Intel platforms from 2008 onwards have a remotely exploitable security hole

gofer_touch

gofer_touch

Happy patching!

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

Every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine)

https://www.reddit.com/r/linux/comments/68ma1a/every_intel_platform_with_amt_ism_and_sbt_from/

Intel platforms from 2008 onwards have a remotely exploitable security hole
https://news.ycombinator.com/item?id=14237266
 
Intel's getting the short end of the stick lately. Their screw up with the C2000 Atom CPUs, then their Puma6 chipset, now this. What the heck are they doing?
 
So between Aspeed AST2400 BMC and EFI we still have many more disclosures coming.
The whole ship is rotten and every server in the rack is affected.
Long live coreboot.
 
Phishfry said:
So between Aspeed AST2400 BMC and EFI we still have many more disclosures coming.
The whole ship is rotten and every server in the rack is affected.
Long live coreboot.
Click to expand...

Ha! The whole FLEET is rotten.

Can't wait to get my hands on a shiny new RISC-V machine! At least then I'll know what's inside if the sticker says "xxxxx inside" (or so the theory goes).
 
Yes, this is the way with anything: anything that has a "black box" component inside (in other words a box that you, the customer, don't have source code / blueprints for) and you can not know if there are backdoors ore other problems ahead, you can only hope.
 
Carpetsmoker said:
Perhaps the worst part is that Intel has known this for about five years but did nothing.

It looks like AMD is starting to offer competitive chips again, and not a moment too soon. Two manufacturers to choose from is still not a real free market, but it's a lot better than just one manufacturer to "choose" from.
Click to expand...

I think there may be too few eyes examining a lot of very terse code in some of the proprietary stuff. Some companies allocate development resources up to the point that "it works". In academia, OTOH, the resources are allocated to allow pontification of every little nuance, ad nauseum. Sometimes, they never get past the "pondering and pontificating" part of the subject. But ...

I like the RISC-V project. It has a better chance than previous efforts. They're handling the pontification portion of the project real well, and thanks to the instruction set and other internals that are no longer being controlled by NDAs and other encumberances, the various uni's can actually collaborate on this. So MIT and Princeton have been working on parts related to the massive parallelism that the eco-system is being tuned to use (some tests designed around 1000+ cores), while Berkeley and various alumni are spearheading the effort. There are spin-offs already that have actually made stuff. They say the synergy between the unis is like it's never been before, in terms of cooperation. So, something may result from the effort. There are plenty of eyes on it, and I'm certainly going to keep an eye on it myself ...
 
You must log in or register to reply here.
Back
Top