
Remote security exploit in all 2008+ Intel platforms

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Remote security exploit in all 2008+ Intel platforms

#1 Post by Puppy » Mon May 01, 2017 6:51 pm

ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#2 Post by Puppy » Wed May 03, 2017 3:37 am

ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

dr_st
Admin
Posts: 10032
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Remote security exploit in all 2008+ Intel platforms

#3 Post by dr_st » Wed May 03, 2017 2:28 pm

Lenovo is urgently working on qualifying and applying the fixes provided by Intel on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.

Options for mitigation until the firmware update is available are:

The network vulnerability can be mitigated by unprovisioning the Intel manageability SKU (AMT and ISM) or disabling the Intel manageability technology within the Intel® MEBx.
The local vulnerability can be mitigated by disabling or uninstalling Local Manageability Service (LMS) on Intel manageability SKUs (AMT, ISM, and SBT).

Note that capabilities and features provided by AMT, ISM, and SBT will be made unavailable when these mitigations are implemented.
In other words - if you don't actually use anything AMT/MEBx/LMS - you are OK? It's only that if you actually use ME features, you are vulnerable?
Thinkpad 25 (20K7), T16 Gen 3 (21MQ), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#4 Post by Puppy » Thu May 04, 2017 5:20 am

dr_st wrote:
Wed May 03, 2017 2:28 pm
In other words - if you don't actually use anything AMT/MEBx/LMS - you are OK? It's only that if you actually use ME features, you are vulnerable?
No :twisted: The thing is enabled by default in all machines with vPro support in CPU. It is also unknown whether disabling in BIOS actually turns it off. Some reports say it just resets it to default state with 'admin' password. Intel's solution requires the software, including (locally) vulnerable LMS Windows service, installed in order to check whether it is active or not :roll:

I spent several hours with the issue. Enabled it in BIOS and entered the setup via Ctrl+P but I haven't found any setting for how to turn it off at all for sure. There are options for LAN IPv4, LAN IPv6 and Wi-Fi. You can turn it off for LAN IPv6 and Wi-Fi but the LAN IPv4 is still enabled, you can select DHCP or fixed IP only. Then I disabled it in BIOS again. I checked ports 16992 and 16993 according to this from another machine on my home network.
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

RealBlackStuff
Admin Emeritus
Posts: 24727
Joined: Mon Sep 18, 2006 5:17 am
Location: Loch Garman, Éire

Re: Remote security exploit in all 2008+ Intel platforms

#5 Post by RealBlackStuff » Thu May 04, 2017 6:24 am

Here's how to get rid of Intel AMT: https://mattermedia.com/blog/disabling-intel-amt/
HTH.
Lovely day for a Guinness! (The Real Black Stuff)
But I actually prefer Murphy's from Cork!

dr_st
Admin
Posts: 10032
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Remote security exploit in all 2008+ Intel platforms

#6 Post by dr_st » Thu May 04, 2017 8:00 am

Puppy wrote:
Thu May 04, 2017 5:20 am
The thing is enabled by default in all machines with vPro support in CPU. It is also unknown whether disabling in BIOS actually turns it off. Some reports say it just resets it to default state with 'admin' password.
You cannot disable the ME FW component that runs in the BIOS. It runs even when the BIOS setting is disabled. However, my understanding is that in this state, known as 'unprovisioned', it does not do much. In particular it does not even load the ME networking driver, and this is why the remote vulnerability should be mitigated in this situation.
Puppy wrote:
Thu May 04, 2017 5:20 am
Intel's solution requires the software, including (locally) vulnerable LMS Windows service, installed in order to check whether it is active or not :roll:
Yeah, I'm "totally" going to install their software and enable AMT just to check if AMT is disabled. :P
Puppy wrote:
Thu May 04, 2017 5:20 am
I checked ports 16992 and 16993 according to this from another machine on my home network.
And did it respond to these ports in any way? On my system, with AMT disabled in the BIOS, it shows nothing running on these (and other AMT ports). The LMS service is disabled.
RealBlackStuff wrote:
Thu May 04, 2017 6:24 am
Here's how to get rid of Intel AMT: https://mattermedia.com/blog/disabling-intel-amt/
That assumes you have AMT running to begin with. I don't, and I don't wish to install it either. What is important to understand is that ME FW is not AMT. AMT is a full-stack solution, involving the firmware, and other software components. It requires certain configuration as well.
Thinkpad 25 (20K7), T16 Gen 3 (21MQ), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#7 Post by Puppy » Thu May 04, 2017 9:22 am

dr_st wrote:
Thu May 04, 2017 8:00 am
And did it respond to these ports in any way?
No.

I also ran ACUConfig /output console status even though I don't have the AMT software and Windows services installed, and got:

Code:

ACUConfig 11.1.0.75
X220: Starting to retrieve machine status...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

Host information - X220
        UUID ...
        Intel(R) AMT version - 7.1.20
        The system is unconfigured.
        The system TLS setup is using PKI.
        Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
        AMT state - Pre-Provision(0)
***********
Exit with code 5 - Call to function failed with return code

But it is not clear whether the reported AMT state Pre-Provision(0) is correct when the LMS service is not running.
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13
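
Added example, not part of the original posts and not Intel's or Lenovo's tooling: a small parser for the ACUConfig status output shown in post #7 that extracts the AMT version, provisioning state and LMS status, then maps them onto the two mitigations quoted from the Lenovo advisory in post #3. The function names and the rule that only state code 0 counts as unprovisioned are assumptions.

```python
import re

# Status output as posted in the thread (X220, LMS not installed).
SAMPLE = """\
ACUConfig 11.1.0.75
X220: Starting to retrieve machine status...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

Host information - X220
        UUID ...
        Intel(R) AMT version - 7.1.20
        The system is unconfigured.
        The system TLS setup is using PKI.
        Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
        AMT state - Pre-Provision(0)
***********
Exit with code 5 - Call to function failed with return code
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.groups() if m else None

def parse_acu_status(text):
    """Pull the fields that matter for the two mitigations out of the output."""
    ver = _find(r"^\s*Intel\(R\) AMT version - ([\d.]+)", text)
    state = _find(r"^\s*AMT state - (.+?)\((\d+)\)", text)
    code = _find(r"^Exit with code (\d+)", text)
    return {
        "amt_version": ver[0] if ver else None,
        "state_name": state[0].strip() if state else None,
        "state_code": int(state[1]) if state else None,
        "lms_reported_down": "(LMS.exe) is not running" in text,
        "exit_code": int(code[0]) if code else None,
    }

def triage(info):
    """Map parsed fields onto the advisory's network and local mitigations."""
    code = info["state_code"]
    return {
        # Assumption: only state 0 (Pre-Provision, as in the sample) is unprovisioned.
        "network_mitigation": None if code is None else code == 0,
        # LMS down matches the local mitigation only if it stays disabled or uninstalled.
        "local_mitigation": info["lms_reported_down"],
        # The thread's open question: a state read without LMS may not be authoritative.
        "state_needs_confirmation": code is not None and info["lms_reported_down"],
    }
```

A result of `None` for `network_mitigation` means the output carried no AMT state line at all, which should be treated as unknown rather than safe.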

dr_st
Admin
Posts: 10032
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: Remote security exploit in all 2008+ Intel platforms

#8 Post by dr_st » Thu May 04, 2017 9:54 am

You're probably fine.
Thinkpad 25 (20K7), T16 Gen 3 (21MQ), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad

RealBlackStuff
Admin Emeritus
Posts: 24727
Joined: Mon Sep 18, 2006 5:17 am
Location: Loch Garman, Éire

Re: Remote security exploit in all 2008+ Intel platforms

#9 Post by RealBlackStuff » Thu May 04, 2017 3:43 pm

And another bum-wiper, this time for Intel's ME: https://github.com/corna/me_cleaner

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#10 Post by Puppy » Thu Jun 01, 2017 1:44 am

Lenovo has released ME firmware updates for most machines, including .20 and .10 series! https://support.lenovo.com/cz/cs/produc ... /len-14963
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

prophetic
Posts: 9
Joined: Tue Apr 26, 2016 12:57 pm
Location: PHX, AZ

Re: Remote security exploit in all 2008+ Intel platforms

#11 Post by prophetic » Sat Jun 03, 2017 10:47 am

Puppy wrote:
Thu Jun 01, 2017 1:44 am
Lenovo has released ME firmware updates for most machines, including .20 and .10 series! https://support.lenovo.com/cz/cs/produc ... /len-14963
Will installing libreboot for my T400 fix the problem? Or is that unable to fix ME?
T400 2764 CTO: T9900, 180 GB SSD, 8 GB 1066 MHz RAM, CCFL WXGA+, ATI dGPU, Intel 7260 AC, Windows 10 Home

T430 2342 CTO: i7-3632QM, 256 GB SSD + 500 GB Ultrabay HDD + 128 GB mSATA SSD, 16 GB 1600 MHz RAM, FHD mod (N140HCE-EN1 Rev.C4), NVIDIA dGPU, Intel 7260 AC, Windows 10 Pro/Linux Mint

shawross
Senior Member
Posts: 671
Joined: Mon Oct 28, 2013 5:48 am
Location: Perth Australia

Re: Remote security exploit in all 2008+ Intel platforms

#12 Post by shawross » Sat Jun 03, 2017 7:07 pm

The T400 is not listed so you can assume it is not affected by the "Remote security exploit".

Make sure AMT is disabled in your BIOS regardless and any software to AMT is removed.
Active --- Love the X series
X301 W 7/Mint | X201 540M L Mint | X220 2520 W7/Mint

Nostalgia
X61 T7500 / T41 T42 T43 / A31

Rogue daily driver - Samsung RV511 15.6 " Screen - W 7

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#13 Post by Puppy » Sun Jun 04, 2017 12:03 pm

shawross wrote:
Sat Jun 03, 2017 7:07 pm
The T400 is not listed so you can assume it is not affected by the "Remote security exploit".
It is rather too old to be verified for this bug.
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

prophetic
Posts: 9
Joined: Tue Apr 26, 2016 12:57 pm
Location: PHX, AZ

Re: Remote security exploit in all 2008+ Intel platforms

#14 Post by prophetic » Sun Jun 04, 2017 8:51 pm

shawross wrote:
Sat Jun 03, 2017 7:07 pm
The T400 is not listed so you can assume it is not affected by the "Remote security exploit".

Make sure AMT is disabled in your BIOS regardless and any software to AMT is removed.
True, the article linked in the OP mentions Nehalem and above. Since I'm Penryn, hopefully I'm ok. But it's more likely that Lenovo doesn't expect people to be using xx00 series ThinkPads anymore.
T400 2764 CTO: T9900, 180 GB SSD, 8 GB 1066 MHz RAM, CCFL WXGA+, ATI dGPU, Intel 7260 AC, Windows 10 Home

T430 2342 CTO: i7-3632QM, 256 GB SSD + 500 GB Ultrabay HDD + 128 GB mSATA SSD, 16 GB 1600 MHz RAM, FHD mod (N140HCE-EN1 Rev.C4), NVIDIA dGPU, Intel 7260 AC, Windows 10 Pro/Linux Mint

TonyJZX
Senior Member
Posts: 729
Joined: Sun Feb 19, 2006 12:33 am
Location: Australia

Re: Remote security exploit in all 2008+ Intel platforms

#15 Post by TonyJZX » Mon Jun 05, 2017 5:59 am

Nice job on Lenovo for getting this out... they go above and beyond supporting 1st gen up.

It would be an act of god to support T400s.

My question would be does it affect units with whitelists?

I assume it writes to the portion of nvram rom etc that affects ME so I hope it doesn't make me pull out wlan cards.

TPFanatic
Senior ThinkPadder
Posts: 2824
Joined: Thu Jul 30, 2015 11:29 pm

Re: Remote security exploit in all 2008+ Intel platforms

#16 Post by TPFanatic » Mon Jun 05, 2017 11:02 am

I understood that the exploit is for certain versions of Intel ME. T410 and T420 use different versions. Montevina (T400, T500) uses an older version that I presume doesn't have the exploit.

Puppy
Senior ThinkPadder
Posts: 2823
Joined: Sat Oct 30, 2004 4:52 am
Location: Prague, Czech Republic

Re: Remote security exploit in all 2008+ Intel platforms

#17 Post by Puppy » Wed Aug 30, 2017 3:08 pm

Eureka! The Intel Management Engine can be finally disabled, thanks to the NSA
https://www.notebookcheck.net/Eureka-Th ... 922.0.html
ThinkPad (1992 - 2012): R51, X31, X220
Huawei MateBook 13

RealBlackStuff
Admin Emeritus
Posts: 24727
Joined: Mon Sep 18, 2006 5:17 am
Location: Loch Garman, Éire

Re: Remote security exploit in all 2008+ Intel platforms

#18 Post by RealBlackStuff » Wed Aug 30, 2017 3:29 pm

The ME_Cleaner is already being updated: https://github.com/corna/me_cleaner/issues/53
Nicola Corna already suspected that bit, which has now been confirmed.
