Despite the click-through “Don’t Do That” licence… you can bet some black hats are going to be reverse engineering the detection tool and the deltas between the versions of firmware.
Even though Intel has released a firmware update… there is still another huge hurdle. If I understand things correctly, this firmware is a blob within the BIOS firmware, i.e. your motherboard manufacturer needs to release an updated version (containing Intel’s blob) of their particular version of the BIOS.
Sysadmins all around the world then need to get around to reflashing their BIOSes… (PS: when did you last reflash your BIOS…)
Of course, a compromised ME could tweak things so the detection tool returned “This system is not vulnerable.”
NB: This is a cumulative update and is not an in-depth review.
Some Twitter commentary from Matthew Garrett: https://twitter.com/mjg59/status/932732774284328960
That tells you something about what their internal security reviews were like. Probably just a job posting that was there for HR or legal but never actually filled. ;)
Like testing, security takes a special mindset.
I, unlike many developers, will admit to being Bad at both.
I have a forgiving “make it” mindset.
I’m so focused on making, on mentally stretching over the unimplemented gaps to take something that doesn’t exist to something that might work… that I struggle to re-orient on looking for the unimplemented gaps to break them, to looking for the corner cases where I can insert a lever and twist.
The difference between myself and the average corporate “security” reviewer… is I know I’m crap.
The absolute best tool I have come across for aiding that re-orientation is threat modelling…
Sadly, it seems to be pitifully underutilized.
The usual corporate directive is “Make it Secure”.
Which is utterly meaningless in the absence of a threat model.
TLDR: multiple buffer overflows in Intel CSME including with remote vector
I don’t speak CPU low level stuff very well, but IIRC the Management Engine was the thing that MINIX was used in. One of those vulns references the kernel—is that MINIX here?
At least for the ME portions of the review, likely yes.
Sooo, how do folks patch their Intel firmware (e.g., ME, UEFI) if they don’t run Windows? :/
Lenovo provides a CD image for BIOS updates, but for some reason a “chipset” update doesn’t count. My guess is the update goes through the ME interface driver, and Intel only provided Windows code for that.