# Remote code execution on almost all Intel processors: this is again the Management Engine fault



## Deleted member 55181 (Jul 25, 2018)

Persecuted by further discoveries of gaps in the mechanism of speculative instruction execution, Intel discovered that its chips are vulnerable to attack on the other hand - the infamous Management Engine remote management subsystem. This computer-in-computer, which can have complete control over the processes occurring in modern PCs, has proved to be vulnerable to two attacks, one of which allows remote code execution.

Intel Management Engine has been controversial since its introduction to processors in 2008. The reason for this controversy was the closed nature of the subsystem, in theory allowing to hide backdoors in it and to bypass any security of operating systems. On the other hand, Management Engine and its Active Management Technology software significantly simplified the life of administrators in large organizations, allowing them to easily manage machines remotely on the network.

Even they, however, would like to know more about how the Management Engine works, and sometimes even disable the subsystem. Unfortunately, Intel never revealed it, he also did not allow it to be disabled. It did not change in this matter even the radical change in the Management Engine architecture that occurred in the Skylake processors. The Exotic Core ARC core with the ThreadX real-time system replaced the usual 32-bit x86 (Intel Quark) with the MINIX 3 system. However, this was the discovery of independent researchers from Russia, who by the way found the spectacular security holes in the Management Engine.

It was sometimes said that it was a matter of licensing agreements and the protection of intellectual property. With the help of the Management Engine, DRM policies are also enforced, the Protected Audio Video Path module is responsible for that. Intel's Hollywood partners would simply be unhappy if an ordinary user could just turn it off to allow unspeakable acts of media piracy.

Unfortunately, we pay for the satisfaction of Intel's partners with our security. Newly discovered vulnerabilities in Management Engine are even more dangerous than previously discovered, they are easier to wyexploitować.

The first of them is CVE-2018-3627 . It threatens all 6th, 7th and 8th generation Intel Core processors as well as Xeonom Greenlow and Basin Falls. It is defined as an error in the Intel Converged Security Management Engine logic, and allows local access to the attacker to run arbitrary code with administrative privileges.

The second gap is CVE-2018-3628 . It threatens all generations of Core processors, from 1 to 8, old Core 2 Duo and Centrino 2 processors with vPro technologies, and Xeonom from Greenlow, Purley and Basin Falls families. Intel has described the error as a buffer overflow in the HTTP handle in Intel Active Management Technology. This allows the attacker to remotely execute arbitrary code if it is in the same subnet. Worst of all, you do not even have to have an administrator password.
*What now?*

In fact, we are not on the basis of laconic messages from Intel to assess what can be done about it. Researchers from Positive Technologies, the same ones who discovered two vulnerabilities in Management Engine last year, announce their deeper investigation. They believe that these vulnerabilities were discovered when the code was audited by Intel after their discovery, but they were moved aside so as not to be frightened by the simultaneous release of such patches on the Management Engine firmware.

As usual, in this situation we can encourage to neutralize the Intel Management Engine once and for all using the independent ME_cleaner tool. It removes ME modules, making them toothless. At the same time, it leaves everything that is necessary to start the computer and avoid turning it off after 30 minutes.

https://translate.google.com/translate?sl=pl&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https://www.dobreprogramy.pl/Zdalne-uruchamianie-kodu-na-niemal-wszystkich-procesorach-Intela-to-znow-wina-Management-Engine,News,89437.html&edit-text=&act=url

https://translate.google.com/translate?sl=pl&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https://www.wykop.pl/link/4434585/zdalne-uruchamianie-kodu-na-niemal-wszystkich-procesorach-intela-me/&edit-text=&act=url


----------



## ralphbsz (Jul 26, 2018)

Can someone verify this from trusted parties?  I don't speak Polish, and I can't evaluate whether this is real, or whether this is a case where (justified) panic about Intel's vulnerabilities is being abused to sell a cure that is worse than the disease.


----------



## Deleted member 55181 (Jul 26, 2018)

CVE-2018-3627 and  CVE-2018-3628  -> google. Date of publicate: 07/10/2018

https://www.security-database.com/detail.php?alert=CVE-2018-3627
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00118.html


----------



## Chris_H (Jul 26, 2018)

IM(perhaps, not so)HO
*All* Intel CPUs should be scrapped, and a class action suit should be brought against them.
Honestly. If any other manufacturer had produced a faulty/dangerous product. They'd have been required to perform a recall, and fix the problem(s) gratis.
Everyone should take this seriously, and _at least_ boycott/not buy Intel products.
It's all really as simple as that.

I'm done. 

--Chris


----------



## Phishfry (Jul 26, 2018)

I try to keep my firewall a machine with as little as features possible. I switched my firewall back to a D525 Pineview Atom because of it the lack of speculative execution and ME 'features'.

