Intel CPU On-chip Management Engine Runs on MINIX

[lexluthermiester]

This article should be of interest; https://www.eff.org/deeplinks/2017/...security-hazard-and-users-need-way-disable-it

Having been following this problem since it was reported, the details are as follows;
If you have a system using Intel's AMT, to be vulnerable, it must be both enabled AND provisioned. Additionally, the source article seems to have missed the statement Intel made about the miniCPU in question not being on the CPU die, but rather elsewhere in the chipset. This is only a problem if enabled. If disabled, it has no access to the system.

 

[Static~Charge]

Last batch of dells I had run windows updates (those ones from Ms) restarted and literally said "updating firmware do not power off"

I mean I guess it could be doing something else and ms could just be full of it?

What model Dells? I've never seen that with the OptiPlex 790's and 7010's that we still use at work. I downloaded the BIOS updates directly from Dell and applied them myself. There was no other source for those updates, at least not from this past summer. If that has changed now, then I'm glad to see that Microsoft is taking active measures to plug the security hole.

I also guess these surface firmware updates pushed through windows update are a lie.

https://www.windowscentral.com/microsoft-pushes-fresh-firmware-updates-surface-book-surface-pro-4

No, you're just conveniently overlooking the fact that Microsoft is the system vendor for Surface laptops. If they choose to push the firmware updates for their hardware via Windows Update, that's their business.

 

[cdawall]

What model Dells? I've never seen that with the OptiPlex 790's and 7010's that we still use at work. I downloaded the BIOS updates directly from Dell and applied them myself. There was no other source for those updates, at least not from this past summer. If that has changed now, then I'm glad to see that Microsoft is taking active measures to plug the security hole.


No, you're just conveniently overlooking the fact that Microsoft is the system vendor for Surface laptops. If they choose to push the firmware updates for their hardware via Windows Update, that's their business.

That is the easiest item to site this happening with. I don't know what more you want, I linked the implementation of UEFI updates through Microsoft, linked them being used in practice and yet you still aren't happy. If you don't like my answer call Dell and ask? I mean holy hell you can lead a horse to water.

 

[Static~Charge]

That is the easiest item to site this happening with. I don't know what more you want, I linked the implementation of UEFI updates through Microsoft, linked them being used in practice and yet you still aren't happy. If you don't like my answer call Dell and ask? I mean holy hell you can lead a horse to water.

This is a case of "the horse wants to see the water, not be told that 'it's just over the next rise'." You say that you've seen it. I can't find anyone else who has. I Googled " "windows update" amt firmware " and got zero confirmations. On the contrary, I saw several posts that said it wasn't available on Windows Update. Pardon my skepticism, but I've heard far too many promises of what might be possible versus what actually is happening....

 

[Mirai2055]

"They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell."

It is not under a GPL license and I doubt they would have used it if it did have a GPL.

http://www.cs.vu.nl/~ast/intel/

 

[Mirai2055]

This article should be of interest; https://www.eff.org/deeplinks/2017/...security-hazard-and-users-need-way-disable-it

Having been following this problem since it was reported, the details are as follows;
If you have a system using Intel's AMT, to be vulnerable, it must be both enabled AND provisioned. Additionally, the source article seems to have missed the statement Intel made about the miniCPU in question not being on the CPU die, but rather elsewhere in the chipset. This is only a problem if enabled. If disabled, it has no access to the system.

This is correct. I am on the SCS team at Intel and I work directly with AMT technologies daily. There was a security hole that has since been patched, but regardless of any security issues you are safe if AMT is not enabled and provisioned.

 

[lexluthermiester]

This is correct. I am on the SCS team at Intel and I work directly with AMT technologies daily. There was a security hole that has since been patched, but regardless of any security issues you are safe if AMT is not enabled and provisioned.

Not sure if you are who you claim to be, but the citation on the above post kinda proves a point. Was going to post it myself, but you got to it first.

 

[cdawall]

This is a case of "the horse wants to see the water, not be told that 'it's just over the next rise'." You say that you've seen it. I can't find anyone else who has. I Googled " "windows update" amt firmware " and got zero confirmations. On the contrary, I saw several posts that said it wasn't available on Windows Update. Pardon my skepticism, but I've heard far too many promises of what might be possible versus what actually is happening....

What do you mean you couldn't find any? Did you actually try searching?

I mean jesus christ dude.

