Tag: Intel

Intel Platform Armoring and Resiliency team seeks BIOS intern

~ hucktech ~ Leave a comment

Interesting: Intel SSG has a “Platform Armoring and Resiliency (PAR)” team! Wish I had more details on what they do (besides inferring from job postings). If you’re on the PAR team and you have a home page or more public info, please leave a Comment.

Security BIOS Engineering Intern Hillsboro, OR
Job ID: JR0034895
Job Category: Intern/Student

Intel Corporation’s Software and Services Group (SSG) is looking for an intern to work in the area of platform firmware resiliency. The Platform Armoring and Resiliency PAR team within SSG is responsible for creating a secure firmware capability within Intel and the ecosystem to proactively ensure the standard boot and recovery infrastructure of IA platforms is both usable and secure[…]

* Utilizing fuzzing and symbolic execution tools to explore target binaries
* Prototyping new functionality in UEFI/BIOS
* Developing/supporting software tools in C and Python
* Gathering and analyzing execution traces to identify patterns of interest
* Utilizing QEMU or virtualization environments to analyze target binaries

Preferred:
* 3 months experience with Intel Model-Specific Registers (MSRs) or Configuration Space Registers (CSRs)
* 3 months experience with developing kernel modules or kernel code

http://jobs.intel.com/ShowJob/Id/1352713/Security%20BIOS%20Engineering%20Intern

A bit less interesting: Intel HR webmaster posts URLs with spaces in them. 😦

Intel MeshCentral2 updated with Load Balancer & Peering Support

~ hucktech ~ Leave a comment

Intel has released an updated version of MeshCentral2, an Intel AMT-based management tool for Windows. New version has “server peering” support, which I confess I don’t yet understand what that means, but sounds signficant, something to learn about…

[…]MeshCentral2 is a free open source web-based remote computer management solution allowing administrators to setup new servers in minutes and start remotely controlling computers using both software agent and Intel® AMT. The server works both in a LAN environment and over the Internet in a WAN setup. Now, I just released a new version with support for server-to-server peering allowing for improved fail-over robustness and scaling. Some technical details:

* Servers connect to each-other using secure web sockets on port 443. This is just like browsers and Mesh agents, so you can setup a fully working peered server installation with only port 443 being open.
* Server peering and mesh agent connections use a secondary authentication certificate allowing the server HTTPS public certificate (presented to browser) to be changed. This allows MeshCentral2 peer servers to be setup with different HTTPS certificates. As a result, MeshCentral2 can be setup in a multi-geo configuration.
* All of the peering is real-time. As servers peer together and devices connect to the servers, users see a real-time view on the web page of what devices are available for management. No page refresh required.
* MeshCentral2 supports TLS-offload hardware for all connections including Intel® AMT CIRA even when peering. So, MeshCentral2 servers can benefit from the added scaling of TLS offload accelerators.
* Fully support server peering for Browsers, Mesh Agents and Intel® AMT connections.
* The server peering system does not use the database at all to exchange state data. This boosts the efficiency of the servers because the database is only used for long term data storage, not real time state.
* There is no limit to how many servers you can peer, however I currently only tested a two server configuration.

https://software.intel.com/en-us/blogs/2017/09/21/meshcentral2-load-balancer-peering-support

http://www.meshcommander.com/meshcentral2

https://software.intel.com/sites/default/files/managed/ce/37/MeshCentral2-DualServer.png

 

Positive Tech at BlackHat EU: Running Unsigned Code in Intel ME

~ hucktech ~ Leave a comment

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such “God mode” capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools. Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics. In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Intel ME is the new Pandora’s Box…

 

Intel AMT Upgradable to Vulnerable Firmware

~ hucktech ~ Leave a comment

Intel AMT® Upgradable to Vulnerable Firmware
Intel ID: INTEL-SA-00082
Product family: Intel AMT®
Impact of vulnerability: Elevation of Privilege
Severity rating: Moderate
Original release: Sep 05, 2017
Last revised: Sep 05, 2017

