On Tuesday, May 2, 2017 at 2:50:24 PM UTC-4, Reg Tiangha wrote:
> On 05/02/2017 11:37 AM, David Hobach wrote:
> >
> >
> > On 05/02/2017 07:25 AM, Vít Šesták wrote:
> >> * I wonder what “exploitable locally” means. If physical access
> >> is required, I am not sure what an attacker would gain (AEM bypass at
> >> most, I guess). If it allows an unprivileged user to elevate privileges,
> >> this might be interesting for Qubes, depending on the attack vector:
> >> If it requires attack over network interface, then sys-net can
> >> perform it.
> >
> > @remotely:
> > sys-net probably does not protect you here as Intel AMT (ME) runs even
> > on top of the OS (Xen/Qubes). So it just captures all Intel management
> > traffic directly in cooperation with your Intel chipset ethernet card
> > and forwards it to the ME chipset - it never goes the regular way [3];
> > admittedly, it depends on Intel's implementation of VT-d. I guess they
> > ignored VT-d for ME though... ah yes, they likely did: "ME’s desire
> > for accessing the host memory cannot be constrained in any way, on the
> > other hand, not even by VT-d." [1]
> >
> > @locally: Not sure whether sys-net helps with AMT enabled. After all
> > an attacker might be able to route packets to your sys-net VM (-->
> > =remotely)?
> > The local forwarding service from [2] is probably not enabled in your
> > sys-net though, so that's a plus.
> >
> > Maybe we'll see a QSB sooner or later... Just my 5 cents.
> >
> > [1] https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> > [2]
> > https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075
> > [3] https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
> >
> 
> Local access issues aside for a moment, it sounds like if you can
> externally block the affected network ports, then you can also mitigate
> this that way. That could be done on the router level, but may not stop
> someone on the same subnet as you from getting at your machine that way
> (nor if your router is compromised).
> 
> Someone here suggested an Ethernet condom, and I actually think there
> might be some merit to it. Maybe this is where those pocket routers
> (ideally with upgradable open-source firmware) with both wifi and
> ethernet ports can come in. A private, external firewall that connects
> to the network, rather than your machine doing so directly, with rules
> to block those ME management ports and other high-risk ports just for
> your machine. It's sad that we may be at that point, however, where we
> need to seriously consider external hardware blockers for all sorts of
> ports like USB, HDMI, etc, just to protect our devices.

What do you mean by pocket router? Is this like a cheap little router to
dongle off your PC? It seems interesting because I definitely can't trust my
home router at all...

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9d3929c-e5a1-4aff-b459-a04387fa3a2f%40googlegroups.com.
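The "external firewall for your machine" idea from Reg's message, worked through as an added example (this is not code from the thread or from the Qubes project). It does two things a practitioner would want before trusting such a box: it emits an nftables ruleset for an inline filter device that drops the Intel AMT management ports toward the protected host regardless of which side the traffic arrives from, and it parses an HTTP banner so you can tell whether a host actually has AMT listening. The port list is the one Intel gives in INTEL-SA-00075 (TCP 16992-16995, 623, 664); UDP 623 is added because ASF RMCP also runs there. The host address 192.0.2.10, the table name `amt_guard` and the sample responses are assumptions made for the example.

```python
import re
import socket

# TCP ports on which Intel AMT / ISM listen for management traffic, as listed
# in INTEL-SA-00075: 16992/16993 web UI and WS-Management (HTTP/HTTPS),
# 16994/16995 redirection (SOL, IDE-R) plain/TLS, 623/664 ASF RMCP plain/secure.
AMT_TCP_PORTS = (623, 664, 16992, 16993, 16994, 16995)
# ASF RMCP is also carried over UDP 623; blocked alongside the TCP ports.
AMT_UDP_PORTS = (623,)

# AMT's embedded web server identifies itself in the Server header.
AMT_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)?",
    re.IGNORECASE | re.MULTILINE,
)


def is_amt_port(port: int, proto: str = "tcp") -> bool:
    """True if traffic to this port should be dropped by the filter box."""
    ports = AMT_TCP_PORTS if proto == "tcp" else AMT_UDP_PORTS
    return port in ports


def nft_ruleset(protected_hosts) -> str:
    """nftables ruleset for an inline filter box (an OpenWrt-style pocket
    router) sitting between the protected machine(s) and everything else.
    New connections to AMT ports on a protected host are dropped whichever
    interface they arrive on, so a hostile upstream router and a peer on the
    same subnet are treated alike. Table name is an assumption."""
    hosts = ", ".join(protected_hosts)
    tcp = ", ".join(str(p) for p in AMT_TCP_PORTS)
    udp = ", ".join(str(p) for p in AMT_UDP_PORTS)
    return "\n".join([
        "table inet amt_guard {",
        "    set protected {",
        "        type ipv4_addr",
        f"        elements = {{ {hosts} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        # unsolicited AMT traffic to a protected host, from any interface",
        f"        ip daddr @protected tcp dport {{ {tcp} }} ct state new counter drop",
        f"        ip daddr @protected udp dport {{ {udp} }} counter drop",
        "    }",
        "}",
        "",
    ])


def parse_amt_banner(response: bytes):
    """Return the AMT firmware version advertised in an HTTP response, or None
    if the response does not come from an AMT web server."""
    text = response.decode("latin-1", "replace")
    m = AMT_SERVER_RE.search(text)
    if not m:
        return None
    return m.group(1) or "unknown"


def probe_amt(host: str, port: int = 16992, timeout: float = 3.0):
    """Fetch a banner from an AMT web port on a machine you own and classify
    it. Network I/O only; not exercised by the offline test below."""
    req = (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
           "Connection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        data = b""
        while len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_amt_banner(data)


# Constructed sample responses for the offline check (not captured from a
# real host): a 401 challenge carrying the AMT Server header, and an
# ordinary web server that must not be mistaken for AMT.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Digest realm=\"Digest:0123456789ABCDEF\", "
    b"nonce=\"deadbeef\", stale=\"false\", qop=\"auth\"\r\n"
    b"Server: Intel(R) Active Management Technology 9.1.41\r\n"
    b"Content-Type: text/html\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    print(nft_ruleset(["192.0.2.10"]))          # 192.0.2.10 is an assumed host
    print(parse_amt_banner(SAMPLE_AMT_RESPONSE))   # version from the sample
```

Load the ruleset on the box with `nft -f`. Two caveats the thread already hints at: if the pocket router runs as a transparent bridge, the `inet` forward hook only sees bridged frames once br_netfilter is loaded (or use the `bridge` family instead); and the rules only cover the same-subnet attacker if the protected host is the only thing on the inner side of the box, otherwise a peer behind the same filter still reaches AMT directly.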