Daily Archives: May 18, 2017

Intel works with system vendors to address AMT vulnerability

In early May, Intel began the process of making available updates to resolve 2 critical security vulnerabilities within the hardware of corporate Intel systems. Security researchers located vulnerabilities within the co-processor which has the role of a management engine and to provide further features as part of Intel’s vPro technology. vPro allows IT teams to remotely administer systems (e.g. determine a systems status regardless of its condition, power on/power off, restart etc.) and provides capabilities including secure wiping of data should the device be lost or stolen.

Why should these vulnerabilities be considered important?
As documented within Intel’s advisory: The first vulnerability allows a remote attacker to gain system level privileges (the highest privileges available)(defined) thus allowing them to make any changes they wish to the affected system. This applies to systems with Intel Active Management Technology (AMT) or Intel® Standard Manageability (ISM) enabled.

The second vulnerability allows an attacker already located within your internal/corporate network to gain network or local system privileges on affected systems. This vulnerability affects AMT and systems with Intel Small Business Technology (SBT) enabled. Definitions for AMT, ISM and SBT are available from Intel. A useful FAQ on the vulnerabilities is available here.

Vulnerable systems are very likely to be in use by many corporate organisations and small businesses. The version numbers of the affected Intel technologies are listed within US-CERTs advisory. All Intel systems which have Intel Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology enabled are vulnerable. Such systems have been in production for more than nine years.

It should be noted that only business configured devices have such enablement capabilities, the same vulnerabilities do not exist on consumer devices.  However, given the increasingly blurry distinction between user and business devices, especially with concepts such as Bring your own device (BYOD)(defined) these issues can easily be widespread and will take time to address. Intel has published steps which will help to identify affected systems.  A tool is also available from Intel’s download center.

For this vulnerability to be successfully exploited the Active Management Technology (AMT) must be configured to support remote administration.  This tool is not configured by default.

Moreover while the above mentioned three management technologies are vulnerable, the first vulnerability can only be exploited if Active Management Technology (AMT) is provisioned. If not provisioned, the second vulnerability applies.

These vulnerabilities are particularly severe since the management engine co-processor (mentioned above) can access any memory region within an affected system without the primary Intel processor (CPU)(defined) being aware of it. The co-processor can send, receive, read/write data travelling on your network below the level at which firewalls operate thus bypassing them. The management engine can also read and write to the systems storage device (a hard drive) upon the successful authorisation of a user. The co-processor also has read and write access to the devices screen (your monitor) all while remaining undetected and unlogged (events are not captured within the logs of your operating systems making detection by SIEMs (defined) unviable).

How can I protect myself from these vulnerabilities?
Intel has created a list of affected vendors which links to their respective websites including the status of the availability of updates as well as already completed/available updates.

While the preparation of updates is in progress, the following mitigation options are available:

  1. Un-provisioning Intel manageability SKU (stock keeping unit) clients to mitigate unprivileged network attacker from gaining system privileges (Unprovisioning Tool v1.0)
  2. Disabling or removing the Local Manageability Service (LMS) to mitigate unprivileged local attacker from gaining system privileges
  3. Optionally configuring local manageability configuration restrictions

Unfortunately it will take time for vendors to issue updates for all affected systems. If you are in any doubt if your systems are affected, please contact them. In addition, please continue to access the list of vendor websites (provided above) to monitor when the updates to your systems become available. If due dates are instead present at this time, you can schedule a downtime window for these systems to be updated.

Thank you.

What is a stock keeping unit (SKU)?

It refers to a specific item stored to a specific location. The SKU is intended as the most disaggregated level when dealing with inventory (Source)

HP audio driver contained keylogger

Late last week it was announced the security firm Swiss security firm ModZero had responsibly disclosed (defined) to HP back in early April 2017 their discovery of an audio driver (Conexant HD Audio) containing a keylogger. The driver is known to be present on 28 HP devices (listed here).

