[qubes-users] Re: Intel AMT Vulnerability CVE-2017-5689

2017-05-12 Thread cooloutac
On Thursday, May 11, 2017 at 12:57:09 PM UTC-4, Dimitri wrote:
> The 'Intel Management Engine' is something like God on your CPU. 
> Unfortunately its creators were quite human. This manifests in imperfections, 
> also known as bugs. CVE-2017-5689 is one of those 
> (https://www.ssh.com/vulnerability/intel-amt/). Successfully exploiting a bug 
> in the ME will make an attacker very happy as this could get him complete 
> control over the unlucky machine. If the bug additionally is exploitable 
> remotely we have heaven on earth. At least for attackers. For all others 
> this smells like hell.
> 
> This is probably not too surprising for Qubes people. The ME has been known 
> to be a security problem before.
> 
> I have no insight in the named vulnerability nor in the technicalities of the 
> ME. So I'm wondering how this affects Qubes.
> - Can it be exploited from remote if the right (or wrong) network/wireless 
> card is used? Yes, NICs are attached to sys-net, but does that really help in 
> this case?
> - Can it be exploited locally from a VM?
> - One way to fix this particular problem is to update the firmware. (If 
> you're lucky enough to get an update for your computer). Is there another 
> way? Maybe isolating the ME from all PCI devices? My guess is: No. Please 
> show me that I'm wrong...
> 
> Another point that makes me wonder but might be out of topic for this group:
> Intel released the vulnerability. Why? Because it has been leaked. I'm sure 
> Intel did not know anything about this before. You?
> 
> Thanks for sharing thoughts!

Your operating system doesn't matter.

And like Reg said, at that point compromising Qubes is the least of your worries.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4804ab09-5b1c-4065-945f-be42caff5ef3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Intel AMT Vulnerability CVE-2017-5689

2017-05-11 Thread Reg Tiangha
On 2017-05-11 10:57 AM, Dimitri wrote:
> The 'Intel Management Engine' is something like God on your CPU. 
> Unfortunately its creators were quite human. This manifests in imperfections, 
> also known as bugs. CVE-2017-5689 is one of those 
> (https://www.ssh.com/vulnerability/intel-amt/). Successfully exploiting a bug 
> in the ME will make an attacker very happy as this could get him complete 
> control over the unlucky machine. If the bug additionally is exploitable 
> remotely we have heaven on earth. At least for attackers. For all others 
> this smells like hell.
> 
> This is probably not too surprising for Qubes people. The ME has been known 
> to be a security problem before.
> 
> I have no insight in the named vulnerability nor in the technicalities of the 
> ME. So I'm wondering how this affects Qubes.
> - Can it be exploited from remote if the right (or wrong) network/wireless 
> card is used? Yes, NICs are attached to sys-net, but does that really help in 
> this case?
> - Can it be exploited locally from a VM?
> - One way to fix this particular problem is to update the firmware. (If 
> you're lucky enough to get an update for your computer). Is there another 
> way? Maybe isolating the ME from all PCI devices? My guess is: No. Please 
> show me that I'm wrong...
> 
> Another point that makes me wonder but might be out of topic for this group:
> Intel released the vulnerability. Why? Because it has been leaked. I'm sure 
> Intel did not know anything about this before. You?
> 
> Thanks for sharing thoughts!
> 


My understanding is that the ME intercepts packets before they get to the
OS layer, so attaching a built-in Intel NIC to sys-net has absolutely no
effect on mitigating stuff coming in that way because the OS wouldn't
even get to see the malicious packets so you couldn't use iptables to
filter them out. For this particular exploit, if you're unable to update
the ME firmware, either you have some kind of external hardware firewall
blocking traffic to and from the ports in question, or use something
like a USB NIC that isn't tied to the ME. But that wouldn't necessarily
guard against any other undisclosed exploits that might still be lurking
in the ME.

As for how an attacker can leverage this exploit on Qubes locally, I'm
not sure. I'm sure other people who are smarter than me have figured out
some possibilities, though.

As for the rest of your questions about the 'whys,' well, your guess is
as good as anyone else's.

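
One way to verify the external-firewall mitigation described in the reply above, as an added example that is not part of the thread: since the ME handles this traffic below the OS, the check has to run from a second machine on the far side of the firewall, not on the protected host. The port numbers are not given in the thread; they are Intel's documented AMT/ASF management ports (TCP only here), and the function names are this example's own.

```python
import socket
import sys

# Assumption (not from the thread): Intel's documented AMT/ASF ports.
# 16992/16993 = web UI and WS-Man over HTTP/HTTPS,
# 16994/16995 = redirection (SOL/IDE-R), 623/664 = ASF RMCP.
AMT_TCP_PORTS = (623, 664, 16992, 16993, 16994, 16995)


def probe(host, port, timeout=2.0):
    """Classify one TCP port: 'open', 'closed' (RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # a name-resolution failure says nothing about the firewall
    except OSError:
        # Timeouts and unreachable errors: something dropped the packets.
        return "filtered"


def audit(host, ports=AMT_TCP_PORTS, timeout=2.0):
    """Probe every management port; return ({port: state}, exposed_ports)."""
    states = {p: probe(host, p, timeout) for p in ports}
    exposed = sorted(p for p, s in states.items() if s == "open")
    return states, exposed


if __name__ == "__main__":
    # Target is a machine you administer, probed from outside the firewall.
    states, exposed = audit(sys.argv[1])
    for port, state in sorted(states.items()):
        print(f"{port:>5}/tcp  {state}")
    print("AMT ports reachable:", exposed or "none")
    sys.exit(1 if exposed else 0)
```

A port reported as open means the firewall is not stopping management traffic to that machine; closed or filtered on every port is the expected result when the block is in place.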