 

[R-T-B]

"They all can be used commercially if source code is provided upon request. That's pretty much the GPL in a nutshell."

It is not under a GPL license and I doubt they would have used it if it did have a GPL.

http://www.cs.vu.nl/~ast/intel/

I was talking about Linux derivitaves in that context. Minix and others may vary.

 

[nem..]

http://omicrono.elespanol.com/2017/11/minix-sistema-operativo-mas-utilizado-mundo-nadie-conoce/
Neither Windows or Android, the most popular operating system is another and you use it without knowing it

Your Windows, your Mac or your Linux may not be alone. If you have an Intel processor on your computer, whether desktop or laptop or server, chances are you have a hidden operating system. And this system, called MINIX, has even its own secret processor.

Intel launches an artificial intelligence chip that thinks like a human MINIX, the ace up the sleeve of Intel

AMT, where Intel and MINIX come together

This is where the interesting comes from. Intel AMT (Active Management Technology), also known as Intel Management Engine, is a kind of "secret processor" that works independently of the rest of the computer. It has nothing to do with the processor you use to play or to run the computer. It is a completely differentiated chip.

And in this hidden or secret processor is where Intel has decided to use MINIX. Intel AMT is able to access any region of memory, read and write all files, and even make a web server. All without the rest of the system even knowing of its existence. And everything working with MINIX, that system that was born with an educational purpose

 

[Static~Charge]

What do you mean you couldn't find any? Did you actually try searching?

Okay, genius. First, you never said jack about using WSUS or Dell Lifecycle Controller to do the updates. You said "Last batch of dells I had run windows updates (those ones from Ms)". Second, I specifically searched for "windows update amt firmware" and "windows update intel management engine firmware", not any firmware in general.

Third, I did a proof-of-concept test today. I found a Dell OptiPlex 7010 that had been turned off for a few months. I checked the PC and found that it had BIOS A23, dated August 25, 2016. This predates the AMT vulnerability announcement. I checked in Windows (7 Pro) and saw that the last update occurred on July 27, 2017.

I downloaded and installed the INTEL-SA-00075 Detection and Mitigation Tool. It reported that the system was vulnerable.

Next, I ran Windows Update multiple times, installing all Important and Optional updates, until no more were available. None of them said jack about an update for AMT or Intel Management Engine. I ran the tool again, and the system was still vulnerable.

Next, I downloaded and installed BIOS A25, dated May 22, 2017. This release was specifically intended to fix the AMT problem. It updated the Intel Management Engine firmware from 8.1.65.1586 to 8.1.71.3608. After Windows booted up, I ran the tool one last time. The system was not vulnerable.

So, I don't know if magic fairy dust was sprinkled on your machines, but all I can say is that Windows Update has never offered firmware for any non-Microsoft computer that I've seen in all of the years that I've been doing system support.

I mean jesus christ dude.

I mean Jesus Christ, dude, if you're going to include Enterprise-grade update methods that aren't available to the average user, then you need to say so.

 

[Mirai2055]

I was talking about Linux derivitaves in that context. Minix and others may vary.

Ah np. Just trying to inform. It is accurate about GPL, I was just pointing out Minix wasn't under it. One thing that is interesting is that even though
the version of Minix that Intel used to start with in the MeBX used pre 1.0 openssl (OpenSSL before 0.9.8l is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2009-3555).
I was told by a friend of mine in security that Intel uses there own custom version of OpenSSL in AMT. Hopefully they have mitigated this vulnerability??

 

[cdawall]

Okay, genius. First, you never said jack about using WSUS or Dell Lifecycle Controller to do the updates. You said "Last batch of dells I had run windows updates (those ones from Ms)". Second, I specifically searched for "windows update amt firmware" and "windows update intel management engine firmware", not any firmware in general.

Third, I did a proof-of-concept test today. I found a Dell OptiPlex 7010 that had been turned off for a few months. I checked the PC and found that it had BIOS A23, dated August 25, 2016. This predates the AMT vulnerability announcement. I checked in Windows (7 Pro) and saw that the last update occurred on July 27, 2017.

I downloaded and installed the INTEL-SA-00075 Detection and Mitigation Tool. It reported that the system was vulnerable.

Next, I ran Windows Update multiple times, installing all Important and Optional updates, until no more were available. None of them said jack about an update for AMT or Intel Management Engine. I ran the tool again, and the system was still vulnerable.

