Intel ME Firmware (SA-00086) security flaw

I tried and failed because AMT module is absent on Alienwares, only Inspiron and XPS have them.

 

More of the same on NBR Even a video

 

@VICKYGAMEBOY Did you get my PM? Did it work perfectly?

 

@Vasudev sorry i just checked.. i dint get any attachments on that tho.. but ill wait for 5 more days.. if official ones doesnt show up.. ill do it ur way. thanks btw

 

Its a MS Onedrive link

 

right now im doing some design projects.. already im having boot issues after sleep mode.. will finish my works then format the system.. ill take the link.

 

@VICKYGAMEBOY @Vasudev @Papusan Keep this thread going and update people like me on what to do with this security flaw from intel. I tried reading the melt down and spectre thread and just gets confused(sorry for being such a newbie). I won't update anything as of the moment like windows update until Vickygameboy will play GP and guide the rest of us. hehehehe.. Thanks in advanced.. ^_^

 

I'm on latest microcode of an experimental BIOS cooked up by Daz (Daz loader fame).
VICKY will be GP'ing BIOS and ME updates.

 

Not With AMD iGPU but own design... Intel dGPUs could be in the works, possible first look leaked

 

To me this is a long known IT setup issue. I had to tell many clients they weren't setting the BIOS and AMT password, and some that were setting the BIOS password but not the AMT password - they just didn't know.

Intel does document this as needing to be set by IT, but in many cases early on companies weren't used to that level of administration, didn't study up on it, and apparently many are still not doing it.

But, this isn't a backdoor flaw per se, or a design failure, it's a cost of delivery decision.

There are higher priced security devices that come with secure code keys unique to each device, and required to run them, but that would be prohibitively expensive for mass production / use laptops, there can't be unique cryptokey passwords for every laptop.

So, the value of this "discovery" and disclosure is to once again remind corporate admins, and people that for some reason like to buy overpriced laptops that have AMT capability, that they need to set the Mebx Password along with the BIOS admin password.

Who here set's the BIOS password on their personal laptops?

Better get configuring...someone can lock you out of your laptop by setting your laptop's BIOS password.

Intel AMT security locks bypassed on corp laptops – fresh research
Easy as A, B, CTRL+P
By John Leyden 12 Jan 2018 at 16:08
https://www.theregister.co.uk/2018/01/12/intel_amt_insecure/

"...A large part of the problem is that enterprises are not following Intel's guidance in practice, said F-Secure, adding that it was going public in order to draw attention to the issue.

"We discovered the issue this summer, and since discovering it, we have found it in thousands of laptops," F-Secure told El Reg. "Despite there being information available for manufacturers on how to prevent this, manufacturers are still not following best practices, leaving vast numbers of vulnerable laptops out there. Organisations and users are left to protect against this themselves, but most don’t realize this is a problem. That is why it's important to raise public awareness."
...
The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. Chipzilla advises vendors to require the BIOS password when rolling out AMT. However, many device manufacturers do not follow this advice.

F-Secure recommends enterprises adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available. Below is a video by F-Secure on its findings..."