Bit Torrent
Posts: 1,810
Registered: ‎11-28-2007
Location: CZ
Message 1 of 43 (3,849 Views)

Remote security exploit in all 2008+ Intel platforms

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

 

Affects almost all ThinkPads

__________________________________
ThinkPad (1992 - 2012): R51, X31, X220, Tablet 8.
Do you care about privacy and security ? Leave Google behind
Paper Tape
Posts: 2
Registered: ‎11-24-2015
Location: San Diego
Message 2 of 43 (3,779 Views)

Re: Remote security exploit in all 2008+ Intel platforms

I saw this as well. Actually it affects only CPUs that have Intel vPro. Has anyone tried contacting Lenovo to find out when they will have a fix? There is mitigation from Intel as well.

 

https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

Community Moderator
Posts: 1,696
Registered: ‎05-01-2010
Location: US
Message 3 of 43 (3,691 Views)

Re: Remote security exploit in all 2008+ Intel platforms

As I understand it, these features are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993, and are not found in consumer-grade CPUs -- only in enterprise solutions, and mostly in server chipsets.

None of these come enabled by default. A sysadmin must first enable the services on their local network.

Intel has a detection guide. Scroll down to the links: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

 

Lenovo is aware. I'm sure more info will be posted soon.

Watch HERE for updates.

I am not employed by Lenovo or Microsoft. I am a volunteer.

SpywareHammer





Bit Torrent
Posts: 1,810
Registered: ‎11-28-2007
Location: CZ
Message 4 of 43 (3,679 Views)

Re: Remote security exploit in all 2008+ Intel platforms

[ Edited ]

Bugbatter wrote:

As I understand it, these features are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993, and are not found in consumer-grade CPUs -- only in enterprise solutions, and mostly in server chipsets.


Unfortunately not, it is much more serious. It affects all machines having Intel CPUs that support vPro technology, regardless of whether you use it in an "enterprise" environment or as an individual end user. The AMT security hole is enabled by default for everyone.

Serial Port
Posts: 17
Registered: ‎01-07-2015
Location: PL
Message 5 of 43 (3,855 Views)

Re: Remote security exploit in all 2008+ Intel platforms

[ Edited ]

Any chance to expect a fix from Lenovo/Intel for this HUGE problem for older Lenovo products affected T4xx... ?

Intel AMT CVE-2017-5689

 

mjg59

theregister Red alert!

 

 

Moderator comment: Merged in. Subject edited.

Lenovo Staff
Posts: 8
Registered: ‎05-02-2017
Location: US
Message 6 of 43 (3,649 Views)

Re: Remote security exploit in all 2008+ Intel platforms

[ Edited ]

Thanks for reaching out! Please see the advisory we posted this morning here: https://support.lenovo.com/us/en/product_security/LEN-14963

In the future, you can check our security home page for new and updated advisories here: https://pcsupport.lenovo.com/us/en/product_security/home

Serial Port
Posts: 17
Registered: ‎01-07-2015
Location: PL
Message 7 of 43 (3,485 Views)

Re: Remote security exploit in all 2008+ Intel platforms

Lenovo ThinkPad T410-T510 is not even listed, and the latest available firmware from Lenovo is unfortunately vulnerable:

 

Intel(R) MEInfo Version: 6.2.20.1022
Copyright(C) 2005 - 2011, Intel Corporation. All rights reserved.

Intel(R) Manageability and Security Application code versions:

        BIOS Version:                           XXXXXXWW (X.XX )
        MEBx Version:                           6.1.0.6
        Gbe Version:                            4.16.0
        VendorID:                               8086
        PCH Version:                            400006
   ==>  FW Version:                             6.2.60.1066  <==
        UNS Version:                            6.2.60.1068
        LMS Version:                            6.2.60.1068
        MEI Driver Version:                     6.2.50.1050
        Wireless Hardware Version:              1.1.76
        Wireless Driver Version:                13.2.0.30

 

Quote from Lenovo release 6ir654ww; spelling mistake is copyright to Lenovo
- Downgrading the Management Engine firmware to an older verion cannot be allowed.

original doc is here:
https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/6ir654ww.txt
Bit Torrent
Posts: 1,810
Registered: ‎11-28-2007
Location: CZ
Message 8 of 43 (3,473 Views)

Re: Remote security exploit in all 2008+ Intel platforms

[ Edited ]

Can anybody tell whether the remote AMT security hole is disabled or not? Because it is not enough to disable it in BIOS. I used the ACUConfig tool:

 

ACUConfig /output console status

X220: Starting to retrieve machine status...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.

Host information - X220
        UUID - ...
        Intel(R) AMT version - 7.1.20
        The system is unconfigured.
        The system TLS setup is using PKI.
        Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
        AMT state - Pre-Provision(0)

 

ACUConfig /output console unconfigure

ACUConfig 11.1.0.75
X220: Starting to unconfigure AMT...
Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
***********
Exit with code 2 - Intel(R) AMT is already unconfigured on this system.

 

Serial Port
Posts: 17
Registered: ‎01-07-2015
Location: PL
Message 9 of 43 (3,441 Views)

Re: Remote security exploit in all 2008+ Intel platforms

You don't have LMS running in the OS and the software can't communicate with IAMT; try to unprovision and delete all settings directly from BIOS.

Or you can try to use Intel Manageability Commander and Intel System Defence to check what settings you have configured for AMT and delete it from there first.

 

If you try from any other computer/device in the same LAN/subnet as the IAMT target and you can see the web page asking for login, you are not safe:

http://IAMT_local_ip:16992/logon.htm
https://IAMT_local_ip:16993/logon.htm
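
The reachability check described in the post above, as an added example that is not part of the original thread: a Python script that requests `/logon.htm` on ports 16992 and 16993 of one of your own machines and reports whether a web interface answers. The function names, result fields and timeout are assumptions made for this example; only the ports and the path come from the thread.

```python
import http.client
import socket
import ssl
import sys

# Ports and path are the ones quoted in the thread; everything else is illustrative.
AMT_PORTS = ((16992, False), (16993, True))   # (port, uses TLS)
LOGON_PATH = "/logon.htm"

def probe(host, port, use_tls=False, timeout=3.0):
    """Classify one port as 'closed', 'open-no-http' or 'web-ui'."""
    result = {"port": port, "state": "closed", "status": None, "server": None}
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:                       # refused, filtered or timed out
        return result
    result["state"] = "open-no-http"
    try:
        if use_tls:
            # Reachability test only: the device certificate is not validated.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", LOGON_PATH)
        resp = conn.getresponse()
        result.update(state="web-ui", status=resp.status, server=resp.getheader("Server"))
        conn.close()
    except (OSError, http.client.HTTPException):
        pass                              # port answers, but not with HTTP
    return result

def check_host(host, ports=AMT_PORTS, timeout=3.0):
    """Probe every management port; the host counts as exposed if any serves HTTP."""
    results = [probe(host, p, tls, timeout) for p, tls in ports]
    return any(r["state"] == "web-ui" for r in results), results

if __name__ == "__main__":
    # Run from a second machine on the same LAN, against your own system's address.
    if len(sys.argv) != 2:
        sys.exit("usage: amt_check.py <address-of-your-machine>")
    exposed, results = check_host(sys.argv[1])
    for r in results:
        print(f"{r['port']}: {r['state']} status={r['status']} server={r['server']}")
    sys.exit(1 if exposed else 0)
```

A result of `open-no-http` still means something is listening on the port (for example, a TLS handshake the local Python build refuses), so it deserves the same follow-up as `web-ui`.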
Bit Torrent
Posts: 1,810
Registered: ‎11-28-2007
Location: CZ
Message 10 of 43 (3,410 Views)

Re: Remote security exploit in all 2008+ Intel platforms


Luc_T410 wrote:

If you try from any other computer/device in the same LAN/subnet as the IAMT target and you can see the web page asking for login, you are not safe:

Thanks! This is what I was looking for. Fortunately both connections have failed.