Intel® Active Management Technology, Intel® Standard Manageability, and Intel® Small Business Technology firmware versions 11.0.25.3001 and 11.0.26.3000 can be upgraded to firmware version 11.6.x.1xxx which is vulnerable to CVE-2017-5689 and can be performed by a local user with administrative privileges.This version of firmware can potentially impact Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). Consumer PCs with consumer firmware and data center servers using Intel® Server Platform Services are not affected by this vulnerability. Intel recommends that users contact their system manufacturers for updated firmware which mitigates this issue. This issue was discovered during Intel internal validation.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00082&languageid=en-fr

 

Passmark’s memtest86 issues [with Minnowboards]

~ hucktech ~ Leave a comment

You might want to re-run memtest on some machines before discarding systems as broken. Some Minnowboards were failing memory tests. Intel looked into it and says:

We have tracked down the issue and found that memtest86 tool is using a function call with rare but legitimate NULL value which causes memory test failure.
Currently we are working to update BIOS firmware with fix to prevent this memory test function call failure from memtest86 tool.
Again this is protocol interface issue between memtest86 and our FW driver, there is no hardware issue found with memory on Minnowboard.

See elinux-minnowboard thread for details:

https://www.memtest86.com/troubleshooting.htm

https://www.memtest86.com/technical.htm

http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20170828/thread.html

 

CVE-2017-3753: AMI Lenovo UEFI SMM vulnerability

~ hucktech ~ Leave a comment

Lenovo says scope of AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.

BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753
Lenovo Security Advisory: LEN-14695
Severity: High
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017

Potential Impact: Execution of code in SMM by an attacker with local administrative access

A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:

* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator)

https://nvd.nist.gov/vuln/detail/CVE-2017-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3753
https://support.lenovo.com/us/en/product_security/len-14695
AFAICT nothing on the AMI site on this.

Google Pawn: Intel firmware dumping tool!

~ hucktech ~ Leave a comment

Exciting, Google has a new tool that helps dump the UEFI/BIOS into a rom.bin, like FlashROM and CHIPSEC! Pawn is written in C++/C, Apache-licensed, requires Linux and GCC toolchain. Given 2014-2017 copyright, it has been around for YEARS, only went public 3 months ago, and I just noticed it today. See below, I am still looking for “Bishop”…

Pawn BIOS Dumping Tool
Copyright 2014-2017 Google Inc.
Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.
Pawn is a tool to extract the BIOS firmware from Intel-based workstations and laptops. The name is a play on an internal tool that is also named after a chess piece.
[…]
sudo .build/pawn bios_image.bin
You can then use other tools like UEFITool to process the firmware image further.

https://github.com/google/pawn

What/where is Pawn’s companion utility, Bishop?? From pawn.cc comments:

Pawn, a companion utility to Bishop (go/bishop) to extract BIOS firmware from corp machines.

If you find it, please leave a Comment.

https://github.com/google?utf8=%E2%9C%93&q=Bishop&type=&language=

https://github.com/search?q=topic%3Afirmware-tools+org%3Agoogle&type=Repositories

 

Alex on Intel segmentation

~ hucktech ~ Leave a comment

https://twitter.com/aionescu/status/894547724904931328

https://twitter.com/aionescu/status/894547838717366272

https://twitter.com/aionescu/status/894475252625018882

[…]What I discovered completely changed my understanding of 64-bit Long Mode semantics and challenged many assumptions I was making – pinging a few other experts, it seems they were as equally surprised as I was (even Mateusz”j00ru” Jurczyk wasn’t aware!). Throughout this blog post, you’ll see how x64 processors, even when operating in 64-bit long mode[…]

http://www.alex-ionescu.com/?p=340

See-also:

HTTP Boot support in Tianocore

 

 

Intel Graphics Driver for Windows: DoS vulnerability

~ hucktech ~ Leave a comment

Excerpt of advisory below, see full one for list of drivers impacted.

