Yet another nightmare for Intel users, and this time it is specific to the corporate world. Yes, you heard that right: an attacker only needs to find an employee carrying his or her corporate laptop, distract that person for a minute, and the attack can be carried out in under a minute. Is it really that simple? Game on!
Intel is still trying to cope with its last publicly announced security vulnerabilities, Meltdown and Spectre, and here we are yet again with another blunder. In July 2017 Harry Sintonen, one of F-Secure’s Senior Security Consultants, discovered unsafe and misleading default behaviour in Intel’s Active Management Technology (AMT).
AMT is Intel’s proprietary solution for remote access, monitoring and maintenance of corporate-grade personal computers, allowing corporate technical support teams or managed service providers to support employees remotely, including via remote screen sharing (KVM). AMT has had security issues in the past, but this one is more surprising because of its potential impact.
The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if a BIOS password, TPM PIN, BitLocker and login credentials are all in place, because the AMT configuration menu is guarded by its own password, independent of the BIOS password, and that password is left at its factory default on most machines.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” Sintonen says.
1. A local attacker gains physical access to a corporate machine (desktop or laptop).
2. The attacker reboots or powers on the machine and presses Ctrl+P during boot.
3. This brings up the Intel Management Engine BIOS Extension (MEBx) login prompt. MEBx has its own password, separate from the BIOS password, so a BIOS password alone does not protect it.
4. The factory default MEBx password is “admin”, and it is very likely still in place on most corporate machines. Where IT administrators have changed it, weak choices such as “admin@123”, “password” or “<company name>@123” are common.
5. Once logged in, the attacker changes the default password, enables remote access, and sets AMT’s user opt-in (the on-screen consent prompt for remote sessions) to “NONE” so that the victim gets no warning.
6. The machine is now compromised!
Once the attacker is on the same network segment as the victim (wireless access takes a few additional steps), the system can be accessed remotely. F-Secure’s consultant has published a video demonstrating the attack.
F-Secure, along with CERT, has notified Intel and all relevant device manufacturers about the issue and urged them to address it urgently.
The onus is now on corporate employees to safeguard their laptops in public places such as airports, bus terminals, hotels and cafés: never leave the device unattended, even for a minute.
IT administrators must set a strong MEBx/AMT password, or disable AMT completely where the functionality is not required, before handing systems over to employees.
IT administrators must reset the AMT passwords on all existing systems to strong, unique values with immediate effect.
Most importantly: if the AMT password on a user’s laptop has been set to an unknown value, treat the device as suspect and initiate incident response. First rule of cyber security? Never take unnecessary risks.
Organizations running Microsoft environments with domain-joined devices can also use System Center Configuration Manager (SCCM) to provision AMT centrally, so that the password is set under IT control rather than left at its default.
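A machine that has been provisioned through the attack above starts answering on Intel’s well-known AMT ports (16992 for HTTP, 16993 for HTTPS), which gives the incident responder a network-side check to go with the MEBx password check: sweep the segment, list every host exposing the AMT web interface, and compare the result against the inventory of machines IT deliberately provisioned. The following Python is an added example written for this page, not F-Secure’s or the original post’s code; the sample HTTP responses and the subnet and host names in it are constructed placeholders, and the only facts it relies on are the AMT port numbers and the Server header with which AMT’s embedded web server identifies itself.

```python
"""Sweep a network segment for hosts exposing the Intel AMT web interface.

Added example (not F-Secure's or the original post's code). Ports 16992/16993
are Intel's AMT ports; the sample responses below are constructed, not captured.
"""
import re
import socket
import ssl
import sys
from ipaddress import ip_network
from typing import Iterator, Optional, Tuple

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

# AMT's embedded web server names itself in the Server header and challenges
# with HTTP Digest authentication; both appear in the very first response.
SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)", re.I | re.M
)
REALM_RE = re.compile(r'WWW-Authenticate:\s*Digest\s+realm="([^"]*)"', re.I)

# Constructed sample responses (not captured from real devices) for offline use.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="constructed-nonce", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"
)


def parse_amt_banner(response: bytes) -> Optional[dict]:
    """Return {'version', 'realm'} if the HTTP response came from Intel AMT, else None."""
    head = response.decode("latin-1", errors="replace").split("\r\n\r\n", 1)[0]
    server = SERVER_RE.search(head)
    if not server:
        return None
    realm = REALM_RE.search(head)
    return {"version": server.group(1), "realm": realm.group(1) if realm else None}


def probe_amt(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[dict]:
    """Request / from host:port and classify the banner; None if unreachable or not AMT."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == AMT_HTTPS_PORT:
            # AMT ships a self-signed certificate; verification is disabled for
            # banner grabbing only, and nothing sensitive is sent.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        chunks, total = [], 0
        while total < 65536:          # headers are all we need; cap the read
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except OSError:                   # covers socket.timeout and ssl.SSLError
        return None
    finally:
        if sock is not None:
            sock.close()
    return parse_amt_banner(b"".join(chunks))


def sweep(cidr: str, ports=(AMT_HTTP_PORT, AMT_HTTPS_PORT),
          timeout: float = 1.0) -> Iterator[Tuple[str, int, dict]]:
    """Yield (host, port, banner) for every AMT responder in the CIDR range."""
    for addr in ip_network(cidr, strict=False).hosts():
        for port in ports:
            banner = probe_amt(str(addr), port, timeout)
            if banner:
                yield str(addr), port, banner


def unexpected_amt_hosts(findings, provisioned) -> list:
    """Hosts answering as AMT that IT never provisioned: treat them as suspect."""
    return sorted({host for host, _port, _banner in findings if host not in provisioned})


if __name__ == "__main__":
    # Usage: python amt_sweep.py 192.168.1.0/24 [deliberately_provisioned_host ...]
    subnet = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"   # placeholder
    known = set(sys.argv[2:])
    found = list(sweep(subnet))
    for host, port, banner in found:
        print(f"{host}:{port} AMT {banner['version']} realm={banner['realm']}")
    for host in unexpected_amt_hosts(found, known):
        print(f"SUSPECT: {host} exposes AMT but is not in the provisioned inventory")
```

A hit on a laptop that IT never provisioned is exactly the “AMT password set to an unknown value” situation described above and should start incident response; a hit on a machine that is in the inventory is only worth a look if its MEBx password is still the default.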
A kernel memory leak in Intel processors, caused by a fundamental design flaw, has forced the major operating system vendors (Windows, Linux and macOS) to redesign their kernels. The redesign will carry a performance hit on Intel products, estimated at anywhere from 5% to 30% depending on the task and the processor model. More recent Intel chips have features such as PCID (process-context identifiers, which let the kernel avoid a full TLB flush on every switch between user and kernel mode) that reduce the hit, The Register reports.
Any program that wants to write to a file, start a process or use the network must temporarily hand control to the kernel, which does the privileged work on its behalf. For speed, the kernel’s code and data are mapped into the virtual address space of every process. When a program needs the kernel it makes a system call: the processor switches to kernel mode and runs the kernel’s code, and once the requested work is done the CPU switches back to user mode and resumes the process. While in user mode the kernel’s memory is supposed to be out of reach, protected by the supervisor bit in its page-table entries, yet it remains present in the process’s page tables.
Easily exploitable by malware and attackers, and useful as a stepping stone for exploiting other security bugs
Programs and logged-in users can read the kernel’s memory, exposing secrets such as passwords, cached disk contents and login keys
On a shared public cloud server, a tenant could potentially read kernel-protected data it should never have access to
The bug could possibly be abused to defeat KASLR (kernel address space layout randomization), which depends on kernel addresses staying secret
A malicious program can get the processor to speculatively execute an instruction that reads kernel memory before the permission check takes effect, and recover the value through a cache side channel before control returns to user mode. In effect, ring-3 user code can read ring-0 kernel data
Impact on cloud:
The bug will affect big-name cloud computing environments including Amazon EC2, Microsoft Azure and Google Compute Engine, said a software developer blogging as Python Sweetness.
Another version of the same story:
There were rumours of a severe hypervisor bug, possibly in Xen, doing the rounds at the end of 2017. It may be that this hardware flaw is that rumoured bug: hypervisors could be attacked via this kernel memory access flaw and so need to be patched, forcing a mass restart of guest virtual machines.
Affected Intel product:
The fix is to separate the kernel’s memory completely from user processes using what is called Kernel Page Table Isolation (KPTI). The KPTI patches give the kernel its own set of page tables, so that while a process runs in user mode the kernel is not merely marked inaccessible, it is not mapped at all (only a tiny entry trampoline remains). The cost is that every system call and interrupt now has to switch page tables and, on chips without PCID, flush the TLB, which is where the slowdown comes from. Really, this should not be needed, but clearly there is a flaw in Intel’s silicon that allows the kernel access protections to be bypassed in some way.
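Once the vendor updates land, the practical question for an administrator is whether a given Linux host actually has KPTI active and whether its CPU has PCID to soften the performance hit. The following Python is an added example written for this page, not code from The Register or the kernel project. It reads the two places the Linux kernel reports this: the /sys/devices/system/cpu/vulnerabilities/meltdown file (Linux 4.15 and distro backports), and the “pti” flag and “cpu_meltdown” bug entry in /proc/cpuinfo. The inline cpuinfo snippets are constructed samples, not captured from real machines.

```python
"""Report whether this Linux host is vulnerable to Meltdown and whether KPTI is active.

Added example (not from The Register or the kernel project). Reads the
meltdown sysfs file and /proc/cpuinfo; the inline samples are constructed.
"""
from pathlib import Path
from typing import Optional

MELTDOWN_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")
CPUINFO = Path("/proc/cpuinfo")

# Constructed /proc/cpuinfo excerpts: one kernel running with PTI on a CPU that
# has PCID, one affected CPU on a kernel that reports the bug but has no PTI.
SAMPLE_CPUINFO_PATCHED = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep pge cmov pat pcid sse4_2 invpcid pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_CPUINFO_UNPATCHED = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep pge cmov pat sse4_2\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)


def cpuinfo_fields(cpuinfo_text: str) -> dict:
    """Return the 'flags' and 'bugs' sets from the first processor block of /proc/cpuinfo."""
    fields = {"flags": set(), "bugs": set()}
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key in fields and not fields[key]:   # first processor block only
            fields[key] = set(value.split())
    return fields


def classify_meltdown(sysfs_text: Optional[str], cpuinfo_text: str) -> str:
    """Return 'not_affected', 'mitigated', 'vulnerable' or 'unknown'.

    sysfs_text is the content of the meltdown vulnerabilities file, or None when
    the kernel does not provide it (pre-4.15 without a backport).
    """
    if sysfs_text is not None:
        status = sysfs_text.strip()
        if status.startswith("Not affected"):
            return "not_affected"
        if status.startswith("Mitigation"):       # e.g. "Mitigation: PTI"
            return "mitigated"
        if status.startswith("Vulnerable"):
            return "vulnerable"
        return "unknown"
    fields = cpuinfo_fields(cpuinfo_text)
    if "pti" in fields["flags"]:                 # KPTI active on a kernel lacking the sysfs file
        return "mitigated"
    if "cpu_meltdown" in fields["bugs"]:         # CPU flagged as affected and no PTI
        return "vulnerable"
    return "unknown"                              # kernel too old to report either way


def has_pcid(cpuinfo_text: str) -> bool:
    """PCID lets KPTI skip the full TLB flush on each kernel/user switch, reducing the hit."""
    return "pcid" in cpuinfo_fields(cpuinfo_text)["flags"]


def read_optional(path: Path) -> Optional[str]:
    """Read a file, returning None if it does not exist (older kernels)."""
    try:
        return path.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    cpuinfo = read_optional(CPUINFO) or ""
    print(f"Meltdown status: {classify_meltdown(read_optional(MELTDOWN_SYSFS), cpuinfo)}")
    print(f"PCID available (reduced KPTI overhead): {has_pcid(cpuinfo)}")
```

A result of “unknown” means the kernel predates the reporting entirely, which on an Intel machine should itself be read as “unpatched”.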
PostgreSQL developers have shared early test results for the Intel hardware bug fix, which show performance regressions
Microsoft’s Azure cloud is to undergo maintenance on January 10
Amazon has warned customers by email to expect a major security update to land on Friday this week, without going into details
Once the updates from the respective vendors are applied, your Intel-powered machine will run slower as a result
On 28 December 2017, developer SpecterDev released a fully functional, much-awaited kernel exploit for the PlayStation 4 (firmware 4.05), almost two months after Team fail0verflow revealed its technical details.
The Intel Management Engine (ME), a microcontroller in the chipset that handles much of the communication between the processor and external devices, hit the headlines in May 2017 because of security concerns about the Active Management Technology (AMT) that runs on top of it. Closer inspection revealed a simple authentication error in AMT’s web interface: the HTTP Digest check compared only as many bytes of the password hash as the attacker supplied, so an empty response value was accepted and an attacker could log in with no password at all (CVE-2017-5689).
Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake+”.
What the company’s researchers Mark Ermolov and Maxim Goryachy found is that when Intel moved the Management Engine to a modified MINIX operating system, it introduced a vulnerability in an unspecified subsystem.
Because the ME runs independently of the operating system, a victim has no way of knowing they have been compromised, and an infection is “resistant” to an OS re-install and a BIOS update, Ermolov and Goryachy say.