[opensuse] Make sure your firewall has ports 16992 & 16993 closed

I see nothing to suggest this doesn't impact Linux installs on the affected PCs.

http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...

"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."

The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged-in GUI.

Greg
--
Greg Freemyer
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, May 09, 2017 at 04:29:25AM -0400, Greg Freemyer wrote:
This is actually the Intel Management Engine, which is totally out of control of the operating system. Yes, close those ports, disable Intel ME in BIOS etc.

Ciao, Marcus

Sent from iPhone
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in the OS* won't fix it in any way.

On Tue, May 9, 2017 at 4:51 AM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Good point. They have to be closed by the network infrastructure before the packets get to the PC.

Sent from iPhone
Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.

Le 09/05/2017 à 11:28, Andrei Borzenkov a écrit :
>> but ordinary internet boxes do not forward ports by default
> Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.

How do you "connect directly to the internet"? AFAIK you always have to go through a gateway - at least as far as clients are concerned. On a server the fact is even more complicated, because you may have no access to the BIOS.

jdd

jdd@dodin.org wrote:
We have grown accustomed to NAT being everywhere, but that's not always the case. My PC is directly connected to the internet as 2a03:7520:4c68:1:21d:92ff:fe39:a132/64

--
Per Jessen, Zürich (11.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

On 05/09/2017 05:43 AM, Per Jessen wrote:
I have NAT on IPv4 but, like you, global addresses for IPv6. However, my computers are behind a firewall. The only exception would be the firewall itself, which is pfSense, running on an HP computer.

On Tue, May 9, 2017 at 5:36 AM, jdd@dodin.org <jdd@dodin.org> wrote:
Lots of servers in datacenters have an IPv4-routable IP and no external firewall. I have 2 of those, but neither has Intel AMT. If they did I'd have to talk to the hosting company about how to shut down those ports.

Greg

On 05/09/2017 03:49 AM, Greg Freemyer wrote: trimmed stuff
Or put another simple firewall upstream. Or de-provision the AMT.

But yes, I've always had Linux as my firewall and router on the assumption that I could control it better than some flimsy and never-updated gateway router. Now some kind of small gateway router is looking better and better. Preferably something that can show you a list of connections. That's really the only way you can find any hardware-embedded outbound connections AND prevent these hardware open-port back doors.

My current firewall computer is too old to have this flaw. But thousands of vulnerable machines were found on the internet in a brief scan according to the articles.

--
After all is said and done, more is said than done.

John Andersen wrote:
I read it to mean thousands of machines where those ports were open, but not necessarily machines vulnerable to this flaw.

--
Per Jessen, Zürich (11.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.

On 05/09/2017 11:46 AM, Per Jessen wrote:
I read it to mean that if it is open, it is vulnerable, however it appears there may have been versions of the AMT that did not accept blank passwords.

--
After all is said and done, more is said than done.

John Andersen wrote:
Yeah, that would make more sense, but a port scan does not ascertain vulnerability, only accessibility. Who knows.

--
Per Jessen, Zürich (7.8°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

On 05/09/2017 05:36 AM, jdd@dodin.org wrote:
> how do you "connect directly to the internet"?

Before moving to pfSense, I used openSUSE 13.1 for my firewall. That would be no different than any other computer connected directly to the Internet.

Am Dienstag, 9. Mai 2017, 11:05:17 CEST schrieb jdd@dodin.org:
...do you really trust the likes of AVM with that kind of security? I don't.

But on the other hand,

cloud:~ # nmap -sTU -p 16992-16993 eregion.kicks-ass.net

Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-09 11:34 CEST
Nmap scan report for eregion.kicks-ass.net (78.42.20.148)
Host is up (0.025s latency).
rDNS record for 78.42.20.148: HSI-KBW-078-042-020-148.hsi3.kabel-badenwuerttemberg.de
PORT      STATE    SERVICE
16992/tcp filtered amt-soap-http
16993/tcp filtered amt-soap-https
16992/udp filtered unknown
16993/udp filtered unknown

looks good to me.

cheers
Mathias

On 05/09/2017 01:34 AM, Marcus Meissner wrote:
According to Intel, these are the affected ports: 16992, 16993, 16994, 16995, 623, and 664.

Note that it may not be possible to disable IME in the BIOS. I asked our vendor if we were vulnerable (we use Supermicro boards) and they replied:

"A recent security issue (CVE-2017-5689) associated with Intel AMT was published on Intel's website on 5/1/17: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&langu... -- This vulnerability is exposed on platforms that use the ME firmware variant in the BIOS that enables AMT for system management. Supermicro Server and Storage product lines are not impacted by this vulnerability as system management is handled by the SPS firmware variant in the BIOS that enables system management through the BMC."

Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay. Plug-in Ethernet boards would also be safe.

Regards,
Lew
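An added example, not code from any post in this thread: a wrapper for the kind of external scan Mathias ran above, using the full port list from Lew's post, that reduces nmap's output to a verdict. As Per notes above, a scan shows only reachability, so it reports "reachable", never "vulnerable"; the target name is whatever you pass in, and it has to be run from outside the gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Scan the ports Intel lists (Lew's post)
# from OUTSIDE the network, the way Mathias did, and reduce nmap's normal
# output to a verdict. A scan shows reachability only, not whether AMT is
# provisioned or vulnerable (Per's point), so it says "reachable", never
# "vulnerable". Requires nmap; run from a host on the far side of the gateway.
AMT_PORTS="16992,16993,16994,16995,623,664"

# amt_port_check TARGET: TCP connect + UDP scan of the AMT ports, then verdict.
amt_port_check() {
    nmap -sTU -Pn -p "$AMT_PORTS" "$1" | amt_verdict
}

# amt_verdict: read nmap output on stdin. Prints one line per port that is
# reachable (open) or unresolved (open|filtered: UDP with no reply), then a
# summary; exit status 1 if anything is reachable, 0 otherwise.
amt_verdict() {
    awk '
        # port lines look like: 16992/tcp filtered amt-soap-http
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            port = $1; state = $2
            if (state == "open") {
                printf "REACHABLE %s\n", port
                reachable++
            } else if (state == "open|filtered") {
                printf "UNKNOWN %s (no reply; cannot tell open from filtered)\n", port
                unknown++
            } else {
                blocked++          # filtered or closed: what we want to see
            }
        }
        END {
            if (reachable > 0) {
                printf "%d AMT port(s) reachable from this vantage point\n", reachable
                exit 1
            }
            printf "no AMT ports reachable (%d filtered/closed, %d unknown)\n", blocked, unknown
        }'
}
```

The exit status makes it usable from cron or a monitoring check: a non-zero result means an AMT port answered from the outside and the upstream filtering needs attention.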

Lew Wolfgang wrote:
Yeah, that's a Supermicro special I think. We have quite a few Supermicro dedicated servers - the first ethernet port essentially has two MACs - one for the BMC, one for normal use. For the BMC, we use a private network range.

--
Per Jessen, Zürich (13.9°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.

09.05.2017 18:14, Per Jessen пишет:
Shared LAN is part of IPMI standard. I am aware of at least one other server vendor that offers both dedicated BMC and shared port (selected via firmware setup).

Andrei Borzenkov wrote:
I wasn't aware it is part of the standard. Both our IBM and our HP boxes have separate ports. I think the HP iLOs have some option for sharing too though. The Supermicro port is a little special - needs a module option to disable the CRC check or something like that.

--
Per Jessen, Zürich (12.3°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

On 05/09/2017 11:26 AM, Per Jessen wrote:
Our Supermicro mobos have a dedicated IPMI RJ-45 that, if not active, will fail over to the first motherboard RJ-45. This can be very confusing when you run with a network switch that doesn't allow multiple MAC addresses on a single interface! Our older Supermicros would unconditionally fail over, but later ones have a control in the BIOS that you can use to disable that unfortunate characteristic.

Regards,
Lew

On 05/09/2017 04:53 PM, Lew Wolfgang wrote:
???? A single interface, connected to a switch could have several MACs, for all the computers that connect through the other switch.

On May 9, 2017 1:53:42 PM PDT, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
Where do you find a switch that can only support one machine address per port? Is that something you sought out for security reasons? Sounds like built in obsolescence to me.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

On 05/09/2017 07:15 PM, John Andersen wrote:
It wasn't my idea! We had to use the switches the customer provided that used MAC address authentication. The MAC address had to be pre-registered in an LDAP database. The MAC could be used anywhere on the network, but an un-registered MAC would be connected to a "rogue" VLAN. The IPMI fallover MAC address on the Supermicro motherboards would bump the switch and you'd wind up in quarantine. They then tightened it down even further where any one switch port could only register one MAC at a time. They did this to control virtual hosting. Very confusing until you figure out what was going on. Intermittent loss of connectivity. Connecting to eth1 on the motherboard and registering that MAC fixed everything. I believe they were Brocade Fastiron switches.

Regards,
Lew

On 05/09/2017 10:15 PM, John Andersen wrote:
Some managed switches can be configured for the number of permissible MAC addresses and even allowed ones. This is for security purposes, but generally, switches can have more than one MAC on a port.

jdd@dodin.org wrote:
Only for Intel AMT - who in their right mind would open for external access to that ....

--
Per Jessen, Zürich (9.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

On Tue, May 9, 2017 at 4:50 AM, Per Jessen <per@computer.org> wrote:
The article says Internet scans for the ports have found about 9000 unprotected PCs, so it is done.

Greg Freemyer wrote:
> The article says Internet scans for the ports have found about 9000 unprotected PCs, so it is done.

Apparently some Intel business PCs have AMT installed. It's a critical bug, but only a risk to anyone who've been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.

/Per

Le 09/05/2017 à 11:13, Per Jessen a écrit :
As said in another post, this is done before the OS loads, so the OS firewall is not concerned, but the gateway should be.

jdd

On 05/09/2017 02:13 AM, Per Jessen wrote:
> It's a critical bug, but only a risk to anyone who've been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.

You are forgetting the fact that the AMT is often included on a class of machine that may ITSELF BE THE FIREWALL ROUTER GATEWAY for small to medium installations. So the only thing upstream of it is a pass-through configured modem to one of dozens of commercial broadband providers.

Buddy of mine works for a State Government, and although the entire network is run on VPNs, they have literally hundreds of these boxes in field offices all over the state.

--
After all is said and done, more is said than done.

On Tuesday 09 May 2017, Per Jessen wrote:
Business laptops also have iAMT. They usually also run within public WiFi. Even real life enemies (not only robots) may attack your machine there. Moreover iAMT is designed (AFAIR as opposed to IPMI) to be able to "call home" through any firewall, to make the administrator able to help even when the user and machine are on a business trip. Though I don't know whether this is related to this particular attack.

cu,
Rudi

Le 09/05/2017 à 10:50, Per Jessen a écrit :
Only for Intel AMT - who in their right mind would open for external access to that ....
not me but I know of gamers that are not that clever :-)

thanks
jdd

On 05/09/2017 04:29 AM, Greg Freemyer wrote:
With most firewalls, you have to open a port. They're normally all closed by default. I use pfSense here and previously used openSUSE for my firewall. I have to specifically enable any port I want to use.

On Tue, May 9, 2017 at 7:50 AM, James Knott <james.knott@rogers.com> wrote:
James, I assume you saw that no software firewall in the vulnerable server can block these sockets. You have to block the packets before they get to the server.

Now if you're using a standalone non-vulnerable openSUSE box as your firewall, that's fine for protecting systems behind it. It just can't protect itself.

Greg
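An added example, not code from any post in this thread: the upstream block Greg describes, written as an nftables ruleset for a separate Linux gateway (the interface name WAN is an assumption), dropping inbound traffic to the ports Intel lists before it reaches the AMT-capable hosts behind it.

```shell
#!/bin/sh
# Added example, not from the thread. nftables rules for a separate Linux box
# UPSTREAM of AMT-capable hosts: the hosts' own firewalls never see these
# ports (the ME answers before the OS), so the drop has to happen here. The
# gateway gets no protection from its own rules if its NIC has AMT (Greg's
# point); that box needs a non-AMT NIC or yet another device in front of it.
# Assumed (hypothetical) name: WAN is the internet-facing interface.
WAN="${WAN:-eth0}"
AMT_PORTS="16992, 16993, 16994, 16995, 623, 664"   # Intel's list, per Lew

# amt_gateway_ruleset: print the ruleset. The 'inet' family covers IPv4 and
# IPv6 in one table, which matters for hosts with global v6 addresses and no
# NAT in front of them (Per's setup). Declaring and flushing the table first
# makes re-applying the file idempotent instead of appending duplicate rules.
amt_gateway_ruleset() {
    cat <<EOF
table inet amt_block
flush table inet amt_block
table inet amt_block {
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$WAN" tcp dport { $AMT_PORTS } counter drop
        iifname "$WAN" udp dport { $AMT_PORTS } counter drop
    }
}
EOF
}

# amt_gateway_apply: load the ruleset atomically (needs root and nftables).
amt_gateway_apply() {
    amt_gateway_ruleset | nft -f -
}
```

After loading, `nft list table inet amt_block` shows the per-rule counters, so hits on the drop rules double as a cheap indicator that someone is probing those ports from outside.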

On 05/09/2017 09:20 AM, Greg Freemyer wrote:
My firewall is pfSense on an old computer. I used to use openSUSE, but I couldn't get it to work with DHCPv6-PD. I'll have to see if the HP computer that pfSense is running on has that "feature".

On 2017-05-09 21:03, John Andersen wrote:
I read the link in the first post (there were no other links posted when I asked, I still have other posts to read). I don't know what ARS is. I see it is something Intel, but what? Intel mother boards? The CPU? The network card? What can act on its own without the firewall intervention and respond to network packets on those ports, without the operating system intervention? It must be something with CPU independent from the main CPU..., or the OS would see it. I don't understand. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)

On Tue, May 9, 2017 at 7:16 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
From https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

"AMT is designed into a secondary (service) processor located on the motherboard"

> Intel mother boards? The CPU? The

Yes you do. If an enterprise puts a server in a datacenter and they need remote console access they need a way to do it. Lots of hardware solutions for that. This is one of them.

Greg

On 2017-05-10 04:05, Greg Freemyer wrote:
That link is instructive. I found it some minutes ago and was reading it :-)
I understand now, after reading the wikipedia article. Not everybody here has enterprise class hardware with that class of stuff, and uses it ;-) But apparently to make use of that "access port" you need specific software from Intel and others, and it is not cheap. I saw mention of even tablets having this thing, it may come included with some Intel processors (and AMD). Thus I don't see very clearly what kind of machines really have this thing. Or how to find out if a machine really has it or not. I'm not sure nmap does it (yes, I saw the example, I tried my machines, I'm not convinced). My entry firewall has those ports closed, I saw. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)

On 2017-05-10 04:18, Carlos E. R. wrote:
This other link explains a lot: http://mjg59.dreamwidth.org/48429.html -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
participants (11): Andrei Borzenkov, Carlos E. R., Greg Freemyer, James Knott, jdd@dodin.org, John Andersen, Lew Wolfgang, Marcus Meissner, Mathias Homann, Per Jessen, Ruediger Meier