On 05/02/2017 11:37 AM, David Hobach wrote:
>
>
> On 05/02/2017 07:25 AM, Vít Šesták wrote:
>> * I wonder what “exploitable locally” means. If physical access
>> is required, I am not sure what an attacker would gain (AEM bypass at
>> most, I guess). If it allows an unprivileged user to elevate privileges,
>> this might be interesting for Qubes, depending on the attack vector:
>> If it requires an attack over the network interface, then sys-net can
>> perform it.
>
> @remotely:
> sys-net probably does not protect you here as Intel AMT (ME) runs even
> on top of the OS (Xen/Qubes). So it just captures all Intel management
> traffic directly in cooperation with your Intel chipset ethernet card
> and forwards it to the ME chipset - it never goes the regular way [3];
> admittedly, it depends on Intel's implementation of VT-d. I guess they
> ignored VT-d for ME though... ah yes, they likely did: "ME’s desire
> for accessing the host memory cannot be constrained in any way, on the
> other hand, not even by VT-d." [1]
>
> @locally: Not sure whether sys-net helps with AMT enabled. After all
> an attacker might be able to route packets to your sys-net VM (-->
> =remotely)?
> The local forwarding service from [2] is probably not enabled in your
> sys-net though, so that's a plus.
>
> Maybe we'll see a QSB sooner or later... Just my 5 cents.
>
> [1] https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]
> https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075
> [3] https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
>

Local access issues aside for a moment, it sounds like if you can
externally block the affected network ports, then you can also mitigate
this that way. That could be done on the router level, but may not stop
someone on the same subnet as you from getting at your machine that way
(nor if your router is compromised).

Someone here suggested an Ethernet condom, and I actually think there
might be some merit to it. Maybe this is where those pocket routers
(ideally with upgradable open-source firmware) with both wifi and
ethernet ports can come in. A private, external firewall that connects
to the network, rather than your machine doing so directly, with rules
to block those ME management ports and other high-risk ports just for
your machine. It's sad that we may be at that point, however, where we
need to seriously consider external hardware blockers for all sorts of
ports like USB, HDMI, etc., just to protect our devices.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/oeakct%243sv%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.
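The external firewall box proposed above, as an added example that is not part of the thread: an nftables ruleset for a small router sitting between the laptop and the LAN that logs and drops forwarded traffic aimed at the AMT/ME management ports. The interface names (LAN_IF toward the network, HOST_IF toward the protected machine) and the presence of nftables on the box are assumptions; the port list is the set Intel's SA-00075 mitigation guidance names for AMT.

```shell
#!/bin/sh
# Added example (not from the thread): nftables rules for an external firewall
# box between the laptop and the LAN. Assumptions: the box runs nftables,
# LAN_IF faces the network, HOST_IF faces the protected laptop. The port list
# is the AMT/ME set from Intel's SA-00075 mitigation guidance (TCP 16992-16995
# for the web UI/WS-Management/redirection, 623/664 for RMCP/ASF); both TCP and
# UDP are blocked so provisioning/discovery traffic is covered as well.

LAN_IF="${LAN_IF:-eth0}"    # assumed interface toward the network/router
HOST_IF="${HOST_IF:-eth1}"  # assumed interface toward the protected machine
AMT_PORTS="16992, 16993, 16994, 16995, 623, 664"

# Number of ports in the block list (sanity check for the generated set).
amt_port_count() {
    echo "$AMT_PORTS" | tr ',' '\n' | grep -c .
}

# Emit the ruleset. Forwarded traffic from the LAN side to the host side that
# targets an AMT port is logged (so probes show up in the router's syslog)
# and dropped; everything else is left to the box's normal firewall policy.
amt_block_ruleset() {
    cat <<EOF
table inet amt_guard {
    set amt_ports {
        type inet_service
        elements = { $AMT_PORTS }
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$LAN_IF" oifname "$HOST_IF" tcp dport @amt_ports log prefix "amt-probe: " counter drop
        iifname "$LAN_IF" oifname "$HOST_IF" udp dport @amt_ports log prefix "amt-probe: " counter drop
    }
}
EOF
}

# Load the ruleset atomically, then list the table so the counters can be
# checked later to see whether anything on the LAN has been probing the ports.
amt_block_apply() {
    amt_block_ruleset | nft -f - && nft list table inet amt_guard
}

case "${1:-show}" in
    apply) amt_block_apply ;;
    show)  amt_block_ruleset ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run with `show` (the default) to review the generated rules, and with `apply` as root on the box to load them; the `counter` fields reported by `nft list table inet amt_guard` tell you whether anything has been hitting those ports.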