On 2017-05-10 23:27, Carlos Ayala wrote:
2017-05-10 16:23 GMT-05:00 Carlos Ayala <>:
2017-05-10 16:10 GMT-05:00 Carlos E. R. <>:
Wasn't that bug patched already? I saw some headlines about serious problems with Intel chips on /. but nothing more. =| Hmm. Here is the /. story: https://hardware.slashdot.org/story/17/05/01/228211/intel-patches-remote-exe...
According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.

In other words, you depend on your machine's manufacturer publishing a firmware update, and on you finding out about it. I'm not entirely clear on what kinds of machines are involved. If every i7 has it, there are a lot of people affected, unless it needs additional things on the board that may or may not be present.
Darn!! I forgot to edit the recipient of the message. =( This comment gives some interesting details: https://hardware.slashdot.org/comments.pl?sid=10557875&cid=54339489
As for not running Windows, that won't help. Further down the page linked above, it has instructions for Linux on how to see whether you are vulnerable. It also says:
However, an attacker who enables emulated serial support may be able to use that to configure grub to enable serial console. Remote graphical console seems to be problematic under Linux but some people claim to have it working, so an attacker would be able to interact with your graphical console as if you were physically present. Yes, this is terrifying.
They mention this other link: http://mjg59.dreamwidth.org/48429.html That one explains better what this is about.

How bad is this
****************

That depends. Unless you've explicitly enabled AMT at any point, you're probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don't have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…

How do I know if I have it enabled?
***********************************

Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:

1) A supported CPU
2) A supported chipset
3) Supported network hardware
4) The ME firmware to contain the AMT firmware

Merely having a "vPRO" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT.

Does this mean every Intel system built since 2008 can be taken over by hackers?
**********************************************************************

No. Most Intel systems don't ship with AMT. Most Intel systems with AMT don't have it turned on.

Is this a big deal anyway?
**************************

Yes. Fixing this requires a system firmware update in order to provide new ME firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix. Anyone who ever enables AMT on one of these devices will be vulnerable.
That's ignoring the fact that firmware updates are rarely flagged as security critical (they don't generally come via Windows update), so even when updates are made available, users probably won't know about them or install them.
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
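The lspci check quoted from mjg59 above (no "MEI"/"HECI" communication controller means AMT is not running; one being present only means the ME is there, not that AMT is provisioned), written out as a small POSIX shell helper. This is an added example, not code from the thread or from mjg59's post. The `SAMPLE_LSPCI` text is constructed so the script runs offline; on a real machine pipe the output of `lspci` into `mei_controllers` instead.

```shell
#!/bin/sh
# Added example: look for an Intel MEI/HECI communication controller in
# lspci output, the first signal named in the quoted post. Absence means
# AMT is not running; presence means only that the ME interface exists
# and AMT may or may not be provisioned.

# Constructed sample of lspci output (not captured from a real host).
SAMPLE_LSPCI='00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation HM65 Express Chipset Family LPC Controller (rev 05)'

# Filter: print only lspci lines describing an MEI/HECI communication
# controller. Reads stdin, so it works as: lspci | mei_controllers
mei_controllers() {
  grep -iE 'communication controller.*(MEI|HECI)'
}

# Count matching controllers in the lspci text passed as $1.
mei_count() {
  printf '%s\n' "$1" | mei_controllers | wc -l | tr -d ' '
}

# Exit status 0 if the lspci text in $1 names an MEI/HECI controller.
has_mei() {
  [ "$(mei_count "$1")" -gt 0 ]
}

# Human-readable verdict for the lspci text in $1, following mjg59's logic.
amt_verdict() {
  if has_mei "$1"; then
    echo "MEI/HECI controller present: ME interface exists; check the firmware splash (ctrl+p) to see whether AMT is provisioned"
  else
    echo "no MEI/HECI controller: AMT is not running on this system"
  fi
}

# Stand-alone run against the constructed sample; replace with real data via:
#   amt_verdict "$(lspci)"
amt_verdict "$SAMPLE_LSPCI"
```

The grep is deliberately loose (case-insensitive, either spelling) because vendors describe the device differently across chipset generations; the verdict for a hit is intentionally "go check", not "vulnerable", matching the quoted post.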