Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability are subject to a hole allowing an unprivileged attacker to gain control of the management features for these products. The issue was made public today via INTEL-SA-00075.
For those with AMT enabled on their systems, it can affect supported processors going back to 2008 when AMT6 debuted -- thus the vulnerability covers from Nehalem to Kabylake CPUs.
I'm too retarded to know if this affects me or not. I've been using my i3-6100 Skylake CPU for around a year, completely out of the box, no changes at all. Does this affect me?
John Long
Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.
Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.
fuck offfff you're just lazy
Aiden Robinson
>The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.
In an effort to make Intel® AMT easier to use, to support cross platform and over the Internet usages, we are building a new version of the MDTK that is fully written in JavaScript. There are many advantages in doing this, but above all, it just makes a lot of sense. With HTML5 being very capable, it's a lot easier for administrators to use web applications that interact with Intel AMT within a browser, making the local installation of tools a thing of the past in some cases.
Below, we have a new version of Manageability Commander that is fully written in JavaScript and uses a new WSMAN stack, redirection stack along with remote desktop and remote terminal libraries. You can use this new version as-is or can download the source code and samples to build your own web based Intel AMT tools. Also look at the overview presentation and screen shots.
Alexander Thompson
Finally.
I've always known that the shitty programs in the processor were buggy and vulnerable, but now we have factual confirmation.
>the vulnerability covers from Nehalem to Kabylake CPUs.
>Kaby Lake Xeons
>existing
Christian Reyes
That's a lot of reading, user. What's the short answer?
Jace Howard
>read it for me
Christopher Cooper
>tfw rolling a Q9550
Luis Brooks
Haha I knew sticking on my old Duos and Celeron would pay off!
Luke Brooks
It isn't the only way to check it, if you bother to read the PDF.
Nathan Evans
>look up my i7-4770 on ark.intel
>vPro: Yes
>fuck
>run scsdiscovery
>False
I don't know what to believe anymore.
Alexander Cox
Here's a disturbing question: Do AMD CPUs have similar problems that we simply don't know about?
Jason Collins
The CPU supports vPro, but the motherboard doesn't. You'll need a special business chipset which enables IPMI-like capabilities. I think ThinkPads support vPro, by the way.
Caleb Bell
The Register calls this a RED ALERT!
> These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to this year's Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the operating system, its applications and any antivirus.
From what I gather you need both a motherboard and a CPU with vPro support for this to be exploited.
The funny thing is that you apparently need to get the _motherboard_ vendor to give you a firmware patch. With all the motherboards that have support for this produced in the last decade.. there's going to be a lot of unpatched motherboards out there.
I mean.. anyone really expect firmware patches for 4-5 year old motherboards?
Jason Nelson
>backdoor feature can be used as a backdoor
And this is a shocker why exactly?
Angel Adams
Article literally says
>This vulnerability does not exist on Intel-based consumer PCs.
Gabriel Thomas
Can't the feature just be disabled in the processor?
William Collins
No because it is a gov backdoor.
Robert Morales
It's most likely that any motherboard vendor that is not supporting a board anymore probably doesn't have vPro enabled on that board.
Jose Hill
Definitely a serious issue for corporations but it seems that most of the fear mongering about it around these parts ended up just that, fear mongering with nothing for us to worry about because we don't buy motherboards with the support.
Logan Mitchell
What exactly could someone do with the vulnerability?
What exactly would it give to a virus that it can't do already?
Ryan Carter
Complete control of everything on your system remotely while hidden from every piece of software running on your system.
Jayden Phillips
Direct memory access from the firmware. No software can protect you.
Joseph Bennett
With a virus you have to actually infect the computer before it can work. This is a remote vulnerability. This is something that lets you, among other things, plant a virus into the computer.
Wyatt Scott
>What exactly could someone do with the vulnerability?
Anything, seriously
Isaiah Peterson
>An extreme vulnerability that remained undetected for almost 10 years
Lmao Intel
Austin Campbell
Hmmm it's almost like it was a deliberately installed backdoor.
Matthew Johnson
But a firmware update can.
Ian Mitchell
Yeah, I don't know how that will be distributed and delivered to millions of critical servers though...
Gavin Price
Steamroller, Excavator, and Ryzen all have a similar thing called the Platform Security Processor. AMD has considered open sourcing it for use with coreboot though. Which will probably allow disabling it on at least Ryzen.
Camden Perry
>undetected
It's been known for years, Intel refused to patch it. The fact they're coming out now in a panic means malware finally exploited it.
Dylan Nelson
I am fucked, I have an X220 and my desktop PC uses an i5 4460.
It's sad. SAD.
Carson Parker
fudzilla.com/news/processors/43537-latest-intel-security-exploit-affects-nehalem-through-kaby-lake
Intel security is compromised big time
Vulnerability level similar to Heartbleed (OpenSSL) in 2014
Intel has just patched a security vulnerability that affects all of its desktop and notebook platforms from Nehalem in 2008 to Kaby Lake in 2017, with a higher degree of vulnerability for users on Intel vPro systems.
The vulnerability, which our friend Charlie at SemiAccurate has been trying to get the company to fix for nearly five years now, affects every Intel platform with AMT, ISM and SBT. The list includes every desktop and notebook platform Intel has released since first-generation Core series Nehalem processors in 2008 through the 7th-gen Kaby Lake processors currently on the market.
In Intel's May 1st security advisory, any machine can allow an attacker to “gain control of the manageability features provided by these products” either locally or remotely. On the local end, Intel says “an unprivileged network attacker could gain system privileges to provisioned manageability Even if a machine does have AMT, ISM or SBT provisioned, it is still classified as being locally vulnerable to attack but not remotely vulnerable.
Is this still the ring0 vulnerability that was detected in 2008-2009-ish?
Brayden Mitchell
>The fact they're coming out now in a panic means malware finally exploited it.
or you know, they have a fuckton of patched ICs to sell. maybe you can even get 10% off if you bring your old CPU
>not riding the intc since $19 as if you don't even want to get rich
Aaron Jones
8350 isn't 10 years old and still works well. Also PPC still isn't botnet. And in the worst case scenario we can always use cellbe
Zachary Ramirez
I bought all intel cpus for my family and me. All of them were made during the last 9 years. What do I have to do to be safe? As simple as possible please.
Gavin Scott
>What do I have to do to be safe? As simple as possible please.
you have to research. how did you not know about this anyway?
Liam Hall
>in worst case scenario we can use an arch that isn't produced at all, that's also just an in-order PPC core with some really slow vector units hamfistedly attached.
I'd rather be vulnerable than use Cell.
Benjamin Richardson
At least Intel has good taste in girls
Ayden Russell
For this to be exploited you need both a CPU and a motherboard that have this functionality. If you bought consumer motherboards and computers then you should not worry. If you have a ThinkPad or a business Dell series then you are in trouble, and you must wait for patches from those manufacturers.
Connor Perry
it was a joke. But nonetheless it can still be used
Parker Howard
ARM based home computers will be our salvation.
Jackson Jackson
>ARM based home computers will be our salvation.
fucking hell do you even know what automated remote management is?
Julian Turner
Unlikely. They're super locked down and have security processing too...
Our best hope is nVidia trying on x86 again. Intel will probably say no again (although, right now, they might just say yes to prevent the lawsuit) but nVidia could possibly win in a suit now due to Intel's shit security potentially harming US National Security.
David Thompson
>Our best hope is nVidia trying on x86 again.
l i s c e n c i n g
Christian Cooper
They will be our salvation in a way that we will have a lot of different producers to choose from. It will be easier to get one without botnet.
Tyler Cook
no it won't, you have no idea what you're talking about. it's a standard feature nowadays, and having multiple competing architectures is always a nightmare for development. we're better off having the x86 licence be free and having competing companies producing the same chip. of course we can all see why that won't happen.
Kayden Ramirez
I think it might actually happen - this itself might be the catalyst.
USA needs x86 for many aspects in government and beyond.
US Gov needs at least 2 suppliers under normal circumstances.
US Gov *MUST* buy US designed CPUs.
x86 licensing has been a thorn in USGOV's side.
A massive security issue might suspend sales from single vendor until their products can be revalidated.
It's high time for nVidia to try on x86 again - the courts might rule in their favor in the current climate, which would set a massive precedent, potentially underlying a massive change in x86 licensing.
Fuck ARM, if the cards are played right here, we could free x86 from its current chains...
Alexander Thompson
>claim security bulletin
>the whole world installs malware v2
Has anyone actually seen the exploit? Where is that ball-licker Kerbs when you need him
Logan Howard
>A massive security issue might suspend sales from single vendor until their products can be revalidated.
no it won't, the US gov wants RM to stay in every CPU for obvious reasons. there's no laws being broken so there's no incentive for the courts to rule in nvidia's favour if they ever do decide to waste money on swift failure.
Nicholas Phillips
Parts of USGOV but they're not all the same nor are they allied to each other, except when they need to present a unified front. x86 is a thorn in all depts sides but can't be ditched.
Brody Scott
Stallman is an idiot and a faggot queer communist. Terry was right
Carson Ward
can they take their shirts off?
Matthew King
>Security software written in Javascript and HTML5
Jordan Baker
>mfw there will be recall
Brody Bell
she aged the worst
Brody Johnson
Stallman is always right.
Aiden Jones
>having multiple competing architectures is always a nightmare for development.
Hey, think of it this way, more processors to support means more needed workforce meaning more jobs and MAYBE cheaper hardware.
Nathaniel Scott
>SNSD
What the fuck I love Intel now
Matthew Robinson
Nvidia is going to have a fun time getting the license for AMD_64
Luis Edwards
mjg59.dreamwidth.org/48429.html
>How do I know if I have it enabled?
>Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:
>1) A supported CPU
>2) A supported chipset
>3) Supported network hardware
>4) The ME firmware to contain the AMT firmware
>Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.
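The lspci check described in the quoted post, as an added shell example (not part of the thread or of the linked article): it filters lspci output for a communication controller whose description contains MEI or HECI and reports which case of the post's logic applies. The function names, the `--scan` flag and the sample lspci lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: the lspci check from the quoted post, testable offline.

# Constructed lspci samples (not captured from real machines).
SAMPLE_WITH_MEI='00:00.0 Host bridge: Intel Corporation 4th Gen Core Processor DRAM Controller (rev 06)
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)'
SAMPLE_NO_MEI='00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 15h Processor Root Complex
05:00.0 Communication controller: Conexant Systems, Inc. HSF 56k Data/Fax Modem (rev 01)
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168 PCI Express Gigabit Ethernet Controller (rev 06)'

# stdin: lspci output. stdout: communication-controller lines whose
# description contains MEI or HECI as a whole word (case-insensitive).
# A modem is also a "Communication controller", so the class alone is not enough.
mei_devices() {
    grep -i 'communication controller' | grep -Eiw 'MEI|HECI' || true
}

# stdin: lspci output. stdout: "no-mei" or "mei-present"; detail goes to stderr.
amt_verdict() {
    found=$(mei_devices)
    if [ -z "$found" ]; then
        echo "no-mei"
        echo "No MEI/HECI controller: per the quoted post, AMT isn't running." >&2
    else
        echo "mei-present"
        echo "MEI controller found; AMT may still be unprovisioned." >&2
        echo "Check the ME firmware menu (Ctrl+P at boot) and the vendor's firmware version." >&2
        printf '%s\n' "$found" >&2
    fi
}

# Hypothetical --scan flag: run the check against the live machine.
if [ "${1:-}" = "--scan" ] && command -v lspci >/dev/null 2>&1; then
    lspci | amt_verdict
fi
```

A "mei-present" result only says the ME interface is exposed to the OS; whether the firmware is an affected version still has to be checked against Intel's detection guide linked earlier in the thread.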
Ayden Peterson
FFFFFFUUCKING LENOVO THINKPADS
Jeremiah Scott
Anyone know where to find a list of '08-'09 chipsets that don't have ME?