Conexant also creates drivers to Asus, Lenovo and Dell, at this time it is not clear if they use the same driver (security analysts have been unable to discover any other devices using the affected driver).

How can I tell if my HP (or other device) is affected by this vulnerability?
This BleepingComputer article explains how to check for this vulnerability.

Why should this vulnerability be considered important?
The affected audio driver (versions up to and including contained the issue with the issue first being created in December 2015. Thus it has the potential to have gathered a vast quantity of information since this time.

Not only does the driver record key presses (using a low-level keyboard input hook (defined)) but the driver exposes the OutputDebugString and MapViewOfFile APIs (API, defined). The OutputDebugString API enables any running application to capture keystrokes while MapViewOfFile enables any framework or application with access to MapViewOfFile API to do the same.

Since the unencrypted keystrokes are stored in a text file, forensic investigators with access to the log file (stored at C:\Users\Public\MicTray.log) could potentially recover previously saved sensitive data (a reboot or power of the device clears the file). When backups of the affected systems are performed previous versions of this file would contain further captured (and potentially sensitive) information.

Since our keyboards are used to enter all kinds of sensitive information,  emails, chat/instant message conversations, social media posts, credit card numbers etc., this vulnerability could have serious consequences If the log contents were to be obtained by cyber criminals. The file might also contain credentials (usernames/passwords for the above mentioned activities.

From the information disclosed about this vulnerability, there is evidence to suggest the driver uploads/sends the information it gathers within that log to HP, Conexant or anyone else. However if you are creating unencrypted backups within a corporate, small business or consumer environment this file over time will contain more and more information gathered over time. If someone knew you create these backups and knew where to look within them (assuming they are not encrypted), they could gather significant volumes of sensitive information.

How can I protect myself from this vulnerability?
After ModZero disclosed this information to HP, HP made available a driver update (version 10.0.931.90) which removes the keylogging behavior. Moreover, the driver update will be made available via Windows Update for both 2016 and 2015 HP devices. HP Vice President Mike Nash clarified the logging feature of the driver was simply debugging code (defined) inadvertently left within the driver.

If you followed the steps above to check if your device was vulnerable but there is no driver update available, the same BleepingComputer article describes how to mitigate the vulnerability.

Thank you.

Google offers financial and technical support to open source projects

Early last week Google shared their results after beginning a project to fuzz (defined) test open source software (defined). Their project is currently processing 10 trillion test cases per day. Open source projects involved in this initiative include GNUTLS, BoringSSL, FFMpeg, JSON, Libpng, LibreOffice, LibSSH, OpenSSL and Wireshark (among many well-known others).

What is the purpose of their project?
The purpose of fuzzing is to repeatedly and thoroughly test how robust/secure the code of the enrolled open source projects is. More than 1000 bugs have found so far (approximately264 of which were potential security vulnerabilities).

As Google points out, this also helps to increase the reliability of the software being created since regressions (defined) are fixed within hours before they ever affect a user. Another aspect of this is other software bugs e.g. logic errors can be detected and corrected sooner.

In return for a project signing up to this initiative, Google have pledged to provide extra funding:

$1,000 USD for initial integration of the OSS-Fuzz tests into their development process

Up to $20,000 USD for ideal integration (an itemised list of how this figure is obtained is detailed here).

How this project become to be developed?
I have mentioned the Core Infrastructure Initiative (CII). on this blog before. This fuzzing project was created with assistance from the CII to benefit projects critical to the global IT infrastructure. This project is in progress alongside Project Wycheproof (with its objective to strengthen cryptographic implementations by having new implementations pass a series of tests to verify they are not affected by these particular implementation issues being checked for).

How does this project help the wider industry/community?
With projects such as those mentioned above used by large corporations, small business and consumers alike; the regular feature/security updates we all receive make these projects more stable and secure than they otherwise would be. The outcomes will be very similar to that of Pwn2Own.

With these benefits for the projects as well as all of their users, I hope projects such as this continue and expand in scope as time progresses.

Thank you.