson (@Intel_Brian) September 14, 2018

https://github.com/slimbootloader

https://slimbootloader.github.io/introduction/index.html#features

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

September 13, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys https://t.co/mVDNknGXlU #IntelME

— PT Security (@PTsecurity_UK) September 12, 2018

http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html

Intel releases 17 security advisories!

September 12, 2018 ~ hucktech ~ 1 Comment

17 Intel security advisories were released yesterday:https://t.co/VePcxty82x https://t.co/9DTRlutCht https://t.co/IBqCnX6mQQ https://t.co/VGFsZa98cR https://t.co/799u5acAey https://t.co/JCOr1HeBzf https://t.co/Yvn0cH0e3d https://t.co/xZqEEHagLt pic.twitter.com/93jG0yKkWW

— Trammell Hudson ⚙ (@qrs) September 12, 2018

Too many for one tweet:https://t.co/FFeMDm8TE5 https://t.co/dM3wzBy9FJ https://t.co/BzJSoCUs8k https://t.co/vIiZXmYUEE https://t.co/2Gfn76fW7m https://t.co/5npwqzyydN https://t.co/eXMoM0uNWe https://t.co/C2S6NlDvpt https://t.co/MxdeUtL9FX pic.twitter.com/C7rOxdmYev

— Trammell Hudson ⚙ (@qrs) September 12, 2018

https://www.intel.com/content/www/us/en/security-center/default.html

Intel® Distribution for Python 2018 for Windows Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00181.html

Intel® Centrino® Wireless-N and Intel® Centrino® Advanced-N products Bluetooth Driver Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00177.html

Intel® NUC Firmware Security Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00176.html

Intel® IoT Developers Kit Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00173.html

OpenVINO™ Toolkit for Windows Permissions Issue Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00172.html

Intel® Data Migration Software Improper Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00170.html

Intel® Driver & Support Assistant and Intel® Software Asset Manager Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00165.html

Intel® Extreme Tuning Utility Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html

Intel® Baseboard Management Controller (BMC) firmware Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00149.html

Intel® Server Board TPM Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00148.html

Intel® Data Center Manager SDK Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00143.html

Intel® Platform Trust Technology (PTT) Update Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00142.html

Intel® Active Management Technology 9.x/10.x/11.x/12.x Security Review Cumulative Update Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00141.html

Power Management Controller (PMC) Security Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html

Intel® CSME Assets Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

INTEL-SA-00086 Detection Tool DLL Injection Issue Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00119.html

Intel: The TPM2 Software Stack: Introducing a Major Open Source Release

September 10, 2018 ~ hucktech ~ Leave a comment

A newly completed Trusted Platform Module 2.0 (TPM2) software stack is being introduced, developed to comply with the most recent Trusted Computing Group (TCG) v1.38 specification and work on any TPM2 implementation. Partnering with key players within the domain of Trusted Computing such as Infineon and Fraunhofer SIT, Intel has made large investments in code improvements and new functionality compared to the previous version. This includes the initialization of the TSS Stack development and the SAPI, TCTI and abrmd layer. Based on this development, Infineon and Fraunhofer SIT enabled the support of the Enhanced System API (ESAPI) layer, which is intended to reduce programming complexity and to simplify the use and integration of the TPM.[…]

https://software.intel.com/en-us/blogs/2018/08/29/tpm2-software-stack-open-source

Tianocore UEFI hackathon

August 29, 2018 ~ hucktech ~ Leave a comment

We're happy to announce the first public TianoCore hack-a-thon as part of @osfc_io 2018, which will be focused on Signed UEFI Capsule Updates.

More Information: https://t.co/DQJmvZesco pic.twitter.com/qi6q47GffA

— tianocore (@tianocore) August 29, 2018

https://github.com/tianocore/tianocore.github.io/wiki/2018-EDK-II-Capsule-Hack-a-thon

“This is the first time Intel has staged a public TianoCore hack-a-thon event.”

Intel ME JTAG PoC for INTEL-SA-00086

August 27, 2018 ~ hucktech ~ Leave a comment

Ready to uncover Intel ME background? Use our PoC to activate JTAG and dump ME ROM https://t.co/PXDCrssolB

— Mark Ermolov (@_markel___) August 27, 2018

Almost year has passed since we reported the INTEL-SA-00086 vulnarability and we have published JTAG activation PoC for Intel ME. You can use JTAG for researching ME core (via DbC debug cable). Step-by-step instructions at https://t.co/TWbgEbrmNm pic.twitter.com/9lCJPYfLBF

— Maxim Goryachy (@h0t_max) August 27, 2018

Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version 3.0.1.1107).[…]

https://github.com/ptresearch/IntelTXE-PoC