DoS in Kernel in multiple versions of the Intel Graphics Driver allows local attacker to perform a DoS via an Out of Bounds Read

Intel ID: INTEL-SA-00077
Product family: Mobile, Desktop, Server, Workstation, and Embedded processors based on Intel® Core™ and Atom™ Processors using an affected driver.
Impact of vulnerability: Denial of Service
Severity rating: Moderate
Original release: Jul 31, 2017
Last revised: Aug 01, 2017

Out-of-bounds read condition in older versions of some Intel® Graphics Driver for Windows code branches allows local users to perform a denial of service attack. Intel recommends that users download and upgrade to the latest supported driver. Intel would like to thank Enrique Nissim of IOActive for reporting this issue and working with us on a coordinated disclosure.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00077&languageid=en-fr

Intel’s Black Hat UEFI presentation online

~ hucktech ~ Leave a comment

Vincent has a new blog post about the recent talk about UEFI security that Intel just gave at Black Hat Briefings.

http://vzimmer.blogspot.com/2017/08/black-hat-usa-2017-firmware-is-new-black.html

https://www.blackhat.com/us-17/briefings.html#firmware-is-the-new-black-analyzing-past-three-years-of-bios-uefi-security-vulnerabilities

https://github.com/rrbranco/BlackHat2017

Click to access BlackHat2017-BlackBIOS-v0.13-Published.pdf

https://www.darkreading.com/vulnerabilities—threats/7-hardware-and-firmware-hacks-highlighted-at-black-hat-2017/d/d-id/1329442

Intel on SSD secure erase feature

~ hucktech ~ Leave a comment

What is secure erase, and is it certified on an Intel® SSD?
by Doug DeVetter | July 31, 2017
Intel SSD used with Secure Erase

I’m often asked whether the secure erase feature within Intel® SSDs is certified by NIST, U.S. DoD, or other government or industry bodies. Intel has implemented the secure erase feature consistent with the ATA and NVMe specifications. The designs and implementations have been internally reviewed and validated. A third-party has tested the implementation on a subset of our products and reported that the data was unrecoverable. Intel is unaware of any industry or government body which certifies or approves the implementation of this technical capability. NIST SP 800-88 is often cited as the guideline to be followed in the United States with regard to secure erase. NIST provides guidelines, however, NIST does not certify compliance to these guidelines. In addition to being consistent with the ATA and NVMe specifications, our implementation of secure erase is in line with the NIST guidelines for data sanitization.[…]

https://itpeernetwork.intel.com/secure-erase-certified-intel-ssd/

https://www.intel.com/content/www/us/en/it-management/intel-it-best-practices/secure-erase-for-ssds-helps-sanitize-data-boost-efficiency-brief.html

Brian on UEFI security

~ hucktech ~ Leave a comment

Brian Richardson of Intel recently gave a talk about UEFI security at BSides Asheville, NC. Slides are on the below blog URL:

What you don’t know about firmware might get you 0wn3d

Following firmware developers on social media during Black Hat & Def Con can be a bit bewildering. Firmware is becoming more important in the realm of cybersecurity research. Most of the work I do is working with other firmware developers to make sure they understand current capabilities and trends, but that work may take months or years to hit the market. The people on the front lines of computer security need some understanding of what they can do today to help secure their systems. While many of my colleagues spent a very hot and crowded week in Las Vegas, I had a much cooler weekend at the Bsides conference in Asheville, NC. My “What you don’t know about firmware might get you 0wn3d” presentation is designed to describe the importance of firmware in computer security, and what can be done today to mitigate and detect common attacks against firmware. There are practical methods to prevent a number of common bootkit/rootkit attacks, platform security features to consider when purchasing new systems, and responsible ways to research firmware issues.[…]

https://software.intel.com/en-us/blogs/2017/07/29/what-you-don-t-know-about-firmware-might-get-you-0wn3d