Post by Simon Clubley
Basically, for machines built around some Intel chipsets, a remote
attacker can use the machine's remote access capabilities to gain
unauthorised access to your hardware and control it remotely.
As this uses the chipset's built-in remote management capabilites,
it operates underneath the level of the operating system.
for details and welcome to an example of the kind of things you are going
to have to watch out for now on x86-64 VMS. :-)
BTW, issues like this are _exactly_ what I was thinking of when I raised
the problem of firmware level security vulnerabilities recently.
Microsoft: Bringing you 1980s technology to a 21st century world
Also see Charlie Demerjian's article at SemiAccurate from
several years ago, as acknowledged in The Register today.
And before there was AMT there was IPMI. This from 2013:
Today's coverage has been remarkably unclear, for anyone
who wants to understand what's really at stake without
being faced with multiple layers of obfuscation.
Some particularly unclear points:
(1) it's not just for servers: there are desktop and laptop
equivalents with e.g. Intel vPro badges. NB these aren't
consumer-class systems, but do end up outside business-class
IT sometimes. Do vPro boxes have a similar vulnerability to
today's discussion. Who knows.
Note also that your classical Proliant/x86 (and equivalent
Dell) server boxes with "Lights Out" management options may
not have the exact vulnerabilities discussed today, but
likely come with equivalent challenges of their own.
(2) it's not just a problem for Window boxes. As Simon notes,
this is (afaik) an issue with the firmware in the CPU's support
chipset, which contains its own non-x86 processor which does
things in its own little world, eg providing VNC-like access
to the main system's keyboard, video, and mouse, even when the
x86 OS isn't working. Also it allows the system's mass storage
to be redirected to something on the LAN. It's supposed to be
protected by various stages of enabling and authentication.
The protection doesn't seem to work as advertised (though
some are wondering if it works as intended by certain three
and four letter agencies).
Some have claimed it's a Windows-specific OS problem but that
isn't how I've read it. Definitive correction welcome.
Why bother hacking the OS, or e.g. finding a mostly-artificial
exploit that leaks data at (say) 24 bits per day, when rather
than going in the hard way you can use the "secret" back way
in and get untraceable total control at speeds the IT
department are used to.
On a related topic, anyone hoping that remoteDMA etc is the
answer to the world's need for low latency high bandwidth
comms might also like to dig a little and maybe learn a lot.