Netgate Discussion Forum
    Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls

battles

Not knowing that much about how pfSense/pfBlockerNG works, I was wondering if pfSense somehow blocks incoming/outgoing data from Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface that bypasses the local computer's networking stack. I am not sure how you would set up pfSense to block such computer intrusions. It seems that if AMT/SOL can send out data, pfSense will allow traffic to pass in both directions.

Any insight about this? Thanks.

      https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

pfSense 2.3.4-RELEASE-p1 (i386)
FreeBSD 10.3-RELEASE-p19
pfBlockerNG 2.1.2_1
Snort Security 3.2.9.5_3
Intel(R) Atom(TM) CPU N270 @ 1.60GHz

bingo600

I would doubt that pfSense ever sees those packets, as it seems they're routed directly to AMT.

Have a look here.
http://thehackernews.com/2017/06/intel-amt-firewall-bypass.html

Seems like the best you can do is disable AMT in your BIOS.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

battles

Since my pfSense is running on an external controller, it seems that it would see it. Reading about this further, AMT is supposedly disabled on all Intel systems and must be activated using some kind of Intel software or firmware. I guess there isn't anything to really worry about, unless hackers have found a way to remotely activate it on other computers. It would be nice to discover what ports AMT uses, if any, to be able to permanently block them.

pfSense 2.3.4-RELEASE-p1 (i386)
FreeBSD 10.3-RELEASE-p19
pfBlockerNG 2.1.2_1
Snort Security 3.2.9.5_3
Intel(R) Atom(TM) CPU N270 @ 1.60GHz
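The ports AMT listens on are documented by Intel: TCP 16992/16993 (web UI and WS-Management), TCP 16994/16995 (redirection, which carries SOL and IDE-R), TCP/UDP 623 and 664 (RMCP/ASF) and TCP 5900 when KVM over VNC is enabled. The following pf.conf fragment is an added example, not from this thread or from the pfSense project, and it only helps in the setup described above, where pfSense is a separate box in the path; the interface names and the management-station address are assumptions.

```pf
# Added example: block and log Intel AMT management traffic at a separate
# pf/pfSense firewall that sits between the LAN and the Internet. It cannot
# protect the firewall host itself, because AMT bypasses that host's network
# stack entirely (see the linked articles above).

lan_if     = "em1"            # assumed LAN interface name
wan_if     = "em0"            # assumed WAN interface name
admin_host = "192.0.2.10"     # assumed management station allowed to use AMT

# Intel AMT listener ports (documented by Intel):
#   623/664      RMCP / ASF (TCP and UDP)
#   5900         KVM over VNC (only if enabled in AMT)
#   16992/16993  HTTP / HTTPS web UI and WS-Management
#   16994/16995  Redirection: Serial-over-LAN and IDE-R (plain / TLS)
amt_tcp = "{ 623 664 5900 16992 16993 16994 16995 }"
amt_udp = "{ 623 664 }"

# Let the one legitimate management station reach AMT on the LAN, logged.
pass in quick log on $lan_if proto tcp from $admin_host to any port $amt_tcp
pass in quick log on $lan_if proto udp from $admin_host to any port $amt_udp

# Everything else touching AMT ports, in either direction on either side,
# is dropped and logged so a hit shows up in the firewall log.
block log quick on { $lan_if $wan_if } proto tcp from any to any port $amt_tcp
block log quick on { $lan_if $wan_if } proto udp from any to any port $amt_udp
```

In the pfSense GUI the same thing is expressed as a Ports alias holding these numbers plus block rules (with logging) on the LAN and WAN interfaces; the raw syntax above is for a plain FreeBSD pf box.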

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.