Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened. Posted on 05/01/2017 10:03:01 PM PDT by Ernest_at_the_Beach
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.
Update May 1, 2017 # 3:35pm: Intel just confirmed it, but not to SemiAccurate. You can read their advisory here.
The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.
First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.
Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous.
(Excerpt) Read more at semiaccurate.com ...
Nice, I sometimes wonder if these “backdoors” come with an upfront payment to the chip designers from Uncle Snoopy...
Will Linux distros push firmware driver fixes?
That includes all the processors in the cloud.
Only systems with Vpro and must be activated.
Very serious and should have been found years ago.
Much of Intel’s quality validation people have been outsourced to South America.
This explains the quality problems Intel has been having in the last 6 years.
I personally know one of the Validation Managers who was told to fire all her people and setup Validation in Costa Rica.
Correct, very likely all Xeon processors
Very damn curious.
From the advisory: “This vulnerability does not exist on Intel-based consumer PCs.”
Who is supposed to be validating the work of the validators? I’ve seen that corporate mentality that takes over and cuts off the nose to spite the face. Upsetting when its about life and death, which this sounds like it could be?
remotely exploitable security hole in the ME (Management Engine) not CPU firmware.
AMD will rise again.
Ping.
Will Linux distros push firmware driver fixes?
I was wondering the same thing as I’m using linux mint 17.3 on an Acer Home theater pc. It’s developed for windows 8.1 but I tossed windows out the door a few years ago and never went back.
I checked my version of CPU and it’s an entry level cpu with the AES, virtualization etc, deactivated so I really don’t know if this machine is vulnerable or not. Just because it’s deactivated in my opinion, doesn’t mean it can’t be turned on somewhere to create the vulnerability. It exists as part of the processor.
I went to the Intel website for my processor to learn more about the processor and to view the files available for linux machines. There’s nothing there yet for downloads to address this particular vulnerability. There’s no mention of it that I found on the intel website either.
And then, I despise the bios setup on this pc as there aren’t much choices for customization. That’s all hidden and I don’t know how to access it. Yes, I’m using bios instead of UEFI because some versions of linux don’t provide a choice for that during the install and it uses a standardized install for newbies.
In any event, I sure hope more information comes out on this.
Article says that may not be true.
And computers out in branch offices so that the HQ can troubleshoot them from a central location!
“Nice, I sometimes wonder if these “backdoors” come with an upfront payment to the chip designers from Uncle Snoopy...”
At places like the wikileaks reddit its believed this is the main motive for the Management Engine technology.
two words ... Edward Snoden?
I was thinking that SMT is hyperthreading.
Do you have that?
My goto Desktop is a ~8 yr old Dell that my MIL used until she couldn’t, upgraded eith a hundreds of GPU video card. Now loaded with Linux Mint and plenty of Virtusl Boxes, it has two proprietary drivers. Some Intel rhing and something for the VidCard.
If there is a hidden CPU, it needs to be terminated with predujuice.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.