-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathintel-management-engine-vulnerabilities.html
160 lines (148 loc) · 8.01 KB
/
intel-management-engine-vulnerabilities.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Intel Management Engine Vulnerabilities</title>
<link rel="stylesheet" href="/theme/css/main.css" />
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="index" class="home">
<header id="banner" class="body">
<h1><a href="/">Hack-Char's Blog </a></h1>
<nav><ul>
<li class="active"><a href="/category/misc.html">misc</a></li>
</ul>
</nav>
</header><!-- /#banner -->
<section id="content" class="body">
<article>
<header>
<h1 class="entry-title">
<a href="/intel-management-engine-vulnerabilities.html" rel="bookmark"
title="Permalink to Intel Management Engine Vulnerabilities">Intel Management Engine Vulnerabilities</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Fri 01 December 2017</span>
<span>| tags: <a href="/tag/intel-me.html">Intel ME</a><a href="/tag/ime.html">ime</a></span>
</footer><!-- /.post-info --> <div class="section" id="intel-management-engine">
<h2>Intel Management Engine</h2>
<div class="section" id="what-is-it">
<h3>What is it?</h3>
<p>A few months ago, there was a white paper 'Silent Bob is Silent' describing an Intel ME vulnerability.
There were a whole slew of new vulnerabilities found <a class="reference external" href="https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr">Intel ME CVEs</a></p>
<p>The best write up describing these new issues is in this Trend Micro
<a class="reference external" href="http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/">blog</a></p>
</div>
<div class="section" id="what-s-vulnerable">
<h3>What's vulnerable?</h3>
<p>Everyone that bought a new computer in the last decade or so.
But might not be as disasterous as some have made it out to be. Assuming you don't have remote managability features enabled...</p>
<p>To get useful information, use this <a class="reference external" href="https://github.com/zamaudio/intelmetool">IntelMEtool utility</a>
Make sure to follow the instructions and <tt class="docutils literal">rmmod</tt> the me modules as well as issue a <tt class="docutils literal">iomem=relaxed</tt> to your kernel boot args.</p>
<p>The output for this tool on my computer looks like this (without trying to invasively remove the Intel ME):</p>
<pre class="literal-block">
Bad news, you have a `Sunrise Point-H CSME HECI #1` so you have ME hardware on board and it is very difficult to remove, continuing...
RCBA at 0x00000000
MEI was hidden on PCI, now unlocked
MEI found: [8086:a13a] Sunrise Point-H CSME HECI #1
ME Status : 0x90000245
ME Status 2 : 0x86110306
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : YES
ME: Manufacturing Mode : NO
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Normal
ME: Current Operation State : M0 with UMA
ME: Current Operation Mode : Normal
ME: Error Code : No Error
ME: Progress Phase : Clean Moff->Mx wake
ME: Power Management Event : Pseudo-global reset
ME: Progress Phase State : Unknown 0x11
PCI READ [bc] : 0x000000bc
ME: Extend Register not valid
ME seems okay on this board
WRITE [00] : CB: 0x80040007
WRITE [00] : CB: 0x000002ff
READ [08] : CB: 0x801c0007
READ [08] : CB: 0x000082ff
READ [08] : CB: 0x000b0000
READ [08] : CB: 0x0000049c
READ [08] : CB: 0x000b0000
READ [08] : CB: 0x0000049c
READ [08] : CB: 0x000b0000
READ [08] : CB: 0x0000049c
ME: Firmware Version 11.0.1180.0 (code) 11.0.1180.0 (recovery) 11.0.1180.0 (fitc)
WRITE [00] : CB: 0x80080007
WRITE [00] : CB: 0x00000203
WRITE [00] : CB: 0x00000000
READ [08] : CB: 0x800d0007
READ [08] : CB: 0x00008203
READ [08] : CB: 0x00000000
READ [08] : CB: 0x11194004
READ [08] : CB: 0x00000031
ME Capability: Full Network manageability : OFF
ME Capability: Regular Network manageability : OFF
ME Capability: Manageability : OFF
ME Capability: Small business technology : OFF
ME Capability: Level III manageability : OFF
ME Capability: IntelR Anti-Theft (AT) : OFF
ME Capability: IntelR Capability Licensing Service (CLS) : ON
ME Capability: IntelR Power Sharing Technology (MPC) : OFF
ME Capability: ICC Over Clocking : ON
ME Capability: Protected Audio Video Path (PAVP) : ON
ME Capability: IPV6 : OFF
ME Capability: KVM Remote Control (KVM) : OFF
ME Capability: Outbreak Containment Heuristic (OCH) : OFF
ME Capability: Virtual LAN (VLAN) : ON
ME Capability: TLS : OFF
ME Capability: Wireless LAN (WLAN) : OFF
Re-hiding MEI device...done, exiting
</pre>
<p>Also you could get the official 'detection' utility from intel:
<a class="reference external" href="https://www.intel.com/content/www/us/en/support/articles/000025619/software.html">https://www.intel.com/content/www/us/en/support/articles/000025619/software.html</a></p>
<p>The output above gives me confidence my laptop is not remotely exploitable as the manageability features are all disabled. The VLAN capability is a little bit
disconcerting, but to help prove to myself its at least not remotely exploitable - scan the ports associated with the AMT features: 16992-16995 and 623 and 664.</p>
<p>That is not to say I am not affected. I am. However, the one remotely exploitable CVE is not likely an issue for my machine.</p>
</div>
<div class="section" id="what-can-you-do">
<h3>What can you do?</h3>
<p>Remove Intel ME!
This is a pretty drastic step, and will require you are familiar with hardware.
Specifically, you will need to physically connect to the flash chip on your motherboard that contains the Intel ME firmware code. You then dump the code to a local machine,
use a utility to attempt a patch and then re-program the chip. If it works, you can boot back up and see most functionality was disabled.</p>
<p>Follow this great <a class="reference external" href="https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine">guide</a> to do everything possible
to remove or disbable as much of the Intel ME as possible. Also refer to the <a class="reference external" href="https://github.com/corna/me_cleaner">me_cleaner</a> site which is used to make
the actual modifications to your dumped firmware.</p>
</div>
</div>
</div><!-- /.entry-content -->
</article>
</section>
<section id="extras" class="body">
<div class="blogroll">
<h2>blogroll</h2>
<ul>
<li><a href="http://getpelican.com/">Pelican</a></li>
<li><a href="http://python.org/">Python.org</a></li>
<li><a href="http://jinja.pocoo.org/">Jinja2</a></li>
<li><a href="#">You can modify those links in your config file</a></li>
</ul>
</div><!-- /.blogroll -->
<div class="social">
<h2>social</h2>
<ul>
<li><a href="#">You can add links in your config file</a></li>
<li><a href="#">Another social link</a></li>
</ul>
</div><!-- /.social -->
</section><!-- /#extras -->
<footer id="contentinfo" class="body">
<p>Powered by <a href="http://getpelican.com/">Pelican</a>. Theme <a href="https://github.com/blueicefield/pelican-blueidea/">blueidea</a>, inspired by the default theme.</p>
</footer><!-- /#contentinfo -->
</body>
</html>