[opensuse] Make sure your firewall has ports 16992 & 16993 closed
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
Greg
-- Greg Freemyer
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, May 09, 2017 at 04:29:25AM -0400, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
This is actually the Intel Management Engine, which is totally out of control of the operating system. Yes, close those ports, disable Intel ME in BIOS etc.
Ciao, Marcus
Sent from my iPhone
On 9 May 2017, at 11:34, Marcus Meissner <meissner@suse.de> wrote:
On Tue, May 09, 2017 at 04:29:25AM -0400, Greg Freemyer wrote: I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
This is actually the Intel Management Engine, which is totally out of control of the operating system.
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in OS* won't fix it in any way.
Yes, close those ports, disable Intel ME in BIOS etc.
Ciao, Marcus
On Tue, May 9, 2017 at 4:51 AM, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Sent from my iPhone
On 9 May 2017, at 11:34, Marcus Meissner <meissner@suse.de> wrote:
On Tue, May 09, 2017 at 04:29:25AM -0400, Greg Freemyer wrote: I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
This is actually the Intel Management Engine, which is totally out of control of the operating system.
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in OS* won't fix it in any way.
Good point. They have to be closed by the network infrastructure before the packets get to the PC.
On 09/05/2017 at 11:01, Greg Freemyer wrote:
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in OS* won't fix it in any way.
Good point. They have to be closed by the network infrastructure before the packets get to the PC.
but ordinary internet boxes do not forward ports by default (that I know of)
jdd
Sent from my iPhone
On 9 May 2017, at 12:05, "jdd@dodin.org" <jdd@dodin.org> wrote:
On 09/05/2017 at 11:01, Greg Freemyer wrote:
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in OS* won't fix it in any way.
Good point. They have to be closed by the network infrastructure before the packets get to the PC.
but ordinary internet boxes do not forward ports by default
Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.
On 09/05/2017 at 11:28, Andrei Borzenkov wrote:
but ordinary internet boxes do not forward ports by default
Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.
how do you "connect directly to the internet"? AFAIK you always have to go through a gateway - at least as long as clients are concerned
on a server the fact is even more complicated, because you may have no access to the bios
jdd
jdd@dodin.org wrote:
On 09/05/2017 at 11:28, Andrei Borzenkov wrote:
but ordinary internet boxes do not forward ports by default
Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.
how do you "connect directly to the internet"? AFAIK you always have to go through a gateway - at least as long as clients are concerned
We have grown accustomed to NAT being everywhere, but that's not always the case. My PC is directly connected to the internet as 2a03:7520:4c68:1:21d:92ff:fe39:a132/64
-- Per Jessen, Zürich (11.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 05/09/2017 05:43 AM, Per Jessen wrote:
We have grown accustomed to NAT being everywhere, but that's not always the case. My PC is directly connected to the internet as 2a03:7520:4c68:1:21d:92ff:fe39:a132/64
I have NAT on IPv4 but, like you, global addresses for IPv6. However, my computers are behind a firewall. The only exception would be the firewall itself, which is pfSense, running on an HP computer.
On Tue, May 9, 2017 at 5:36 AM, jdd@dodin.org <jdd@dodin.org> wrote:
On 09/05/2017 at 11:28, Andrei Borzenkov wrote:
but ordinary internet boxes do not forward ports by default
Who says about forwarding? If you connect your system directly to internet, you may think you are protected because you have firewall on your system.
how do you "connect directly to the internet"? AFAIK you always have to go through a gateway - at least as long as clients are concerned
on a server the fact is even more complicated, because you may have no access to the bios
jdd
Lots of servers in datacenters have an IPv4 routable IP and no external firewall. I have 2 of those, but neither has Intel AMT. If they did I'd have to talk to the hosting company about how to shut down those ports.
Greg
On 05/09/2017 03:49 AM, Greg Freemyer wrote:
trimmed stuff
Lots of servers in datacenters have an IPv4 routable IP and no external firewall. I have 2 of those, but neither has Intel AMT. If they did I'd have to talk to the hosting company about how to shut down those ports.
Or put another simple firewall upstream. Or de-provision the AMT
But yes, I've always had linux as my firewall and router on the assumption that I could control it better than some flimsy and never-updated gateway router. Now some kind of small gateway router is looking better and better. Preferably something that can show you a list of connections.
That's really the only way you can find any hardware embedded outbound connections AND prevent these hardware open-port back doors.
My current firewall computer is too old to have this flaw.
But thousands of vulnerable machines were found on the internet in a brief scan according to the articles.
-- After all is said and done, more is said than done.
John Andersen wrote:
On 05/09/2017 03:49 AM, Greg Freemyer wrote:
trimmed stuff
Lots of servers in datacenters have an IPv4 routable IP and no external firewall. I have 2 of those, but neither has Intel AMT. If they did I'd have to talk to the hosting company about how to shut down those ports.
Or put another simple firewall upstream. Or de-provision the AMT
But yes, I've always had linux as my firewall and router on the assumption that I could control it better than some flimsy and never-updated gateway router. Now some kind of small gateway router is looking better and better. Preferably something that can show you a list of connections.
That's really the only way you can find any hardware embedded outbound connections AND prevent these hardware open-port back doors.
My current firewall computer is too old to have this flaw.
But thousands of vulnerable machines were found on the internet in a brief scan according to the articles.
I read it to mean thousands of machines where those ports were open, but not necessarily machines vulnerable to this flaw.
-- Per Jessen, Zürich (11.2°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/09/2017 11:46 AM, Per Jessen wrote:
But thousands of vulnerable machines were found on the internet in a brief scan according to the articles.
I read it to mean thousands of machines where those ports were open, but not necessarily machines vulnerable to this flaw.
I read it to mean that if it is open, it is vulnerable, however it appears there may have been versions of the AMT that did not accept blank passwords.
-- After all is said and done, more is said than done.
John Andersen wrote:
On 05/09/2017 11:46 AM, Per Jessen wrote:
But thousands of vulnerable machines were found on the internet in a brief scan according to the articles.
I read it to mean thousands of machines where those ports were open, but not necessarily machines vulnerable to this flaw.
I read it to mean that if it is open, it is vulnerable,
Yeah, that would make more sense, but a port scan does not ascertain vulnerability, only accessibility. Who knows.
-- Per Jessen, Zürich (7.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 05/09/2017 05:36 AM, jdd@dodin.org wrote:
how do you "connect directly to the internet"?
Before moving to pfSense, I used openSUSE 13.1 for my firewall. That would be no different than any other computer connected directly to the Internet.
On Tuesday, 9 May 2017, 11:05:17 CEST, jdd@dodin.org wrote:
On 09/05/2017 at 11:01, Greg Freemyer wrote:
To add - those ports are intercepted by IME before reaching the OS. So they are not related to open ports in the OS which is running on this system, and closing those ports *in OS* won't fix it in any way.
Good point. They have to be closed by the network infrastructure before the packets get to the PC.
but ordinary internet boxes do not forward ports by default (that I know of)
jdd
...do you really trust the likes of AVM with that kind of security? I don't.
But on the other hand,
cloud:~ # nmap -sTU -p 16992-16993 eregion.kicks-ass.net
Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-09 11:34 CEST
Nmap scan report for eregion.kicks-ass.net (78.42.20.148)
Host is up (0.025s latency).
rDNS record for 78.42.20.148: HSI-KBW-078-042-020-148.hsi3.kabel-badenwuerttemberg.de
PORT      STATE    SERVICE
16992/tcp filtered amt-soap-http
16993/tcp filtered amt-soap-https
16992/udp filtered unknown
16993/udp filtered unknown
looks good to me.
cheers
Mathias
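The nmap run above is the right kind of check: it is made from a host outside the network, which is the only vantage point from which the AMT ports can be observed at all, since a firewall on the AMT-capable machine itself never sees them. The following Python script is an added example (not code posted by anyone in this thread) that performs the same external check with a plain TCP connect, extended to the full port list from the Intel advisory quoted later in the thread (16992-16995, 623, 664). It classifies each port as nmap does: "open" (a listener answered), "closed" (the host answered with a reset, so the packet got through) or "filtered" (no answer, which is what a correctly configured upstream firewall produces). The hostname on the command line and the injectable connector are assumptions of the example.

```python
"""External reachability check for the Intel AMT management ports.

Added example for this mailing-list thread, not code from any list member.
Run it from a machine *outside* the network being checked; a scan from the
AMT-capable host itself is meaningless because the ME answers before the OS.
"""
import socket
import sys
from typing import Any, Callable, Dict, List, Tuple

# Ports Intel lists for CVE-2017-5689, as quoted in the thread.
AMT_TCP_PORTS: Tuple[int, ...] = (16992, 16993, 16994, 16995, 623, 664)

# A connector takes ((host, port), timeout) and returns an object with close().
# socket.create_connection has this shape; the parameter exists so the
# classification logic can be exercised offline with a fake connector.
Connector = Callable[..., Any]


def classify_port(host: str, port: int, timeout: float,
                  connect: Connector = socket.create_connection) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        # RST came back: nothing is listening, but the packet reached the host.
        return "closed"
    except (socket.timeout, TimeoutError):
        # No SYN/ACK and no RST: something upstream is discarding the packets.
        return "filtered"
    except OSError:
        # No route / host unreachable: not reachable from this vantage point.
        return "filtered"
    conn.close()
    return "open"


def amt_exposure(host: str, ports: Tuple[int, ...] = AMT_TCP_PORTS,
                 timeout: float = 2.0,
                 connect: Connector = socket.create_connection) -> Dict[int, str]:
    """Map each AMT port to its observed state from this vantage point."""
    return {port: classify_port(host, port, timeout, connect) for port in ports}


def exposed_ports(report: Dict[int, str]) -> List[int]:
    """Ports a listener answered on: the ones to block upstream (or de-provision)."""
    return sorted(port for port, state in report.items() if state == "open")


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <host-or-ip>", file=sys.stderr)
        return 2
    report = amt_exposure(argv[1])
    for port, state in report.items():
        print(f"{port:>5}/tcp  {state}")
    exposed = exposed_ports(report)
    if exposed:
        print(f"AMT ports answering from here: {exposed}; block them upstream",
              file=sys.stderr)
        return 1
    print("no AMT port answered from this vantage point")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 amt_check.py <your-public-hostname>` from a host on the far side of the gateway; a non-zero exit status means at least one AMT port answered. As Per notes later in the thread, an answering port shows accessibility, not vulnerability, but an AMT port that answers from the Internet is the condition the Embedi advisory warns about, so it is worth acting on regardless of firmware version.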
On 05/09/2017 01:34 AM, Marcus Meissner wrote:
On Tue, May 09, 2017 at 04:29:25AM -0400, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
This is actually the Intel Management Engine, which is totally out of control of the operating system.
Yes, close those ports, disable Intel ME in BIOS etc.
According to Intel, these are the affected ports: 16992, 16993, 16994, 16995, 623, and 664.
Note that it may not be possible to disable IME in the bios. I asked our vendor if we were vulnerable (we use Supermicro boards) and they replied:
"A recent security issue (CVE-2017-5689) associated with Intel AMT was published on Intel's website on 5/1/17: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr -- This vulnerability is exposed on platforms that use the ME firmware variant in the BIOS that enables AMT for system management. Supermicro Server and Storage product lines are not impacted by this vulnerability as system management is handled by the SPS firmware variant in the BIOS that enables system management through the BMC."
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay. Plug-in Ethernet boards would also be safe.
Regards, Lew
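Several posts above make the same point: the host's own firewall cannot help, because the ME answers these ports before the OS sees the packets, so the block has to sit on a device upstream. As an added example (not a ruleset posted in this thread or published by any vendor), here is what that looks like on a Linux gateway in front of the AMT-capable machines, using the port list Lew quotes from Intel. The interface name `wan0` is an assumption; substitute the gateway's Internet-facing interface.

```nft
# Added example for this thread, not a ruleset from any list member.
# Load on a Linux gateway *upstream* of the AMT-capable hosts with:
#   nft -f amt_guard.nft
# Ports are the ones Intel lists for CVE-2017-5689 (quoted in the thread).
# "wan0" is a placeholder for the gateway's Internet-facing interface.
table inet amt_guard {
    set amt_ports {
        type inet_service
        elements = { 623, 664, 16992, 16993, 16994, 16995 }
    }

    # Traffic routed through the gateway towards the LAN.  Priority -10 puts
    # this chain ahead of a conventional filter chain at priority 0, and the
    # accept policy leaves every other decision to that chain, so this table
    # can be added to an existing ruleset without touching it.
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "wan0" tcp dport @amt_ports log prefix "amt-guard drop: " counter drop
        iifname "wan0" udp dport @amt_ports log prefix "amt-guard drop: " counter drop
    }
}
```

`nft list ruleset` shows the rules with their hit counters, and the `log` statement writes one kernel log line per dropped packet (prefixed `amt-guard drop:`), which gives a cheap detection signal for anyone probing those ports from outside. Two caveats already raised in the thread still apply: the table protects only hosts behind the gateway, never the gateway's own AMT-capable NIC (the ME on that NIC answers before nftables runs), and dropping inbound traffic does nothing about AMT's outbound "call home" behaviour that Rudi mentions.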
Lew Wolfgang wrote:
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay.
Yeah, that's a Supermicro special I think. We have quite a few Supermicro dedicated servers - the first ethernet port essentially has two MACs - one for the BMC, one for normal use. For the BMC, we use a private network range.
-- Per Jessen, Zürich (13.9°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 09.05.2017 18:14, Per Jessen wrote:
Lew Wolfgang wrote:
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay.
Yeah, that's a Supermicro special I think.
Shared LAN is part of IPMI standard. I am aware of at least one other server vendor that offers both dedicated BMC and shared port (selected via firmware setup).
Andrei Borzenkov wrote:
On 09.05.2017 18:14, Per Jessen wrote:
Lew Wolfgang wrote:
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay.
Yeah, that's a Supermicro special I think.
Shared LAN is part of IPMI standard. I am aware of at least one other server vendor that offers both dedicated BMC and shared port (selected via firmware setup).
I wasn't aware it is part of the standard. Both our IBM and our HP boxes have separate ports. I think the HP iLOs have some option for sharing too though. The Supermicro port is a little special - needs a module option to disable crc check or something like that.
-- Per Jessen, Zürich (12.3°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 05/09/2017 11:26 AM, Per Jessen wrote:
Andrei Borzenkov wrote:
On 09.05.2017 18:14, Per Jessen wrote:
Lew Wolfgang wrote:
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay.
Yeah, that's a Supermicro special I think.
Shared LAN is part of IPMI standard. I am aware of at least one other server vendor that offers both dedicated BMC and shared port (selected via firmware setup).
I wasn't aware it is part of the standard. Both our IBM and our HP boxes have separate ports. I think the HP iLOs have some option for sharing too though. The Supermicro port is a little special - needs a module option to disable crc check or something like that.
Our Supermicro mobos have a dedicated IPMI RJ-45 that if not active, will fallover to the first motherboard RJ-45. This can be very confusing when you run with a network switch that doesn't allow multiple MAC addresses on a single interface! Our older Supermicros would unconditionally fallover, but later ones have a control in the BIOS that you can use to disable that unfortunate characteristic.
Regards, Lew
On 05/09/2017 04:53 PM, Lew Wolfgang wrote:
This can be very confusing when you run with a network switch that doesn't allow multiple MAC addresses on a single interface!
???? A single interface, connected to a switch could have several MACs, for all the computers that connect through the other switch.
On May 9, 2017 1:53:42 PM PDT, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 05/09/2017 11:26 AM, Per Jessen wrote:
Andrei Borzenkov wrote:
On 09.05.2017 18:14, Per Jessen wrote:
Lew Wolfgang wrote:
Also note that only the first (eth0) port on Supermicro motherboards is affected. If you use the second (eth1) motherboard port for external connectivity you should be okay.
Yeah, that's a Supermicro special I think.
Shared LAN is part of IPMI standard. I am aware of at least one other server vendor that offers both dedicated BMC and shared port (selected via firmware setup).
I wasn't aware it is part of the standard. Both our IBM and our HP boxes have separate ports. I think the HP iLOs have some option for sharing too though. The Supermicro port is a little special - needs a module option to disable crc check or something like that.
Our Supermicro mobos have a dedicated IPMI RJ-45 that if not active, will fallover to the first motherboard RJ-45. This can be very confusing when you run with a network switch that doesn't allow multiple MAC addresses on a single interface! Our older Supermicros would unconditionally fallover, but later ones have a control in the BIOS that you can use to disable that unfortunate characteristic.
Regards, Lew
Where do you find a switch that can only support one machine address per port? Is that something you sought out for security reasons? Sounds like built in obsolescence to me.
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 05/09/2017 07:15 PM, John Andersen wrote:
On May 9, 2017 1:53:42 PM PDT, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
Our Supermicro mobos have a dedicated IPMI RJ-45 that if not active, will fallover to the first motherboard RJ-45. This can be very confusing when you run with a network switch that doesn't allow multiple MAC addresses on a single interface! Our older Supermicros would unconditionally fallover, but later ones have a control in the BIOS that you can use to disable that unfortunate characteristic.
Regards, Lew
Where do you find a switch that can only support one machine address per port?
Is that something you sought out for security reasons?
Sounds like built in obsolescence to me.
It wasn't my idea! We had to use the switches the customer provided that used MAC address authentication. The MAC address had to be pre-registered in an LDAP database. The MAC could be used anywhere on the network, but an un-registered MAC would be connected to a "rogue" VLAN. The IPMI fallover MAC address on the Supermicro motherboards would bump the switch and you'd wind up in quarantine.
They then tightened it down even further where any one switch port could only register one MAC at a time. They did this to control virtual hosting. Very confusing until you figure out what was going on. Intermittent loss of connectivity. Connecting to eth1 on the motherboard and registering that MAC fixed everything. I believe they were Brocade Fastiron switches.
Regards, Lew
On 05/09/2017 10:15 PM, John Andersen wrote:
Where do you find a switch that can only support one machine address per port?
Is that something you sought out for security reasons?
Sounds like built in obsolescence to me.
Some managed switches can be configured for the number of permissible MAC addresses and even allowed ones. This is for security purposes, but generally, switches can have more than one MAC on a port.
On 09/05/2017 at 10:29, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
Greg -- Greg Freemyer
may this be opened without us knowing? (are these ports used by common applications?)
thanks
jdd
jdd@dodin.org wrote:
On 09/05/2017 at 10:29, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
Greg -- Greg Freemyer
may this be opened without us knowing? (are these ports used by common applications?)
Only for Intel AMT - who in their right mind would open for external access to that ....
-- Per Jessen, Zürich (9.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Tue, May 9, 2017 at 4:50 AM, Per Jessen <per@computer.org> wrote:
jdd@dodin.org wrote:
On 09/05/2017 at 10:29, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
Greg -- Greg Freemyer
may this be opened without us knowing? (are these ports used by common applications?)
Only for Intel AMT - who in their right mind would open for external access to that ....
The article says Internet scans for the ports have found about 9000 unprotected PCs, so it is done.
Greg Freemyer wrote:
The article says Internet scans for the ports have found about 9000 unprotected PCs, so it is done.
Apparently some Intel business PCs have AMT installed. It's a critical bug, but only a risk to anyone who's been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.
/Per
On 09/05/2017 at 11:13, Per Jessen wrote:
It's a critical bug, but only a risk to anyone who's been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.
as said in another post, this is done before the OS loads, so the OS firewall is not concerned, but the gateway should be
jdd
On 05/09/2017 02:13 AM, Per Jessen wrote:
It's a critical bug, but only a risk to anyone who's been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.
You are forgetting the fact that the AMT is often included on a class of machine that may ITSELF BE THE FIREWALL ROUTER GATEWAY for small to medium installations. So the only thing upstream of it is a pass-through configured modem to one of dozens of commercial broadband providers. Buddy of mine works for a State Government, and although the entire network is run on VPNs, they have literally hundreds of these boxes in field offices all over the state.
-- After all is said and done, more is said than done.
On Tuesday 09 May 2017, Per Jessen wrote:
Greg Freemyer wrote:
The article says Internet scans for the ports have found about 9000 unprotected PCs, so it is done.
Apparently some Intel business PCs have AMT installed.
It's a critical bug, but only a risk to anyone who's been silly enough to open the firewall for external access to that Intel Management thingie. Unless I've completely misunderstood the issue.
Business laptops also have iAMT. They usually also run within public WiFi. Even real life enemies (not only robots) may attack your machine there. Moreover iAMT is designed (AFAIR in contrast to IPMI) to be able to "call home" through any firewall. To make the administrator able to help even when the user and machine are on a business trip. Though I don't know whether this is related to this particular attack.
cu, Rudi
On 09/05/2017 at 10:50, Per Jessen wrote:
Only for Intel AMT - who in their right mind would open for external access to that ....
not me but I know of gamers that are not that clever :-)
thanks
jdd
With most firewalls, you have to open a port. They're normally all closed by default. I use pfSense here and previously used openSUSE for my firewall. I have to specifically enable any port I want to use.
On 05/09/2017 04:29 AM, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
Greg -- Greg Freemyer
On Tue, May 9, 2017 at 7:50 AM, James Knott <james.knott@rogers.com> wrote:
With most firewalls, you have to open a port. They're normally all closed by default. I use pfSense here and previously used openSUSE for my firewall. I have to specifically enable any port I want to use.
James,
I assume you saw that no software firewall in the vulnerable server can block these sockets. You have to block the packets before they get to the server.
Now if you're using a standalone non-vulnerable openSUSE box as your firewall, that's fine for protecting systems behind it. It just can't protect itself.
Greg
On 05/09/2017 09:20 AM, Greg Freemyer wrote:
On Tue, May 9, 2017 at 7:50 AM, James Knott <james.knott@rogers.com> wrote:
With most firewalls, you have to open a port. They're normally all closed by default. I use pfSense here and previously used openSUSE for my firewall. I have to specifically enable any port I want to use.
James,
I assume you saw that no software firewall in the vulnerable server can block these sockets. You have to block the packets before they get to the server.
Now if you're using a standalone non-vulnerable openSUSE box as your firewall, that's fine for protecting systems behind it. It just can't protect itself.
Greg
My firewall is pfSense on an old computer. I used to use openSUSE, but I couldn't get it to work with DHCPv6-PD. I'll have to see if the HP computer that pfSense is running on has that "feature".
On 05/09/2017 03:59 PM, James Knott wrote:
On 05/09/2017 09:20 AM, Greg Freemyer wrote:
On Tue, May 9, 2017 at 7:50 AM, James Knott <james.knott@rogers.com> wrote:
With most firewalls, you have to open a port. They're normally all closed by default. I use pfSense here and previously used openSUSE for my firewall. I have to specifically enable any port I want to use.
James,
I assume you saw that no software firewall in the vulnerable server can block these sockets. You have to block the packets before they get to the server.
Now if you're using a standalone non-vulnerable openSUSE box as your firewall, that's fine for protecting systems behind it. It just can't protect itself.
Greg
My firewall is pfSense on an old computer. I used to use openSUSE, but I couldn't get it to work with DHCPv6-PD. I'll have to see if the HP computer that pfSense is running on has that "feature".
My firewall computer has an AMD Athlon CPU, so it's safe.
On 2017-05-09 10:29, Greg Freemyer wrote:
I see nothing to suggest this doesn't impact Linux installs on the affected PCs.
http://www.zdnet.com/article/intel-chip-vulnerability-lets-hackers-easily-re...
"But Embedi warned that any affected internet-facing device with open ports 16992 and 16993 are at risk. "Access to ports 16992/16993 are the only requirement to perform a successful attack," said the Embedi researchers."
The bug is pretty horrendous and gives remote attackers access to the remote console. If you have auto-login enabled it may give the attacker a nice logged in GUI.
What types of machines are affected?

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 2017-05-09 21:03, John Andersen wrote:
On 05/09/2017 08:34 AM, Carlos E. R. wrote:
What types of machines are affected?
Hundreds. follow the links in thread or just read ARS. The story is all over the press.
I read the link in the first post (there were no other links posted when I asked, I still have other posts to read). I don't know what ARS is.

I see it is something Intel, but what? Intel mother boards? The CPU? The network card? What can act on its own without the firewall intervention and respond to network packets on those ports, without the operating system intervention? It must be something with CPU independent from the main CPU..., or the OS would see it.

I don't understand.
On Tue, May 9, 2017 at 7:16 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2017-05-09 21:03, John Andersen wrote:
On 05/09/2017 08:34 AM, Carlos E. R. wrote:
What types of machines are affected?
Hundreds. follow the links in thread or just read ARS. The story is all over the press.
I read the link in the first post (there were no other links posted when I asked, I still have other posts to read). I don't know what ARS is.
I see it is something Intel, but what?
From https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

"AMT is designed into a secondary (service) processor located on the motherboard"

Intel mother boards? The CPU? The network card? What can act on its own without the firewall intervention and respond to network packets on those ports, without the operating system intervention? It must be something with CPU independent from the main CPU..., or the OS would see it.
I don't understand.
Yes you do.

If an enterprise puts a server in a datacenter and they need remote console access they need a way to do it. Lots of hardware solutions for that. This is one of them.

Greg
On 2017-05-10 04:05, Greg Freemyer wrote:
On Tue, May 9, 2017 at 7:16 PM, Carlos E. R. <> wrote:
On 2017-05-09 21:03, John Andersen wrote:
On 05/09/2017 08:34 AM, Carlos E. R. wrote:
What types of machines are affected?
Hundreds. follow the links in thread or just read ARS. The story is all over the press.
I read the link in the first post (there were no other links posted when I asked, I still have other posts to read). I don't know what ARS is.
I see it is something Intel, but what?
From https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
"AMT is designed into a secondary (service) processor located on the motherboard"
That link is instructive. I found it some minutes ago and was reading it :-)
Intel mother boards? The CPU? The network card? What can act on its own without the firewall intervention and respond to network packets on those ports, without the operating system intervention? It must be something with CPU independent from the main CPU..., or the OS would see it.
I don't understand.
Yes you do.
If an enterprise puts a server in a datacenter and they need remote console access they need a way to do it. Lots of hardware solutions for that. This is one of them.
I understand now, after reading the Wikipedia article.

Not everybody here has enterprise class hardware with that class of stuff, and uses it ;-)

But apparently to make use of that "access port" you need specific software from Intel and others, and it is not cheap. I saw mention of even tablets having this thing, it may come included with some Intel processors (and AMD). Thus I don't see very clearly what kind of machines really have this thing. Or how to find out if a machine really has it or not. I'm not sure nmap does it (yes, I saw the example, I tried my machines, I'm not convinced).

My entry firewall has those ports closed, I saw.
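The two practical questions in this thread, Greg's point that a firewall running on the affected box cannot see traffic the Management Engine answers itself, and Carlos's question of how to tell whether a machine really has AMT, can both be answered with the following added example. It is not code from the list, from Intel or from Embedi. It probes from a different machine, which is the only vantage point that works, since packets to 16992/16993 are consumed by the ME before the OS or its firewall sees them: it connects to the AMT ports and fetches the headers of the management web UI on 16992, which identifies itself with a "Server: Intel(R) Active Management Technology <version>" header and challenges with HTTP Digest (the Embedi bug is in how the firmware checked that Digest response). On the Linux host itself, the ME's host interface shows up as a PCI communication controller named MEI/HECI (kernel driver mei_me, device nodes /dev/mei*); that only says the chipset has an ME, not that AMT is provisioned and listening, which is why the network probe is the decisive check. The target address 192.0.2.10 and the sample HTTP response and lspci line are constructed for illustration; the extra ports 16994/16995/623/664 are AMT's redirection and ASF RMCP ports, which the same firmware serves.

```python
"""Check a host for an exposed Intel AMT listener (from the network) and for the
ME host interface (on the Linux host itself). Added example for the thread
above; not code from the list, from Intel or from Embedi."""
import glob
import re
import socket
import subprocess
from typing import Dict, List, Optional

# Ports the AMT firmware itself listens on. 16992/16993 are the two named in the
# thread (management web UI over HTTP/HTTPS); the rest are AMT's redirection
# (SOL / IDE-R) and ASF RMCP ports, served by the same firmware.
AMT_PORTS = {16992: "AMT web UI (HTTP)", 16993: "AMT web UI (HTTPS)",
             16994: "AMT redirection", 16995: "AMT redirection (TLS)",
             623: "ASF RMCP", 664: "ASF secure RMCP"}

# The AMT web server identifies itself in its Server header.
AMT_SERVER_RE = re.compile(
    rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample of an AMT 11 firmware's reply to an unauthenticated
# GET /index.htm: a Digest challenge plus the tell-tale Server header.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", nonce="abc"\r\n'
    b"Server: Intel(R) Active Management Technology 11.0.0.1202\r\n"
    b"Content-Length: 0\r\n\r\n")

# Constructed sample lspci line for a board with the ME host interface; the
# device name varies by chipset generation ("MEI Controller", "HECI", "CSME HECI").
SAMPLE_LSPCI = ("00:16.0 Communication controller: Intel Corporation "
                "7 Series/C216 Chipset Family MEI Controller #1 (rev 04)\n")
ME_PCI_RE = re.compile(r"\b(MEI|HECI|CSME)\b")


def parse_amt_banner(response: bytes) -> Optional[str]:
    """Return the AMT Server header value, or None if this is not AMT's web UI."""
    match = AMT_SERVER_RE.search(response)
    return match.group(1).strip().decode("ascii", "replace") if match else None


def probe_amt_http(host: str, port: int = 16992, timeout: float = 3.0) -> Optional[str]:
    """Fetch the headers for /index.htm on the plaintext AMT port; return the AMT
    banner or None. Run it from ANOTHER machine: on the affected host the ME
    answers the packet before the kernel or its firewall ever sees it."""
    request = f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            data = b""
            while len(data) < 8192 and b"\r\n\r\n" not in data:
                chunk = sock.recv(2048)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, filtered, timed out, unreachable
        return None
    return parse_amt_banner(data)


def scan_amt_ports(host: str, ports=AMT_PORTS, timeout: float = 1.0) -> List[int]:
    """TCP connect scan of the AMT ports; returns those accepting a connection."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def local_me_indicators(lspci_output: str, mei_devices: List[str]) -> Dict[str, object]:
    """Does this Linux host show an ME host interface (PCI device, /dev/mei*)?
    That proves the chipset has an ME, not that AMT is provisioned and listening;
    the network probe is the decisive check for that."""
    return {"me_pci_device": bool(ME_PCI_RE.search(lspci_output)),
            "mei_char_devices": sorted(mei_devices)}


def check_local_host() -> Dict[str, object]:
    """local_me_indicators() against the live system (lspci and /dev/mei*)."""
    try:
        lspci = subprocess.run(["lspci"], capture_output=True, text=True,
                               check=False).stdout
    except FileNotFoundError:  # pciutils not installed
        lspci = ""
    return local_me_indicators(lspci, glob.glob("/dev/mei*"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed address
    print("open AMT ports:", scan_amt_ports(target))
    print("AMT banner on 16992:", probe_amt_http(target))
    print("local ME host interface:", check_local_host())
```

Run it as `python3 amt_check.py <address>` from a second box on the same network segment, once per machine you care about. A banner on 16992 means the firmware is provisioned and answering on its own, and the fix is exactly what Marcus and Greg said: drop those ports on the upstream firewall (the host's own rules never see them) and unprovision or disable AMT in the BIOS/MEBx until the firmware is updated. A host with /dev/mei0 but no listener has an ME but no network-facing AMT, which matches Carlos's observation that consumer boards rarely have it switched on.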
On 2017-05-10 04:18, Carlos E. R. wrote:
On 2017-05-10 04:05, Greg Freemyer wrote:
On Tue, May 9, 2017 at 7:16 PM, Carlos E. R. <> wrote:
On 2017-05-09 21:03, John Andersen wrote:
On 05/09/2017 08:34 AM, Carlos E. R. wrote:
What types of machines are affected?
Hundreds. follow the links in thread or just read ARS. The story is all over the press.
I read the link in the first post (there were no other links posted when I asked, I still have other posts to read). I don't know what ARS is.
I see it is something Intel, but what?
From https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
"AMT is designed into a secondary (service) processor located on the motherboard"
That link is instructive. I found it some minutes ago and was reading it :-)
This other link explains a lot: http://mjg59.dreamwidth.org/48429.html
participants (11)
- Andrei Borzenkov
- Carlos E. R.
- Greg Freemyer
- James Knott
- jdd@dodin.org
- John Andersen
- Lew Wolfgang
- Marcus Meissner
- Mathias Homann
- Per Jessen
- Ruediger Meier