How to remote hijack computers using Intel's insecure chips: Just use an empty login string

jim bell jdb10987 at yahoo.com
Mon May 8 15:15:38 PDT 2017



 From: Georgi Guninski <guninski at guninski.com>

>How to remote hijack computers using Intel's insecure chips: Just use an empty login string
>https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/
This seems interesting as a description of the problem, too:
https://threatpost.com/researcher-baseless-assumptions-exist-about-intel-amt-vulnerability/125390/

[partial quote follows]
Researchers at Embedi who found the critical Active Management Technology (AMT) flaw in Intel chips said in a blog published today there were “a tremendous amount of baseless assumptions” being made about the vulnerability.

According to Embedi CTO Dmitry Evdokimov, an information vacuum has predictably sparked false assumptions about the vulnerability, otherwise known as Intel Standard Manageability Escalation of Privilege – INTEL-SA-00075 (CVE-2017-5689).

For starters, the date range of Intel systems affected by this vulnerability (version 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6) goes from 2010 to 2011; no Intel firmware related to this vulnerability was in use before 2010, Embedi said. Evdokimov refuted reports that the AMT vulnerability dates back as many as nine years to when the AMT feature was first introduced.

Embedi said its hands are tied and it can’t release granular details on the AMT flaw, but promised a fuller account once Intel and other stakeholders have a chance to patch systems. “Intel representatives have asked Embedi to hold off on disclosing any technical details regarding this issue until further notice,” according to a blog post by Embedi titled MythBusters.

Evdokimov emphasizes the vulnerability is not associated with a remote code execution (RCE) bug as others had assumed in reports following Intel’s security bulletin. Rather, Evdokimov emphasized the flaw Embedi researchers found was a logical vulnerability, details of which he also could not disclose.

“RCE is a technical vulnerability like a coding mistake. A logical vulnerability finds flaws in the way the application makes decisions,” explained Evdokimov in an interview with Threatpost.

He also said the vulnerability impacts only Intel PCs, laptops and servers with the enabled Intel AMT feature turned on. No consumer PCs are affected–a distinction not consistently made in reporting of the vulnerability.

However, Evdokimov also noted; “in our recent researches we’ve discovered some cases which allows attacks even on systems without the official AMT-support could be at risk.” He declined to elaborate.

“The vulnerability discovered is a logical vulnerability in some AMT network protocols which allows a remote attacker to take full control (log in as admin) of any AMT service the system is capable of,” Evdokimov said.

He said the vulnerability could allow an attacker to gain remote access to AMT services such as the keyboard, video and mouse (KVM), IDE Redirection, Serial over LAN and BIOS setup and editing. But Evdokimov points out when any of the above AMT features are activated by a third party, the activities of the attacker can’t be easily hidden from the target system user.

He said the vulnerability was discovered by Embedi researcher Maks Malyutin in mid-February. The vulnerability was disclosed to Intel on March 3.

Evdokimov noted that the logical vulnerability that Embedi found was unrelated to a flaw identified in June 2016 by a researcher who claimed that there was a remotely exploitable security hole in the Intel Management Engine that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs. A number of reports, following Intel’s disclosure, made the assumption the vulnerabilities were related, he said.

“There is no relation. Actually, the researcher wrote about the “backdoor” capabilities of Intel ME subsystem (access to DRAM, out-of-band access to a network interface and other administration and control capabilities used by Intel AMT technology). It is scary to have this subsystem inside each computer system, but it is unrelated.”

Given the disclosure date of March 3, some in the research community are scratching their heads over a sharp increase in the scanning of ports 16992 or 16993, used by systems administrators to manage workstations remotely over a network.

“Intel released their advisory yesterday, yet people started scanning for 16992 or 16993 last month,” tweeted a researcher who goes by the handle x0rz.
[end of partial quote]
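One defender-side use of the two AMT port numbers named in the quoted article, added here as an example that is not from the post, the article or Embedi: it parses constructed firewall-style log lines (the line format and all addresses are assumptions) to flag sources sweeping 16992/16993 across many hosts and to list hosts that accepted an AMT-port connection from outside a management allow-list.

```python
import re
from collections import defaultdict

# Ports Intel AMT listens on for remote management (16992 plain, 16993 TLS),
# as named in the quoted article.
AMT_PORTS = {16992, 16993}

# Constructed sample firewall log (not real traffic): "<ts> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2017-04-12T03:14:01Z 203.0.113.7 10.0.0.5 16992 ACCEPT
2017-04-12T03:14:02Z 203.0.113.7 10.0.0.6 16992 ACCEPT
2017-04-12T03:14:02Z 203.0.113.7 10.0.0.7 16993 DROP
2017-04-12T03:14:03Z 203.0.113.7 10.0.0.8 16992 DROP
2017-04-12T09:00:00Z 10.0.0.2 10.0.0.5 16992 ACCEPT
2017-04-12T09:05:00Z 10.0.0.2 10.0.0.5 443 ACCEPT
2017-04-12T09:06:00Z 198.51.100.9 10.0.0.9 22 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield dict(ts=m[1], src=m[2], dst=m[3], dport=int(m[4]), action=m[5])


def amt_scanners(log, min_targets=3):
    """Sources that touched an AMT port on at least min_targets distinct hosts
    (accepted or dropped): the horizontal-sweep pattern the article describes."""
    targets = defaultdict(set)
    for ev in parse(log):
        if ev["dport"] in AMT_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def exposed_amt_hosts(log, trusted_sources):
    """Hosts that ACCEPTed an AMT-port connection from a source that is not on
    the management allow-list, i.e. AMT reachable from where it should not be."""
    return sorted({ev["dst"] for ev in parse(log)
                   if ev["dport"] in AMT_PORTS and ev["action"] == "ACCEPT"
                   and ev["src"] not in trusted_sources})


if __name__ == "__main__":
    print("sweeping sources:", amt_scanners(SAMPLE_LOG))
    print("AMT reachable from untrusted sources:", exposed_amt_hosts(SAMPLE_LOG, {"10.0.0.2"}))
```

Hosts returned by the second check are the ones to inventory for affected AMT firmware versions and to fence off at the network edge until patched.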
