[nSLUG] BIOS updating

D G Teed donald.teed at gmail.com
Thu Jun 15 08:49:58 ADT 2017


On Thu, Jun 15, 2017 at 8:04 AM, George N. White III <gnwiii at gmail.com>
wrote:

> On 14 June 2017 at 21:03, D G Teed <donald.teed at gmail.com> wrote:
>
>>
>> There are 3 different things that clobber/enable the problem.
>>
>> One is a BIOS update.  Have to wait for vendor for a patch based on
>> Intel's.
>>
>> One is disabling the feature in the BIOS.  It is usually enabled by default in
>> the BIOS/Intel AMT.  This is a simple Yes/ON.
>>
>> A third is provisioning.  This is different than enabling the BIOS.
>> Provisioning means the service (Windows, as far as I can tell) which
>> configures the lights-out management has been installed and set up.  You would
>> know if you had set this up!
>>
>>
> "Intel AMT supports remote applications running on Microsoft Windows* or
> Linux*." -- see:
> https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
> https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt is a
> nice summary
>
> I gather that provisioning with Intel AMT installs hooks that are visible
> to the OS, but provisioning with potentially malicious software would not be
> easy to detect.
>


I feel you are confusing this issue with the way you use
the meaning of provisioning.

Normally provisioning is a fancy term meaning "you set it up".
In your description "you set it up" becomes "malware set it up".
So you are talking about a priori malware that is required to
be present to take advantage of the Intel AMT flaw.  I don't
think most Linux users need to be concerned with that, unless
they are already vulnerable to Samba, sudo and other nasty
root exploits that were announced in the past few weeks, in which
case the system is rooted and Intel AMT is merely icing on
the cake.

If you actively update your Linux systems, and you never provisioned
Intel AMT, there is no exposure.

People are trying to understand what is happening.  Complicating it with
more what ifs while at the same time explaining the Intel AMT risk
doesn't clarify the specific topic at hand.

I hope people would realize that if they don't patch their BIOS, and they
don't disable the Intel ME in the BIOS, they are still safe if the software
to configure it has not been set up.  Of course there is nothing wrong
with taking the extra steps to disable it in the BIOS, but it isn't
a crucial thing to get done immediately, like, say, Heartbleed patching.
If ports 16992 to 16995 are not exposed to the Internet, you're already
double covered (not set up, blocked by router firewall).  While mentioning
firewall, just to clarify: not the OS firewall like iptables, as AMT operates
on the hardware level prior to the OS or kernel seeing the traffic.
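Because AMT answers from the NIC firmware rather than the OS, the only meaningful check of whether the ports named above are reachable is one run from a different machine on the network; the script below is an added example, not code from this thread, and it assumes (an assumption, not something the thread states) that an AMT web interface identifies itself through an HTTP Server header.

```python
import socket
import sys

# The four Intel AMT ports named in the message above (constructed list):
# 16992/16993 are the HTTP/HTTPS web UI, 16994/16995 the redirection services.
AMT_PORTS = (16992, 16993, 16994, 16995)


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (dropped by a router)
        return False


def amt_banner(raw):
    """Return the HTTP Server header value from a raw response, or None."""
    for line in raw.decode("latin-1", "replace").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def check_amt_exposure(host, timeout=2.0):
    """Probe the AMT ports on a remote host from this machine.

    Run this from ANOTHER host: a loopback connection on the machine itself
    never reaches the firmware listener, and that machine's iptables cannot
    block the traffic either, so only an external view is informative.
    Returns ({port: reachable}, server_banner_or_None).
    """
    reachable = {port: probe_port(host, port, timeout) for port in AMT_PORTS}
    banner = None
    if reachable[16992]:  # only the plain-HTTP port is asked for a banner
        try:
            with socket.create_connection((host, 16992), timeout=timeout) as s:
                s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                banner = amt_banner(s.recv(4096))
        except OSError:
            pass
    return reachable, banner


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    ports, server = check_amt_exposure(target)
    print(f"{target}: reachable AMT ports {[p for p, ok in ports.items() if ok]}")
    print(f"Server header on 16992: {server!r}")
```

Any reachable port in the result means the router or upstream firewall is not doing the "double cover" the message relies on, whatever the host's own iptables rules say.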