I have these frills but they are behind the firewall. I can only hope that it is helping.
My build servers BMC features are so cool it scares the shit out of me.
A web server running on my motherboard when it is turned off. Trust me when I say this, Aspeed stuff is highly dangerous too.
An arm distro monitoring my system that I cannot turn off.
I now have to wait for the Arm BMC to boot before it even tries to boot my computer. Wow
And to think people say we need to get rid of rc.d to parallel boot faster. These people never owned a server board.

The industry went too far in the ways of creature comforts. Sure I like turning on my build server while sitting on the couch.
So does Johnny hacker.

Ponder this: A value CPU from 2011 is safer than anything Intel has sold in the last 7 years.


----------



## Deleted member 55181 (Jul 26, 2018)

if You use a windows behind a LAN Firewall can't help you (IP via Facebook, Facebook is "chiping". Windows resolver send request for no reason to facebook if you login on it only once...): Camera, Microphone, screen.
This is a log from windows from Virtual Machine. After boot. I do nothing just start the windows. https://pastebin.com/7F5Mb0WT There is a TOUSENDS of addres. If You block one of them tere ping to another one. And all the time IP addres arrives. For now only via IPv4, next will be IPv6. 
To the same applies Facebook, and Google, there is impossible to block it.


_Amazaon _
Ubuntu: https://pastebin.com/MmhuZaWj
Mint: https://pastebin.com/nxJh8Hws
Browsers Fingerspriting (canvas, screen detect, ... ) http://ipleak.com/full-report/
Widgets (google analitics, tracking via "like" from facebook.) https://www.mediapost.com/publicati...prevails-in-privacy-battle-over-tracking.html

Ofcource they're do not want to know everything about everyone on earth. It's just for "statistics and advertising". Yeach. Write.
Still defense is Debian, and *BSD and meaby other Open Source. But FreeBSD is supported by google so it is not known how long it will last, because is too good.
What next. Uefi BIOS? There is computer in computer too.

=================================================
Here is my prefs.js for firefox. They neurtalize most of tracking shit and send nothing. https://pastebin.com/KxagqaeR
/home/User22/.mozilla/firefox/yjx7e7r2.default/prefs.js
I recommend chameleon ads-on, and canvas blocker ads-on too.
And ofcourse block the google widget.
paste into /etc/hosts


```
0.0.0.0 www.google-analytics.com
0.0.0.0 google-analytics.com
0.0.0.0 ssl.google-analytics.com
```


----------



## cynwulf (Jul 26, 2018)

What with the, now infamous, side channel vulnerabilities and the recent "tlbleed", it may seem surprising how Intel are managing to brush this off and continue with "business as usual".

But as with MS Windows, Intel chips are simply a necessary evil for many and sadly they will probably get away with turning out crap for years to come, as with the former.  History tells us that people put up with crap.

It's why I have stuck with earlier AMD chips (which lack the PSP).


----------



## Phishfry (Jul 27, 2018)

Have you seen the ME cleaner program.
https://github.com/corna/me_cleaner
I don't know which is worse.
That too scares me. To have to do that to a newer CPU. At your own risk, off course.
.
This is where the lawsuits should start.
If you don't want to remove your faulty features we should sue.


----------



## Phishfry (Jul 27, 2018)

After further review I can say that I probably do have ME bits even on Pineview.

The Cleaner ME site mentions "Intel PAVP" and my heart sank. So much for the D525.


> ME requires full access to the system, including memory and network access (transparent to the user).



That is basically in every computer from Nehalem. Value CPU or not. There is fragments inside!
So I must assume the worse. It is also SCRAP.

Guess I need to get out my gun and manage my wall of fire. Halt, Who goes there.....


----------



## Phishfry (Jul 27, 2018)

cynwulf said:


> It's why I have stuck with earlier AMD chips (which lack the PSP)


OK Now I want to hook up my APU1 or APU2 depending on PSP on AMD.

When did it start over there?
Not looking good is it...
AMD GX-412TC, 1 GHz quad Jaguar on APU2 and AMD T40E, 1 GHz dual core on the APU1


----------



## Chris_H (Jul 27, 2018)

Phishfry said:


> After further review I can say that I probably do have ME bits even on Pineview.
> 
> The Cleaner ME site mentions "Intel PAVP" and my heart sank. So much for the D525.
> 
> ...


I did some intense research when the news about it all hit the fan. Mind you. I've been an ardent AMD man, since Cyrix production ended. Anyway. You can pretty much melt the gold off of anything past the 20th century. Yes. Anything past 1999 is sure to be corrupt(ed|able).
Have you sold your Intel stock yet?

--Chris


----------



## Crivens (Jul 27, 2018)

I joked about placing a put order on intel when I saw the last ccc congress plan - but boy... there is even more crap coming downstream than I imagined, and the stock is yet to fall out of the bottom.


