[nSLUG] BIOS updating

D G Teed donald.teed at gmail.com
Wed Jun 14 19:10:15 ADT 2017


The BIOS can be vulnerable, but you are not exposed if it is enabled but
not configured.

Think of it this way: the thing is accessible if your system is off, or
even if the system's firewall blocks it.  Therefore it has to be
configured so that some IP address is active outside of the
OS operation.  Something in the Intel service run on the system,
which was a Windows service in all cases I saw, leaves
that residue networking behind in the Intel ME hardware.

Eventually one should get their BIOS updated from the vendors
to address this, but in the meantime no one should operate
systems with the Intel ME Service on Windows.


On Wed, Jun 14, 2017 at 6:40 PM, Joel Maxuel <j.maxuel at gmail.com> wrote:

> Well then...
>
> INTEL-SA-00075-Discovery-Tool -- Release 0.8
> Copyright (C) 2003-2012, 2017 Intel Corporation.  All rights reserved
>
>
> ------------------Firmware Information--------------------
>
> Intel(R) AMT: ENABLED
> Flash:    8.1.0
> Netstack:    8.1.0
> AMTApps:    8.1.0
> AMT:    8.1.0
> Sku:    24584
> VendorID:    8086
> Build Number:    1265
> Recovery Version:    8.1.0
> Recovery Build Num:    1265
> Legacy Mode:    False
>
> -----------------SKU Information-----------------
>          Corporate SKU
>          Intel(R) Anti-Theft Technology (Intel(R) AT)
>          Intel(R) Active Management Technology
> -------------------------------------------------
>
> PROVISIONING_STATE = PRE
>
> ------------------Vulnerability Status--------------------
> Based on the version of the Intel(R) MEI, the System is Vulnerable.
> If Vulnerable, contact your OEM for support and remediation of this system.
> For more information, refer to CVE-2017-5689 at:
> https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security
> advisory
> Intel-SA-00075 at:
> https://security-center.intel.com/advisory.aspx?intelid=
> INTEL-SA-00075&languageid=en-fr
> ----------------------------------------------------------
>
>
>
> --
> Cheers,
> Joel Maxuel
>
> "One should strive to achieve, not sit in bitter regret."
>  - Ronan Harris / Mark Jackson
>
> On Wed, Jun 14, 2017 at 4:10 PM, D G Teed <donald.teed at gmail.com> wrote:
>
>>
>> I was puzzled by the whole thing when I read up on it a couple of weeks
>> ago.
>>
>> It is enabled on the BIOS of many systems, even if you don't have a vPro
>> sticker. However, it won't be listening unless the IP had been configured
>> on the system to offer the management services.  Once it is configured,
>> that IP is alive even when the system is powered off.  Some newer systems
>> have removed the option from the BIOS to disable IME.  It is like lights
>> out or baseboard management built-in to the main ethernet interface on
>> the mainboard.
>>
>> Big risk for anyone who has configured it, but just something
>> to be aware of for the rest of us.
>>
>>
>>
>> On Wed, Jun 14, 2017 at 11:00 AM, George N. White III <gnwiii at gmail.com>
>> wrote:
>>
>>> On 14 June 2017 at 08:16, Joel Maxuel <j.maxuel at gmail.com> wrote:
>>>
>>>> Thanks Dave.  I missed the memo on the active IME exploit.
>>>>
>>>> May not be much help to me anyway, based on the summary of changes for
>>>> my latest MoBo update:
>>>> http://support.lenovo.com/ca/en/downloads/ds029265
>>>>
>>>> I can check to see how bad it is, and what steps I can take tonight:
>>>> https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools
>>>>
>>>> Thank you again.
>>>>
>>>
>>> Some US Government employees were told to get rid of their Lenovo
>>> laptops last fall.  Then in May Lenovo released Intel Management Engine
>>> Firmware 9.5 for my SSC issued laptop -- makes me wonder if US Gov't knew
>>> about IME exploits before they were made public, and if there are active
>>> exploits that still aren't public.
>>>
>>> Some articles suggest IME isn't an issue for linux users unless you use
>>> a high-end server farm that uses Intel's management tools, (possibly
>>> Google apps). That doesn't mean high-end malware won't leverage IME, but
>>> probably only after gaining full control of the system.  For home linux
>>> systems there may not be much to be gained from IME based exploits, but
>>> it sounds like something TLA agencies would use, so will probably escape
>>> to malware sooner or later.
>>>
>>> --
>>> George N. White III <aa056 at chebucto.ns.ca>
>>> Head of St. Margarets Bay, Nova Scotia
>>>
>>> _______________________________________________
>>> nSLUG mailing list
>>> nSLUG at nslug.ns.ca
>>> http://nslug.ns.ca/mailman/listinfo/nslug
>>>
>>>
>>
>>
>>
>
>
>
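A defender-side triage script, added here as an example (not code from the thread or from Intel's discovery tool), that parses output in the format quoted above and applies the thread's reasoning: an affected firmware version needs the vendor update, but the management IP only answers on the wire once AMT has been provisioned. The affected range 6.0 to 11.6 is the range Intel published for INTEL-SA-00075; the sample output is constructed from the lines quoted in the thread.

```python
import re

# Firmware versions Intel lists as affected by INTEL-SA-00075 (CVE-2017-5689)
AFFECTED_MIN, AFFECTED_MAX = (6, 0), (11, 6)

# Constructed sample, trimmed from the discovery-tool output quoted in the thread
SAMPLE_OUTPUT = """\
Intel(R) AMT: ENABLED
AMT:    8.1.0
PROVISIONING_STATE = PRE
https://nvd.nist.gov/vuln/detail/CVE-2017-5689 or the Intel security
"""

def parse_discovery_output(text):
    """Collect 'Key:   value' lines plus PROVISIONING_STATE into a dict.
    Requiring whitespace after the colon keeps URL lines out."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z][A-Za-z() ]*?):\s+(\S.*)$', line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        m = re.match(r'^\s*PROVISIONING_STATE\s*=\s*(\w+)', line)
        if m:
            fields['PROVISIONING_STATE'] = m.group(1)
    return fields

def parse_version(s):
    """'8.1.0' -> (8, 1); unparseable input -> (0, 0)."""
    parts = s.split('.')
    try:
        return (int(parts[0]), int(parts[1]))
    except (IndexError, ValueError):
        return (0, 0)

def assess(fields):
    """Affected version needs the update; only a provisioned system is reachable."""
    amt_on = fields.get('Intel(R) AMT', '').upper() == 'ENABLED'
    version = parse_version(fields.get('AMT', ''))
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    # AMT provisioning states are PRE, IN and POST; PRE means never provisioned
    provisioned = fields.get('PROVISIONING_STATE', 'PRE').upper() != 'PRE'
    if not (amt_on and affected):
        verdict = 'not-affected'
    elif provisioned:
        verdict = 'remote-exposed'          # patch and unprovision now
    else:
        verdict = 'needs-firmware-update'   # vulnerable version, not listening yet
    return {'version': version, 'affected': affected,
            'provisioned': provisioned, 'verdict': verdict}
```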

