Thoughts on the latest Intel ME vulnerabilities: based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal.
There are two classes of vulnerability disclosed. One is in the Intel AMT component, which runs on ME and is restricted to "enterprise" hardware (which includes higher end laptops), the other is arbitrary ME execution and applies to the entire product range.
The AMT vulnerabilities "only" permit code execution in the context of AMT. That means at least all the capabilities of AMT, but potentially more besides.
One of AMT's features is allowing a user to VNC into a system without the OS being involved. Doing this draws a warning border around the screen to alert the user. Unclear whether that's hardware or not - if not, this could allow silent observation of affected systems.
AMT also allows secure boot to be disabled for one-shot boots, so AMT compromise is probably also a complete secure boot compromise.
Worth noting - this gives *remote* users the opportunity to execute code as AMT if they authenticate. https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html allows you to authenticate with an empty authentication token. If you haven't patched that already, do so.
The ME compromise presumably gives you everything the AMT compromise gives you, plus more. If you compromise the ME kernel you compromise everything on the ME. That includes AMT, but it also includes PTT.
PTT is Intel's "Run a TPM in software on the ME" feature. If you're using PTT and someone compromises your ME, the TPM is no longer trustworthy. That probably means your Bitlocker keys are compromised, but it also means all your remote attestation credentials are toast.
Worst case there is that an attacker is able to obtain the EK credentials from PTT. Unless there's a way to generate a new EK (and a new EK certificate), you can no longer ever trust remote attestation from that system.
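The last two tweets describe why a compromised PTT breaks remote attestation: the verifier's trust rests on the endorsement key, so once the EK material leaves the platform, a quote with "correct" PCR values can be produced regardless of what actually booted, and the only remedy is to stop trusting that EK. The following is an added example, not code from the thread's author or from Intel, that models this trust chain in miniature. Everything in it is constructed for illustration: the boot logs, the device name "laptop-1", and the EK itself. The EK is modelled as a symmetric MAC key purely to keep the example standard-library only; a real TPM endorsement key is asymmetric, but the verifier logic and the consequence of leaking it are the same.

```python
import hashlib
import hmac
import os

SHA256_ZERO = b"\x00" * 32


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def pcr_state(measurements):
    """Replay a boot log (list of (pcr_index, bytes)) into a fresh 8-register PCR bank."""
    pcrs = {i: SHA256_ZERO for i in range(8)}
    for idx, m in measurements:
        pcrs[idx] = pcr_extend(pcrs[idx], m)
    return pcrs


def sign_quote(ek_secret: bytes, nonce: bytes, pcrs: dict) -> bytes:
    """Toy quote signature: HMAC over the verifier nonce and the PCR bank.
    Stand-in for the asymmetric EK/AK signature a real TPM produces (assumption for this example)."""
    msg = nonce + b"".join(pcrs[i] for i in sorted(pcrs))
    return hmac.new(ek_secret, msg, hashlib.sha256).digest()


class Verifier:
    """Attestation server: knows each enrolled device's EK and the expected (golden) PCR values."""

    def __init__(self, registered_eks, golden_pcrs):
        self.registered_eks = dict(registered_eks)  # device id -> EK recorded at enrolment
        self.golden_pcrs = dict(golden_pcrs)        # pcr index -> expected value
        self.revoked = set()

    def revoke(self, device):
        """Stop trusting a device's EK (e.g. after its PTT is known to be compromised)."""
        self.revoked.add(device)

    def verify(self, device, nonce, pcrs, sig):
        if device in self.revoked:
            return (False, "ek-revoked")
        ek = self.registered_eks.get(device)
        if ek is None:
            return (False, "unknown-device")
        if not hmac.compare_digest(sign_quote(ek, nonce, pcrs), sig):
            return (False, "bad-signature")
        if any(pcrs[i] != v for i, v in self.golden_pcrs.items()):
            return (False, "pcr-mismatch")
        return (True, "ok")


# Constructed sample boot logs (pcr index, measured component)
GOOD_BOOT = [(0, b"firmware-v1"), (4, b"bootloader-v1"), (7, b"secureboot-enabled")]
TAMPERED_BOOT = [(0, b"firmware-v1"), (4, b"bootloader-modified"), (7, b"secureboot-disabled")]


def run_scenarios():
    ek = os.urandom(32)  # constructed EK for the hypothetical device "laptop-1"
    golden = pcr_state(GOOD_BOOT)
    verifier = Verifier({"laptop-1": ek}, {0: golden[0], 4: golden[4], 7: golden[7]})
    nonce = os.urandom(16)
    results = {}

    # 1. Honest quote from a clean boot: signature and PCRs both check out.
    p = pcr_state(GOOD_BOOT)
    results["honest"] = verifier.verify("laptop-1", nonce, p, sign_quote(ek, nonce, p))

    # 2. Platform booted something else: the genuine TPM reports it, verifier rejects.
    p = pcr_state(TAMPERED_BOOT)
    results["tampered"] = verifier.verify("laptop-1", nonce, p, sign_quote(ek, nonce, p))

    # 3. EK material has left the platform (the PTT-compromise case in the thread):
    #    a quote asserting the golden values verifies even though nothing was measured.
    claimed = dict(golden)
    results["leaked_ek"] = verifier.verify("laptop-1", nonce, claimed, sign_quote(ek, nonce, claimed))

    # 4. The only verifier-side remedy: revoke the EK and require re-enrolment with a new one.
    verifier.revoke("laptop-1")
    results["after_revocation"] = verifier.verify("laptop-1", nonce, claimed, sign_quote(ek, nonce, claimed))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>17}: {outcome}")
```

Scenario 3 is the point of the thread's last tweet: the verifier cannot distinguish a quote signed by the real PTT from one signed with extracted EK material, so PCR comparison alone gives no assurance once the EK is out. Scenario 4 shows the corresponding defender action, which only restores trust if the platform can be re-enrolled under a fresh EK and certificate.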
This seems like a feature not a bug. It means you can bypass DRM based on remote attestation.
Replying to @RichFelker
I've never seen DRM-oriented remote attestation, but I've deployed it for various real security setups