INTEL announces vulnerabilities in Firmware

tovian

INTEL announces vulnerabilities in Firmware

Post by tovian »

PC vendors scramble as Intel announces vulnerability in firmware [Updated]

Millions of computers could be remotely hijacked through bug in firmware code.


This is not good.
This article has a link to a vulnerability detection tool for Linux (and Windows).

Linux Download
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
“I think that this situation absolutely requires a really futile and stupid gesture be done on somebody's part"
"We're just the guys to do it”

Animal House
Schultz

Re: INTEL announces vulnerabilities in Firmware

Post by Schultz »

I downloaded the tool but don't know how to start it. Can anyone help? I read on Intel's site that it is "a command line executable," but it doesn't give any instructions.
jimallyn

Re: INTEL announces vulnerabilities in Firmware

Post by jimallyn »

Navigate to wherever you saved the file with your file manager. Right click on it, then click "Extract here." Open a terminal and use cd to navigate to the SA00086_Linux folder that you just unzipped. Type ./intel_sa00086.py and press Enter. That should do it. I did not have to make any of those files executable, they already were when I unzipped them. If you have any problems, inside that SA00086_Linux is another folder called 'documents.' The .pdf file has instructions if you need them.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
Schultz

Re: INTEL announces vulnerabilities in Firmware

Post by Schultz »

Thanks for the help jimallyn. My system is not vulnerable.
jimallyn

Re: INTEL announces vulnerabilities in Firmware

Post by jimallyn »

Schultz wrote:My system is not vulnerable.
Unfortunately, mine is. I unplugged the network cable when I left the house today.
Faust

Re: INTEL announces vulnerabilities in Firmware

Post by Faust »

jimallyn wrote: Unfortunately, mine is. I unplugged the network cable when I left the house today.
Yes, one of mine also, but while it is undoubtedly "a bad thing", it is not disastrous and I don't believe that drastic measures are needed.
Keep in mind that to exploit the vulnerability locally, physical access to the machine is needed.
Remote exploitation requires root privileges, and we are smart enough to NOT run as root (and Mint actively discourages us from doing this).

As I mentioned in another thread, reliable information on this is scarce and Intel seem to be rather coy about giving us the full picture.
For example, it would be very useful to know which ports are being used so that they could be blocked by a firewall.

In my notes I have these listed (but no link to the source ... doh!)

16992, 16993, 16994, 16995, 623, 664

I'd be interested to hear from other members who are looking into this.
jimallyn

Re: INTEL announces vulnerabilities in Firmware

Post by jimallyn »

Good points, Faust. I went back and read the article again, and I'm feeling a bit better now! I wish Intel would abandon the notion that putting malware in their CPUs is a good idea.
Faust

Re: INTEL announces vulnerabilities in Firmware

Post by Faust »

Update:
The Electronic Frontier Foundation has directly challenged Intel on this matter, and they replied, but only to nit-pick about details in the article (which EFF promptly corrected) ... it changes nothing.
They have completely ignored the demands from EFF to "do the right thing".

"So we call upon Intel to:

Provide clear documentation for the software modules that are preinstalled on various Management Engines.
What HECI commands provide a full list of the installed modules/services? What are the interfaces to those services?

Provide a way for their customers to audit ME code for vulnerabilities. That is presently impossible because the code is kept secret.

Offer a supported way to disable the ME.
If that’s literally impossible, users should be able to flash an absolutely minimal, community-auditable ME firmware image.
On systems where the ME is an essential requirement for other security features that are important to some users (like Boot Guard),
offer an additional option of a near-minimal, community-auditable ME firmware image that performs these security functions, and nothing else.
Or alternatively, a supported way to build and flash firmware images where the user can inspect and control which services/modules are present,
in order to manage security risks from those modules."


https://www.eff.org/deeplinks/2017/05/i ... disable-it

There is certainly no help available on Intel's own site:
https://software.intel.com/en-us/articl ... -intel-amt
Pjotr

Re: INTEL announces vulnerabilities in Firmware

Post by Pjotr »

jimallyn wrote:Navigate to wherever you saved the file with your file manager. Right click on it, then click "Extract here." Open a terminal and use cd to navigate to the SA00086_Linux folder that you just unzipped. Type ./intel_sa00086.py and press Enter. That should do it. I did not have to make any of those files executable, they already were when I unzipped them. If you have any problems, inside that SA00086_Linux is another folder called 'documents.' The .pdf file has instructions if you need them.
Note that you have to run the command with sudo: sudo ./intel_sa00086.py

1. Without sudo:
pjotr@MD99587 ~/Downloads/intel $ ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-23 10:05:03 GMT

*** Host Computer Information ***
Name: MD99587
Manufacturer: MEDION
Model: E4213 MD99587
Processor Name: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz
OS Version: LinuxMint 18.3 sylvia (4.11.0-14-generic)

This tool needs elevated privileges to run.

*** Risk Assessment ***
Detection Error: This system may be vulnerable.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advis ... geid=en-fr
2. With sudo:
pjotr@MD99587 ~/Downloads/intel $ sudo ./intel_sa00086.py
[sudo] wachtwoord voor pjotr:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-23 10:05:37 GMT

*** Host Computer Information ***
Name: MD99587
Manufacturer: MEDION
Model: E4213 MD99587
Processor Name: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz
OS Version: LinuxMint 18.3 sylvia (4.11.0-14-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 1.1.2.1120
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advis ... geid=en-fr
Last edited by Pjotr on Thu Nov 23, 2017 6:22 am, edited 3 times in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
michael louwe

Re: INTEL announces vulnerabilities in Firmware

Post by michael louwe »

@ jimallyn, .......
jimallyn wrote:
Schultz wrote:My system is not vulnerable.
Unfortunately, mine is. I unplugged the network cable when I left the house today.
According to this link https://www.howtogeek.com/56538/how-to- ... t-crashes/ on how to configure computers for Remote Management with the Intel MEBx/AMT/vPro feature, I do not think you need to take such preventive measures against the Intel ME vulnerability except to make sure that the feature is disabled in BIOS-1 level. Many steps are required before this deep remote access feature can be used. So, even unpatched Intel computers may not be vulnerable.
... Likely, it is mostly only computers which have already been so configured by businesses' System Admins for Remote Management that are vulnerable and need to be patched.
Flemur

Re: INTEL announces vulnerabilities in Firmware

Post by Flemur »

Pjotr wrote:*** Risk Assessment ***
Detection Error: This system may be vulnerable.
I get that with or without "sudo" - they're exactly the same.

But great web page (download) they have there! Thousands of lawyer words, but not one word of instructions on how to run the thing.
please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:https://security-center.intel.com/advisory.aspx?inte ...
That link has no information on how to "install the Intel(R) MEI/TXEI driver" - it doesn't even mention MEI.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Schultz

Re: INTEL announces vulnerabilities in Firmware

Post by Schultz »

Pjotr wrote:
Note that you have to run the command with sudo
Here's how I did it: I opened the folder that contained "intel_sa00086.py" as administrator, and double-clicked it, and in the selection window that asked what to do, I selected run. I'm assuming that since I opened the containing folder as administrator, that the file was also run as administrator. Is that correct? Or did I need to also run the file itself as administrator?
jimallyn

Re: INTEL announces vulnerabilities in Firmware

Post by jimallyn »

Pjotr wrote:Note that you have to run the command with sudo: sudo ./intel_sa00086.py
I get precisely the same output whether I use sudo or not. I do not get any message that it needs elevated privileges. Interesting.
Minterator

Re: INTEL announces vulnerabilities in Firmware

Post by Minterator »

Asus doesn't have ME firmware update for this mobo, what next?


sudo ./intel_sa00086.py 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.128
Scan date: 2017-11-24 22:45:53 GMT

*** Host Computer Information ***
Name: Asus-h170
Manufacturer: System manufacturer
Model: System Product Name
Processor Name: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
OS Version: LinuxMint 17.3 rosa (4.11.12-041112-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.0.10.1002
SVN: 1

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.


For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
Faust

Re: INTEL announces vulnerabilities in Firmware

Post by Faust »

Minterator wrote:Asus doesn't have ME firmware update for this mobo, what next? ....
First of all, "Do Not Panic" (The Hitch-hikers Guide to the Galaxy is very specific on that point :lol: )

The manufacturer of one of my affected machines is not on that Intel list either, so it may be a long wait for some folks.
Even without the "band-aid" fix being offered, the potential attack surface is still tiny for the vast majority of users,
who may have "compromised" hardware.

Keep in mind that ALL systems are vulnerable to attack via USB ports (STUXNET is all the proof that is needed).

A system that is booted and unattended can be compromised in seconds, even if the user is not logged in!
And a machine that is not powered up is still vulnerable ... e.g. attack by the aptly-named "Evil Maid",
... most safes in hotel rooms are too small to hold a laptop.
I have seen machines with all of the USB ports sealed with hot glue, in fact some companies do this as a matter of policy.
[People who attend major hacker conventions such as DefCon have been known to take even more drastic measures!]

So that is one of the main attack vectors for any potential malicious exploitation of Intel ME.
The other being remote, which requires unauthorized elevation, and that should not bother us Mint users :)

In short, this latest security mess (of Intel's own making) is much less of a threat than it first appears.
Minterator

Re: INTEL announces vulnerabilities in Firmware

Post by Minterator »

jimallyn wrote:Good points, Faust. I went back and read the article again, and I'm feeling a bit better now! I wish Intel would abandon the notion that putting malware in their CPUs is a good idea.
It's in the chipset, not the CPU. It's a separate MINIX mini-OS that works independently of Windows/Linux regardless of root/administrator privilege. It's a Big Brother backdoor that could give the NSA complete access to the entire system's memory space. My H170 machines are vulnerable and there's no firmware update from Asus (yet?), my H270 has a patch from Asus but it's a Windows executable https://www.asus.com/us/Motherboards/RO ... Desk_BIOS/

https://www.techpowerup.com/238677/mini ... inix-drama

https://gadgets.ndtv.com/laptops/news/i ... ty-1773805

There are cleaners that overwrite parts of the firmware, thereby disabling it. But it may also brick the machine.

https://github.com/corna/me_cleaner/wik ... it-work%3F

https://github.com/bartblaze/Disable-Intel-AMT
BG405

Re: INTEL announces vulnerabilities in Firmware

Post by BG405 »

jimallyn wrote:
Pjotr wrote:Note that you have to run the command with sudo: sudo ./intel_sa00086.py
I get precisely the same output whether I use sudo or not. I do not get any message that it needs elevated privileges. Interesting.
Same here.


*** Risk Assessment ***
Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).

For more information refer to the SA-00086 Detection Tool Guide or the Intel security advisory Intel-SA-00086 at the following link:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
However, this CPU doesn't appear to be included in the list on that link. It's an Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz.

There is a box where you can tell them if you found the information useful or not, so I gave them this ...
What information? All I see is banners, an EULA (why is this spaced out to cover an acre of screen real-estate and in a tiny font? Hard to read and a PITA to navigate), but no actual information on this issue when I finally got to the bottom of it ...
Hope I wasn't too harsh but these people need to be told.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----Two ROMS don't make a WRITE
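
Added example (not part of any post in this thread, and not Intel's code): the tool outputs quoted by Pjotr, Minterator and BG405 fall into three cases, and the "Detection Error: ... may be vulnerable" text marks an inconclusive run rather than a finding. The Python sketch below classifies a saved report accordingly; the function names and verdict labels are assumptions, and the samples are excerpts of the outputs posted above with host details trimmed.

```python
import re

# Output excerpts copied from posts in this thread (host details trimmed).
ME = "*** Intel(R) ME Information ***\nEngine: Intel(R) Management Engine\n"
SAMPLES = {
    "no_sudo": "This tool needs elevated privileges to run.\n\n"
               "*** Risk Assessment ***\n"
               "Detection Error: This system may be vulnerable.\n",
    "no_driver": "*** Risk Assessment ***\n"
                 "Detection Error: This system may be vulnerable, please install "
                 "the Intel(R) MEI/TXEI driver (available from your system manufacturer).\n",
    "clean": ME + "Version: 1.1.2.1120\nSVN: 0\n\n*** Risk Assessment ***\n"
             "Based on the analysis performed by this tool: "
             "This system is not vulnerable.\n",
    "affected": ME + "Version: 11.0.10.1002\nSVN: 1\n\n*** Risk Assessment ***\n"
                "Based on the analysis performed by this tool: "
                "This system is vulnerable.\n",
}
SECTION = re.compile(r"^\*\*\* (.+?) \*\*\*$")

def parse_report(text):
    """Group non-empty lines under their '*** Title ***' section header."""
    sections, current = {"": []}, ""
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections

def assess(text):
    """Return (verdict, me_version, reason) for one run of the tool."""
    s = parse_report(text)
    risk = " ".join(s.get("Risk Assessment", []))
    version = next((l.split(":", 1)[1].strip()
                    for l in s.get("Intel(R) ME Information", [])
                    if l.startswith("Version:")), None)
    # No firmware version read means the tool never queried the ME, so any
    # "may be vulnerable" text is an inconclusive run, not a finding.
    if "Detection Error" in risk or version is None:
        if "elevated privileges" in text:
            return "INCONCLUSIVE", version, "rerun with sudo"
        if "MEI/TXEI driver" in risk:
            return "INCONCLUSIVE", version, "MEI/TXEI driver missing"
        return "INCONCLUSIVE", version, "ME firmware version not read"
    if "is not vulnerable" in risk:
        return "NOT_VULNERABLE", version, "tool reports firmware not affected"
    if "is vulnerable" in risk:
        return "VULNERABLE", version, "tool reports firmware affected"
    return "INCONCLUSIVE", version, "unrecognised risk text"

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, assess(sample))
```

Only a run that prints an ME firmware version has actually queried the firmware; the two "Detection Error" variants say nothing either way about the machine.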
CaptainKirksChair

Re: INTEL announces vulnerabilities in Firmware

Post by CaptainKirksChair »

My system MAY be vulnerable, according to the tool from Intel. However, Dell says I am not vulnerable because the E6400s are not on their list.
jimallyn

Re: INTEL announces vulnerabilities in Firmware

Post by jimallyn »

BG405 wrote:Hope I wasn't too harsh but these people need to be told.
You weren't.
BG405

Re: INTEL announces vulnerabilities in Firmware

Post by BG405 »

jimallyn wrote: You weren't.
Thanks for that, prior to submitting it did have several revisions though! The drafts weren't quite as subtle :mrgreen: