Intel AMT Firmware Vulnerability CVE-2017-5689

https://www.ssh.com/vulnerability/intel-amt/

This page by SSH collects information, fixes, and analyses of the Intel AMT Firmware remote code execution vulnerability of May 1, 2017 (CVE-2017-5689).
Your servers are in danger now through Intel AMT technology! 

AMT enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets. Essentially, AMT allows remote access to the system’s memory and disk over the network while the operating system is running. 

The exploit is trivial, max five lines of Python, could be doable in one-line shell command. IT GIVES FULL CONTROL OF AFFECTED MACHINES, INCLUDING ABILITY TO READ AND MODIFY EVERYTHING.

DISABLE AMT TODAY! ASK QUESTIONS LATER. 

For data centers, if you can, FIREWALL THEM OFF. Block ports 16992, 16993, 16994, 16995, 623, 664 NOW.

See Embedi white paper on the Intel AMT Vulnerability Exploitation details

In essence, the web user interface uses HTTP digest authentication for the admin account. Send an empty digest response, and you are in. That simple. 
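To make the "empty digest response" failure concrete from the verifier's side, here is an added example (not code from the original post, from SSH.com, or from the Embedi paper) of an RFC 2617 Digest check in Python. It computes the expected response, then compares it two ways: a flawed comparison that only checks as many characters as the client supplied (a simplified model of the bug class the post describes, not the firmware's actual code) and a hardened full-length constant-time comparison. The realm, password, nonce and header values are constructed for the demo.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed demo values (hypothetical): one realm, one admin account.
REALM = "Digest:ABCDEF0123456789"
USERS = {"admin": "correct-horse-battery"}

# Matches key="quoted value" or key=barevalue inside a Digest header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse an 'Authorization: Digest ...' header value into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    params: Dict[str, str] = {}
    for key, quoted, bare in _PARAM_RE.findall(header[len("Digest "):]):
        params[key] = quoted if quoted != "" else bare
    return params


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def expected_response(p: Dict[str, str], method: str, password: str) -> str:
    """Digest the client should have sent (RFC 2617, with qop=auth or without qop)."""
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    if p.get("qop"):
        return _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return _md5(f"{ha1}:{p['nonce']}:{ha2}")


def vulnerable_compare(expected: str, supplied: str) -> bool:
    """Model of the flawed check: compares only as many characters as the
    client sent, so a zero-length (or truncated) value always 'matches'."""
    return expected[:len(supplied)] == supplied


def hardened_compare(expected: str, supplied: str) -> bool:
    """Full-length, constant-time comparison; a length mismatch is a failure."""
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def authenticate(header: str, method: str, compare=hardened_compare) -> bool:
    """Return True only if the header proves knowledge of the user's password."""
    try:
        p = parse_digest_header(header)
        password = USERS[p["username"]]
        exp = expected_response(p, method, password)
    except (KeyError, ValueError):
        return False  # unknown user, missing field, or malformed header
    return compare(exp, p.get("response", ""))


def build_client_header(username: str, password: str, method: str, uri: str,
                        nonce: str, cnonce: str = "0a4f113b", nc: str = "00000001") -> str:
    """Build a correct client header (used here only to produce test input)."""
    p = {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
         "qop": "auth", "nc": nc, "cnonce": cnonce}
    p["response"] = expected_response(p, method, password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items())


if __name__ == "__main__":
    nonce = "constructed-nonce-1234"
    good = build_client_header("admin", USERS["admin"], "GET", "/index.htm", nonce)
    empty = (f'Digest username="admin", realm="{REALM}", nonce="{nonce}", '
             f'uri="/index.htm", response=""')
    for name, hdr in (("valid", good), ("empty", empty)):
        print(f"{name:6s} vulnerable={authenticate(hdr, 'GET', vulnerable_compare)} "
              f"hardened={authenticate(hdr, 'GET')}")
```

The point of the two comparators is that the length used for the comparison must come from the server's expected value, never from the client's, and the check must fail closed on any mismatch; `hmac.compare_digest` additionally avoids leaking the expected value through timing.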

This is worse than giving everyone root access on every server whose AMT port they can communicate with. And to every virtual machine, container, and database running on those servers.

I wish the world would have been given a few weeks to fix this.

Expect exploits over the weekend. 


69 Comments

  1. Tomi Engdahl says:

    Neutralizing the Intel Management Engine on Librem Laptops
    https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/

    Ladies and Gentlemen, Clean Your Engines!
    I am happy to say that neutralizing the ME works! I investigated the effectiveness of neutralizing the Management Engine using the me_cleaner tool (which is an amazing feat of the community

    https://github.com/corna/me_cleaner

  2. Tomi Engdahl says:

    Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
    As creator of OS on the chips calls out Chipzilla
    https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/

    Positive Technologies, which in September said it has a way to drill into Intel’s secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

    The biz has already promised to demonstrate a so-called God-mode hack this December, saying they’ve found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”

    For those who don’t know, for various processor chipset lines, Intel’s Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you’re managing large numbers of computers, especially when an endpoint’s operating system breaks down and the thing won’t even boot properly.

    Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

    For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB.

    With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date.

  3. Tomi Engdahl says:

    Google Working To Remove MINIX-Based ME From Intel Platforms
    https://linux.slashdot.org/story/17/11/09/2121237/google-working-to-remove-minix-based-me-from-intel-platforms

    Intel’s Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX’s presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel’s ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn’t much public knowledge of the workings of the ME, especially in its current state. It’s not even clear where the hardware is physically located anymore.

    Google Working To Remove MINIX-Based ME From Intel Platforms
    http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html

    Intel’s Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX’s presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

    Intel’s ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn’t much public knowledge of the workings of the ME, especially in its current state. It’s not even clear where the hardware is physically located anymore. At its inception in 2006, the ME was reportedly located on the MCH (northbridge), but when that became integrated into the CPU beginning with Nehalem, ME was moved to the PCH (current-day “southbridge”).

    Where the ME’s code is stored also isn’t clear. Intel has said that it, at least at one point, was loaded into system DDR RAM. The ME has access to many, if not all, of the platform’s integrated devices, such as Intel network controllers. It can also access the main system RAM (the DDR RAM) through DMA. Much has changed in Intel’s platform since some of this was reported, however, so the state of ME now isn’t well understood. Intel, of course, keeps many of the details veiled in secrecy for security purposes.

  4. Tomi Engdahl says:

    Well, crap. It might have finally happened. [Maxim Goryachy] and [Mark Ermolov] have obtained fully functional JTAG for Intel CSME via USB DCI. What the hell does that mean? It means you can plug something into the USB port of a computer, and run code on the Intel Management Engine (for certain Intel processors, caveats apply, but still…). This is doom. The Intel ME runs below the operating system and has access to everything in your computer. If this is real — right now we only have a screenshot — computer security is screwed, but as far as anyone can tell, me_cleaner fixes the problem. Also, Intel annoyed [Andy Tanenbaum].

    Source: https://hackaday.com/2017/11/12/hackaday-links-supercon-sunday/

    More:
    Tool for partial deblobbing of Intel ME/TXE firmware images
    https://github.com/corna/me_cleaner

  5. Tomi Engdahl says:

    Is Intel’s Management Engine Broken yet?
    https://hackaday.com/2017/11/17/is-intels-management-engine-broken-yet/

    Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top of the cake is that they are able to do it via a USB port acting as a JTAG port. Does this mean the zombie apocalypse is coming?

    Before the Skylake CPU line, released in 2015, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer’s chassis. Starting with the Skylake CPU, Intel replaced the ITP-XDP interface and allowed developers and engineers to access the debugging utility via common USB 3.0 ports, accessible from the device’s exterior, through a new technology called Direct Connect Interface (DCI). Basically the DCI provides access to CPU/PCH JTAG via USB 3.0. So the researchers manage to debug the IME processor itself via USB DCI, which is pretty awesome, but USB DCI is turned off by default, like one of the researchers states, which is pretty good news for the ordinary user. So don’t worry too much just yet.

  6. Tomi Engdahl says:

    Intel Chip Flaws Leave Millions of Devices Exposed
    https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/

    Security researchers have raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research.

    Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
    Bugs can be exploited to extract info, potentially insert rootkits
    https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

    Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.

    The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.

    In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:

    6th, 7th and 8th Generation Intel Core processors
    Intel Xeon E3-1200 v5 and v6 processors
    Intel Xeon Scalable processors
    Intel Xeon W processors
    Intel Atom C3000 processors
    Apollo Lake Intel Atom E3900 series
    Apollo Lake Intel Pentiums
    Celeron N and J series processors

    The Management Engine is a barely documented black box. It has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.

    It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.

    The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.

    Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.

  7. Tomi Engdahl says:

    Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

    In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

    As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.

    Affected products:

    6th, 7th & 8th Generation Intel® Core™ Processor Family
    Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
    Intel® Xeon® Processor Scalable Family
    Intel® Xeon® Processor W Family
    Intel® Atom® C3000 Processor Family
    Apollo Lake Intel® Atom Processor E3900 series
    Apollo Lake Intel® Pentium™
    Celeron™ N and J series Processors

    Intel has released a downloadable detection tool located at http://www.intel.com/sa-00086-support , which will analyze your system for the vulnerabilities identified in this security advisory.

    Intel highly recommends checking with your system OEM for updated firmware. Links to system manufacturer pages concerning this issue can be found at http://www.intel.com/sa-00086-support

    Intel highly recommends that all customers install the updated firmware and Intel® Capability License Service on impacted platforms.

  8. Tomi Engdahl says:

    U.S. government warns businesses about cyber bug in Intel chips
    https://www.reuters.com/article/us-intel-cyber-vulnerability/u-s-government-warns-businesses-about-cyber-bug-in-intel-chips-idUSKBN1DM01R

    The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

    The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

    Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

    For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

  9. Tomi Engdahl says:

    To fix Intel’s firmware fiasco, wait for Christmas Eve or 2018
    And cross your fingers: ‘TBD’ is the scheduled date for hundreds of PC fixes
    https://www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/

    The world’s top PC-makers have started to ship fixes for the multiple flaws in Intel’s CPUs, but plenty won’t land until 2018.

    The flaws struck multiple flaws in Intel’s Management Engine, Server Platform Services, and Trusted Execution Engine and make it possible to run code that operating systems – and therefore sysadmins and users – just can’t see.

    Intel acknowledged the bugs after Positive Technologies publicised attack vectors for the flaws.

    PC-and-server-makers have since rushed to advise of their fixes, but not all have made them available immediately.

    Lenovo’s advisory listed seven machines for which the date of fix delivery is “TBD” – to be determined.

    That’s a lovely small number compared to Acer, which has given 240 models the TBD treatment.

    It’s therefore making Dell look good: it has just 191 TBD PCs.

    HPE appears to have downloads ready to go, but Fujitsu’s only readied them for Japanese and EMEA customers

    It gets worse: plenty of the affected CPUs were sold to manufacturers of network attached storage or other appliances.

  10. Tomi Engdahl says:

    Device Manufacturers Working on Patches for Intel Chip Flaws
    http://www.securityweek.com/device-manufacturers-working-patches-intel-chip-flaws

    Acer, Dell, Fujitsu, HPE, Lenovo, Intel and Panasonic are working on releasing patches for the recently disclosed vulnerabilities affecting Intel CPUs, but it could take a while until firmware updates become available to all customers.

    After external researchers identified several potentially serious vulnerabilities affecting its Management Engine (ME) and Active Management Technology (AMT), which allow users to remotely manage computers, Intel has decided to conduct a comprehensive review of the products.

    The analysis revealed the existence of several vulnerabilities in ME, Trusted Execution Engine (TXE) and Server Platform Services (SPS). The security holes can be leveraged to impersonate the ME, SPS and TXE services and impact the validity of local security feature attestation, execute arbitrary code without being detected by the user or the operating system, and crash the system or make it unstable.

  11. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    PC vendors scramble to issue patches after Intel announced firmware flaws allowing remote code execution affecting a wide range of chips and millions of devices

    PC vendors scramble as Intel announces vulnerability in firmware [Updated]
    Millions of computers could be remotely hijacked through bug in firmware code.
    https://arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/

    Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.

    The bugs affect the following Intel CPUs:

    Intel Core processors from the 6th generation (“Skylake”), 7th generation (“Kaby Lake”), & 8th Generation (“Kaby Lake-R” and “Coffee Lake”) families—the processors in most desktop and laptop computers since 2015;
    Multiple Xeon processor lines, including the Xeon Processor E3-1200 v5 & v6 Product Family, Xeon Processor Scalable family, and Xeon Processor W family;
    The Atom C3000 Processor Family and Apollo Lake Atom Processor E3900 series for networked and embedded devices and Internet of Things platforms, and
    Apollo Lake Pentium and Celeron™ N and J series Processors for mobile computing.

    The highest-level vulnerabilities, rated at 8.2 and 7.5 on the Common Vulnerability Security Scale (CVSSv3) respectively, are in the most recent versions of Intel Management Engine. They have the broadest impact on PC users: they allow arbitrary remote code execution and privileged information access. Dell has issued a statement on the MX advisory that lists more than 100 affected systems, including a variety of Inspiron, Latitude, AlienWare, and OptiPlex systems; Lenovo has a similarly vast list posted on its site.

  12. Tomi Engdahl says:

    Security
    Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
    Bugs can be exploited to extract info, potentially insert rootkits
    https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

  13. Tomi Engdahl says:

    Linux laptop-flinger says bye-bye to buggy Intel Management Engine
    ‘Disabling the ME will reduce future vulnerabilities’
    https://www.theregister.co.uk/2017/12/01/system76_bans_bugridden_intel_management_engine/

    In a slap to Intel, custom Linux computer seller System76 has said it will be disabling the Intel Management Engine in its laptops.

    Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers.

    One of the most important vulnerabilities is in the black box coprocessor – the Management Engine – which has its own CPU and operating system that has complete machine control. It’s meant for letting network admins remotely log into servers and workstations to fix any problems (such as not being able to boot).

    The bugs – as security researchers discovered – allow for installing rootkits and spyware on machines that could steal or tamper with information. So, perhaps unsurprisingly, several vendors – including Lenovo – have been quick to patch the bugs.

    Denver, Colorado-based System76, meanwhile, has just banned the Management Engine outright.

    http://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan

  14. Tomi Engdahl says:

    System76 to Disable Intel ME on Laptops Due to Security Flaws
    http://www.securityweek.com/system76-disable-intel-me-laptops-due-security-flaws

    Following the discovery of several potentially serious vulnerabilities in Intel’s Management Engine (ME), computer seller System76 announced its intention to disable the feature on its laptops with a future firmware update.

    In the past months, Intel and third party security researchers discovered a significant number of flaws in ME and Active Management Technology (AMT), which allow users to remotely manage devices. The security holes can be exploited to execute arbitrary code without being detected by the user or the operating system, bypass security features, and crash systems.

    Intel has released patches for these vulnerabilities and vendors such as Acer, Dell, Fujitsu, HPE, Lenovo, and Panasonic informed customers that they are also working on firmware updates that address the weaknesses.

    System76, which provides Linux-powered laptops, desktops and servers, has decided to address the risks introduced by Intel ME by disabling the feature altogether.

  15. Tomi Engdahl says:

    Another Defeat of the Intel Management Engine
    https://hackaday.com/2017/12/07/another-defeat-of-the-intel-management-engine/

    If you have a computer with an Intel processor that’s newer than about 2007, odds are high that it also contains a mystery software package known as the Intel Management Engine (ME). The ME has complete access to the computer below the operating system and can access a network, the computer’s memory, and many other parts of the computer even when the computer is powered down. If you’re thinking that this seems like an incredible security vulnerability then you’re not alone, and a team at Black Hat Europe 2017 has demonstrated yet another flaw in this black box (PDF), allowing arbitrary code execution and bypassing many of the known ME protections.

    [Mark Ermolov] and [Maxim Goryachy] are the two-man team that discovered this exploit, only the second of its kind in the 12 years that the ME has been deployed. Luckily, this exploit can’t be taken advantage of (yet) unless an attacker has physical access to the device. Intel’s firmware upgrades also do not solve the problem because the patches still allow for use of older versions of the ME.

    https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

  16. Tomi Engdahl says:

    https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

    Over the past 12 years, only one vulnerability allowing execution of arbitrary code on ME has been found!

    Now we have two of them!

    Potential attack vectors
    (ways to impact)


    Local communication interface (HECI)

    Network (vPro only)

    IPMI/MCTP

    Host memory (UMA)

    Firmware SPI layout

    Internal file system

    HECI

    Main interface for communication between host and
    ME

    Represented as PCI device

    Transports dozens of ME service protocols

    Undocumented; some protocol formats can be found in
    coreboot

    MEBx and BIOS use HECI to set up ME

    Used by Intel tools for updating and manufacturing-line configuring

  17. Tomi Engdahl says:

    An open and updated letter to Intel by Andrew S. Tanenbaum – Creator of MINIX. Minix is used by Intel ME as a spy engine. Why is Intel not listening to its customers? Why not release a patch/firmware update that allows disabling Intel ME? Does Intel have some hidden agenda or agreement with the governments to keep the spy engine running on my PC? http://www.cs.vu.nl/~ast/intel/