----------



## cynwulf (Jul 27, 2018)

Phishfry said:


> OK Now I want to hook up my APU1 or APU2 depending on PSP on AMD.
> 
> When did it start over there?
> Not looking good is it...
> AMD GX-412TC, 1 GHz quad Jaguar on APU2 and AMD T40E, 1 GHz dual core on the APU1


Back in 2013.  PSP is, as I recall some kind of ARM core incorporated in the main die.  I think "steamroller" was the last core without it, (but please don't quote me on that one).

And of course vulnerabilities have been found only recently:

http://seclists.org/fulldisclosure/2018/Jan/12

https://nvd.nist.gov/vuln/detail/CVE-2018-8933
https://nvd.nist.gov/vuln/detail/CVE-2018-8934
https://safefirmware.com/amdflaws_whitepaper.pdf


> The AMD Secure Processor, the gatekeeper responsible for the security of AMD processors, contains critical vulnerabilities. This integral part of most of AMD’s products, including workstations and servers, is currently being shipped with multiple security vulnerabilities that could allow malicious actors (“attackers”) to permanently install malicious code inside the Secure Processor itself. These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions.


Who would have thought that these complex messes of firmware and "CPU within a CPU" would be an open door to this kind of thing...

AMD could have made a big statement in not following Intel in this madness - they chose otherwise.


----------



## Phishfry (Jul 27, 2018)

cynwulf said:


> AMD could have made a big statement in not following Intel in this madness - they chose otherwise.


I saw a user post on the AMD website asking for the models affected and nobody spoke up or had a page to send people to.
So Intel has at least aired their dirty laundry listing every CPU.
AMD made public statements that they were going to allow PSP to be disabled, but it takes a module in the BIOS to disable it.
So manufacturers are going to make you a new BIOS incorporating that module. So check for BIOS updates.
Truth is you ain't seeing this in 75% of the boards out there.
Maybe the newer Ryzen ones.
Do you think PCEngines has room on thier puny BIOS for this module. Heck we have USB/PXE/MMC/mSATA payloads.


----------



## cynwulf (Jul 27, 2018)

It's all very cynical.  When Intel revealed "meltdown", they did of course time it with the exposure of the two "spectre" variants, which affect AMD and some others as well...  as ever you have the branded bugs, websites set up for the purpose, etc.

Also I would assume that those behind the "amdflaws" whitepaper have an agenda (it's laughably obvious in fact and the "research" company obviously set up specifically to reveal the flaw had only been recently registered when they immediately went public).


----------



## Chris_H (Jul 27, 2018)

Phishfry said:


> I saw a user post on the AMD website asking for the models affected and nobody spoke up or had a page to send people to.
> So Intel has at least aired their dirty laundry listing every CPU.
> AMD made public statements that they were going to allow PSP to be disabled, but it takes a module in the BIOS to disable it.
> So manufacturers are going to make you a new BIOS incorporating that module. So check for BIOS updates.
> ...


Mind you I haven't done any experiments to test. But my understanding is that while a BIOS "patch" could thwart this. I think that after the BIOS relinquishes control to the OS. The matter becomes moot. As the kernel can effectively _undo_ the BIOS patch.
I'd be interested to see any of these "patches".
Sadly. I can't imagine too many board manufacturers to be spending additional money, and resources on BIOS patches. Has anyone seen one available?
...
Wait... just occurred to me. If you can _enable_ the "disabled" cores on the AMD CPU'. Can one effectively do the _reverse_, as in CPU-in-CPU?
But again. How _permanent_ is it?

--Chris


----------



## ralphbsz (Jul 28, 2018)

Crivens said:


> I joked about placing a put order on intel when I saw the last ccc congress plan - but boy... there is even more crap coming downstream than I imagined, and the stock is yet to fall out of the bottom.


The price did fall out of Intel today.  And AMD went up.  Here is a financial news article, which has a graph showing Intel down, AMD up: https://www.marketwatch.com/story/a...-chip-maker-power-appears-to-shift-2018-07-27

And this morning, while riding the bus, I saw an article that Spectre has been found to be attackable via network stacks: https://arstechnica.com/gadgets/201...-enables-secrets-to-be-leaked-over-a-network/
Fortunately, the rate of bits being leaked through this attack is extremely low, it would take several hours to get an SSH key leaked, assuming you knew exactly where in memory it was.

For secure computing, may I suggest that we all switch to using an IBM 1401?  It is user-friendly (no tubes, only transistors, thousands of them), and as a friend of mine has demonstrated, it can be effectively maintained, if you have a team of 20 dedicated volunteers.  No internet connection, but that's only useful for watching cat videos on youtube anyway.  The UI is a little tedious: input via punched cards, output via line printer, and storage only via tape (no disk).  But pretty secure.


----------

