Intel's zero-day problem

Posted May 4, 2017 9:29 UTC (Thu) by arekm (guest, #4846)
Parent article: Intel's zero-day problem

> every recent Intel CPU contains a second, internal CPU

> the "second processor" to which Greve referred. It is present on all Intel's current chipsets

Is the second cpu in (intel) cpu or in (motherboard intel) chipset?

Intel's zero-day problem

Posted May 4, 2017 9:37 UTC (Thu) by zdzichu (subscriber, #17118) [Link] (2 responses)

According to Wikipedia, the second CPU is in chipset: https://en.wikipedia.org/wiki/Intel_Active_Management_Tec...

For the record, AMD equivalent of this (Platform Security Processor) is actually an ARM core embedded in x86_64 CPU itself.

Intel's zero-day problem

Posted May 4, 2017 16:21 UTC (Thu) by rahvin (guest, #16953) [Link] (1 responses)

Specifically: (this is all from Wiki using the parent link)

>Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout.[37] With the newer Intel architectures (Intel 5 Series onwards), ME is included into the Platform Controller Hub (PCH).[38][39]

The vulnerable processors are Nehalem (2008) and above, this means all vulnerable systems are the ones using the PCH, the replacement for the old north/south system after the northbridge was incorporated into the CPU. This is the largest chip on the motherboard that's not the CPU. Thank you for posting this, I was under the impression the ME was incorporated into the firmware on the CPU.

For those that are curious what the mangement engine can do:

Hardware-based AMT features on laptop and desktop PCs include:

Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
Remote power up / power down / power cycle through encrypted WOL.
Remote boot, via integrated device electronics redirect (IDE-R).
Console redirection, via serial over LAN (SOL).
Keyboard, video, mouse (KVM) over network.
Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
OOB alerting.
Persistent event log, stored in protected memory (not on the hard drive).
Access (preboot) the PC's universal unique identifier (UUID).
Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.
Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
Protected Audio/Video Pathway for playback protection of DRM-protected media.

Laptops with AMT also include wireless technologies:

Support for IEEE 802.11 a/g/n wireless protocols
Cisco-compatible extensions for Voice over WLAN

Oh and the ME is active even if the PC isn't powered on.

Intel's zero-day problem

Posted May 6, 2017 8:14 UTC (Sat) by marcH (subscriber, #57642) [Link]

> This is the largest chip on the motherboard that's not the CPU. Thank you for posting this, I was under the impression the ME was incorporated into the firmware on the CPU

It's not very clear what you meant here by "firmware".

Actually, if you hadn't given context then "CPU" wouldn't have been very clear either. I think you meant "SoC".

From https://en.wikipedia.org/wiki/Central_processing_unit
> An IC that contains a CPU may also contain memory, peripheral interfaces, and other components of a computer [like... some Management Engine?]; such integrated devices are variously called microcontrollers or systems on a chip (SoC).