Netgate Discussion Forum

    SuperMicro X11SSi-LN4F + pfSense + Intel ME Bug

    • slu

      Hi,

      my pfSense box is based on SuperMicro X11SSi-LN4F which is affected by the Intel ME bug.
      Is this a security problem from WAN side?

      pfSense makes only a PPPoE connection to the WAN; there should be no way from the WAN to access the Intel ME, true?

      pfSense Gold subscription

      • Guest

        Hello, as I have just read on 4 websites, two things must be given for your device to be able to be
        attacked with a bad result for you. The first of them is the firmware version shown by the tool
        under the download link above, and the second point that must be given is the following: the ME unit
        must be enabled and configured, or better, so-called "provisioned"!

        Your SuperMicro X11SSi-LN4F supports the following CPUs:
        (fat marks)

        • Intel® Celeron®
        • Intel® Pentium®
        • Intel® 7th/6th Generation Core i3 series
        • Intel® Xeon® Processor E3-1200 v6/v5 series

        Please have a look at the Supermicro website for the following two things;

        • BIOS update or latest BIOS version
          Install the latest BIOS and have a look into the change log or release notes for ME bug fixes and patches
        • IPMI update or the latest BMC/IPMI firmware version
          Install the latest BIOS and have a look into the change log or release notes for ME bug fixes and patches

        Connect another HDD/SSD to your mainboard, boot from it an installed Windows 7, 8, 8.1 or 10,
        download the Intel tool shown under the link below, and run a test please.
        Intel SA-00075 detection and mitigation tool

        You will get something like the output shown in the code block here; it is copied over from the bigger Qotom thread,
        because some people there were also testing their equipment. Then you have to watch out for the following entries:

        Version: 10.0.25.1048
        

        Based on my information it should be updated, because it is under the version number 3000 (<3000).
        The last four digits are what count for this information! Let us imagine the ME version on your
        device is shown as "11.6.27.3264"; then it counts as 3264, and this is over 3000 and safe,
        or an updated version that cannot be attacked!

        Provisioning Mode: Not Provisioned
        

        But the other point is that your device is not provisioned, and that means:
        with both ME function variants, named "Active Management Technology" (AMT) and "Intel
        Standard Manageability" (ISM), attackers are able to gain higher access rights over the network
        if that remote function is activated and configured (provisioned); yours is not provisioned!!!

        Security holes in many Intel systems since 2010 (German language)

        Risk Assessment
        Based on the analysis performed by this tool, this system is not vulnerable; the ME SKU is not affected.
        
        Explanation: 
        
        If Vulnerable, contact your OEM for support and remediation of this system. 
        For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
        or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075
        
        INTEL-SA-00075 Detection Tool
        Application Version: 1.0.3.215
        Scan date: 2017-11-24 15:09:59
        
        Host Computer Information
        Name: DESKTOP-L7VJDFJ
        Manufacturer: To be filled by O.E.M.
        Model: To be filled by O.E.M.
        Processor Name: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
        Windows Version: Microsoft Windows 10 Education
        
        ME Information
        Version: 10.0.25.1048
        SKU: Consumer
        Provisioning Mode: Not Provisioned
        Control Mode: None
        Is CCM Disabled: True
        Driver installation found: True
        EHBC Enabled: False
        LMS service state: NotPresent
        microLMS service state: NotPresent
        Is SPS: False
        

        The ME unit can be completely deactivated, or it works in one of three available so-called
        "function modes", called "AMTSKU" by the SCS tool:

        • Intel Full AMT Manageability
        • Intel Standard Manageability
        • Intel Small Business Advantage (SBA)

        If you find devices behind your firewall that are affected too, you may block the ports at the
        firewall to prevent them from being attacked (16992, 16993, 16994, 16995, 623 and 664), disable
        the ME function in the BIOS and/or update the BIOS and firmware too, if you are properly supplied
        by the vendor; it must or should then show a number (the last four digits) over 3000 (>3000).
        All of this will be able to help you out. On Windows-based systems where nothing else
        helps, you could also try deactivating the Local Manageability Service (LMS).

        my pfSense box is based on SuperMicro X11SSi-LN4F which is affected by the Intel ME bug.

        How did you find this out? Did you perform this test already?

        Is this a security problem from WAN side?

        The picture (from Intel) below shows the "way" inside, bypassing your overlying OS,
        and as I am informed it will then pass through without being stopped. (Picture below)

        Sources:
        Intel patches remote hijacking vulnerability that lurked in chips for 7 years
        Remote access bug in Intel AMT worse than we thought, says researcher
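        Sicherheitslücke in vielen Intel-Systemen seit 2010 (German: "Security hole in many Intel systems since 2010")
        Tipps zur Intel-ME-Sicherheitslücke SA-00075 (German: "Tips on the Intel ME security hole SA-00075")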

        ![ME bug picture around the OS.jpg](/public/imported_attachments/1/ME bug picture around the OS.jpg)
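
Added example, not part of the original post and not Intel's code: a small Python parser that reads the detection tool's text report as quoted in the reply above and applies the two conditions the reply names (last version field under 3000, and ME provisioned). The function names `parse_report` and `assess` and the result keys are assumptions made for this sketch; the sample is abridged from the report in the post.

```python
import re

# Sample abridged from the tool output quoted in the post above.
SAMPLE = """\
INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215

Host Computer Information
Windows Version: Microsoft Windows 10 Education

ME Information
Version: 10.0.25.1048
SKU: Consumer
Provisioning Mode: Not Provisioned
LMS service state: NotPresent
"""

def parse_report(text):
    """Return {section: {key: value}}; a line without ':' starts a section."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            section = line
            report.setdefault(section, {})
        elif section is not None:
            report[section][key.strip()] = value.strip()
    return report

def assess(text):
    """Apply the post's two conditions to the 'ME Information' section only,
    so 'Application Version' and 'Windows Version' are never mistaken for it."""
    me = parse_report(text).get("ME Information", {})
    m = re.fullmatch(r"\d+\.\d+\.\d+\.(\d+)", me.get("Version", ""))
    if m is None:
        raise ValueError("no ME firmware version found in report")
    build = int(m.group(1))
    firmware_outdated = build < 3000  # the post's rule: last field under 3000
    # A missing or unknown provisioning value is treated as provisioned (fail closed).
    provisioned = me.get("Provisioning Mode", "").lower() != "not provisioned"
    return {"build": build, "firmware_outdated": firmware_outdated,
            "provisioned": provisioned,
            "exposed_per_post": firmware_outdated and provisioned}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
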
