On Mon, 1 May 2017, Vít Šesták wrote:

> * I wonder what “exploitable locally” means. If physical access is 
> required, I am not sure what an attacker would gain (AEM bypass at most, I 
> guess). If it allows an unprivileged user to elevate privileges, this might 
> be interesting for Qubes, depending on the attack vector: If it requires 
> attack over network interface, then sys-net can perform it. If it 
> involves ME software for the OS (maybe for accessing the MEI PCI 
> device), we should be adequately isolated on Qubes. I hope that Qubes 
> adds some protection in any case and it is not exploitable from other 
> VMs than sys-net.

The PDF from Intel linked earlier was pretty clear on this locally 
exploitable thing (when one connects the dots). It states "Disable LMS 
services" which, according to the description, listens on some ports and 
forwards that traffic to ME/AMT (supposedly using the PCI interface).
The reason for that is that ME/AMT has a fancy filter in the NIC that 
automatically captures only incoming packets to enable remote 
administration (without the host OS knowing anything about them) BUT a local 
machine/user cannot send incoming packets as it would require looping back 
the eth cable. To make (some?) ME/AMT capabilities available locally, LMS 
seems to provide a kludge that forwards those local requests to ME/AMT 
using the local PCI device, which allows an attacker to reach the 
vulnerable ME/AMT.

The document also stated that one should prevent re-enabling LMS and that 
an admin has the necessary rights to exploit it, so it doesn't matter whether 
such a user can reinstall LMS or not (LMS is a Windows service anyway but 
without much doubt, the attack would also work in Linux if the 
attacker can access the MEI PCI device). However, it remains unclear how 
an ME/AMT exploit adds to what an admin can already do (probably nothing that 
significant really).


-- 
 i.
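
A defender-side check for the local path the message above describes (a listener on the host that forwards to the MEI device), added here as an example and not part of the original message or of any Intel or Qubes tooling. The port list is an assumption: it is the set of IANA-registered Intel AMT/ASF ports, which the message does not name, and the `ss` sample is constructed.

```shell
#!/bin/sh
# Added example: look for the two things the LMS path needs on a Linux host,
# a listener on an AMT port and an accessible MEI device node.
# Assumption: IANA-registered Intel AMT/ASF ports; the message lists none.
AMT_PORTS="623 664 16992 16993 16994 16995"

# Read `ss -ltn` output on stdin; print "address port" per listener on an AMT port.
amt_listeners() {
    awk -v ports="$AMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            k = split($4, a, ":")      # port is whatever follows the last colon
            port = a[k]
            if (port in want) {
                addr = substr($4, 1, length($4) - length(port) - 1)
                print addr, port
            }
        }'
}

# List MEI device nodes in directory $1 (default /dev) with mode and owner,
# so that access by non-root users or groups is visible.
mei_nodes() {
    dir=${1:-/dev}
    for node in "$dir"/mei*; do
        [ -e "$node" ] || continue
        ls -ld "$node"
    done
}

# Live report for the current host; needs `ss` from iproute2.
report() {
    echo "MEI device nodes:"; mei_nodes
    echo "Listeners on AMT ports:"
    if command -v ss >/dev/null 2>&1; then ss -ltn | amt_listeners
    else echo "(ss not available)"; fi
}

# Constructed sample of `ss -ltn` output for a dry run.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:16992    0.0.0.0:*
LISTEN 0      128    [::1]:16993        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | amt_listeners   # dry run on the constructed sample
```

Call `report` on the host being checked. An empty listener list together with no MEI node readable by unprivileged users means neither half of the forwarding path is present there.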