Next, I downloaded and installed BIOS A25, dated May 22, 2017. This release was specifically intended to fix the AMT problem. It updated the Intel Management Engine firmware from 8.1.65.1586 to 8.1.71.3608. After Windows booted up, I ran the tool one last time. The system was not vulnerable.

So, I don't know if magic fairy dust was sprinkled on your machines, but all I can say is that Windows Update has never offered firmware for any non-Microsoft computer that I've seen in all of the years that I've been doing system support.


I mean Jesus Christ, dude, if you're going to include Enterprise-grade update methods that aren't available to the average user, then you need to say so.

I have mentioned multiple times this was uefi windows....so what does windows 7 have to do with it?

And just since you missed it I can get the same updates he pushed with WSUS from windows update (not enterprise) and had you read that first thread you would have noticed that he was pulling those updates from the ms server which is the same as the one a normal user grabs.

 

[Static~Charge]

I have mentioned multiple times this was uefi windows....so what does windows 7 have to do with it?

And just since you missed it I can get the same updates he pushed with WSUS from windows update (not enterprise) and had you read that first thread you would have noticed that he was pulling those updates from the ms server which is the same as the one a normal user grabs.

Windows 7 may be old, but it will run in UEFI mode, in case you didn't notice. And this is the first time you've mentioned which version of Windows doesn't apply to your statements..... As for "I have mentioned multiple times this was uefi windows" - you did not. Don't take my word for it; go back through this thread and look. You listed a Microsoft link to the "Windows UEFI firmware update platform" in post 20. In the previous post, you finally said that your statements only apply to Windows systems running in UEFI mode. It's not my fault if I can't read your mind.

 

[cdawall]

Windows 7 may be old, but it will run in UEFI mode, in case you didn't notice. And this is the first time you've mentioned which version of Windows doesn't apply to your statements..... As for "I have mentioned multiple times this was uefi windows" - you did not. Don't take my word for it; go back through this thread and look. You listed a Microsoft link to the "Windows UEFI firmware update platform" in post 20. In the previous post, you finally said that your statements only apply to Windows systems running in UEFI mode. It's not my fault if I can't read your mind.

I assumed most people would put two and two together with the link to windows uefi firmware update platform being linked, followed by information on the surface pro (uefi). I apologize that there was confusion from something that obvious. Do you need anything else spoon fed?

Windows 7 uefi also isn't fully compliant so that isn't a route anyone would take this.

But carry on arguing. I'm just going to stand here with my documents from Microsoft stating what they can and do actually do. You keep trying to prove you are correct. I guess you win other than all of the firmware updates pushed across ms's update server they don't update firmware.

 

[Static~Charge]

I assumed most people would put two and two together with the link to windows uefi firmware update platform being linked, followed by information on the surface pro (uefi). I apologize that there was confusion from something that obvious. Do you need anything else spoon fed?

No, I just need you to state the parameters under which you're operating, instead of assuming that everyone's setup is like yours.

But carry on arguing. I'm just going to stand here with my documents from Microsoft stating what they can and do actually do. You keep trying to prove you are correct. I guess you win other than all of the firmware updates pushed across ms's update server they don't update firmware.

Saying "Microsoft pushes firmware updates to users" is not a blanket statement. If the PC is running in UEFI mode, then yes, they can push firmware updates. If the PC is not running in UEFI mode, then no, they don't push firmware updates.

You assumed that everyone is running Windows in UEFI mode; I assumed that they weren't. You know the old saying: When you assume, you make an "ass" out of "u" and "me".

I'm not wasting any more time on this topic.

 

[cdawall]

No, I just need you to state the parameters under which you're operating, instead of assuming that everyone's setup is like yours.


Saying "Microsoft pushes firmware updates to users" is not a blanket statement. If the PC is running in UEFI mode, then yes, they can push firmware updates. If the PC is not running in UEFI mode, then no, they don't push firmware updates.

You assumed that everyone is running Windows in UEFI mode; I assumed that they weren't. You know the old saying: When you assume, you make an "ass" out of "u" and "me".

I'm not wasting any more time on this topic.

I thought that was blatant when I made the comment about windows 7. You know the OS you have and isn't pushing it through. Next time I'll make sure to be obsurdly specific since linking the UEFI module didn't make it click in your head.

I also stated everything post 7 which is 8/8.1/10 all of which are typically used in UEFI.

The generic Microsoft pushes firmware updates is 100% true you have made the choice to nitpick based off of a 9 year old OS.