Critical Flaws in Computers Leave Millions of PCs Vulnerable

Discussion in 'Hardware Components and Aftermarket Upgrades' started by Dr. AMK, Nov 21, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    The article has a few things wrong, the Apple CVE number is CVE-2018-4251, and the Razer bug discovered in February is an Intel Management Engine Manufacturing Mode bug over a year old. Here's a more accurate article:

    Razer issues fix for well-known Intel ME firmware vulnerability
    Problem was discovered in Blade models in February but has existed in Intel motherboards for at least a year
    By Cal Jeffrey on April 8, 2019, 3:14 PM
    https://www.techspot.com/news/79557-razer-issues-fix-well-known-intel-firmware-vulnerability.html

    "Why it matters: Razer has finally addressed a security vulnerability in its Blade gaming laptops. The flaw was discovered in some Intel-based computers last year. The security risk can allow malware to burrow deep into the system.

    The flaw, listed as CVE-2018-4251, was initially discovered on Apple laptops prior to macOS 10.13.5. The vulnerability involves Intel’s ME Manufacturing Mode, which is part of the motherboard firmware. Apple found and patched the security hole last year.

    However, last month security researcher Bailey Fox publicly reported the flaw persists in Razer computers. After struggling for over a month privately through HackerOne to get the company to acknowledge the problem, Fox took to Twitter to get the company’s attention.

    "After trying for a month to get this dealt with via HackerOne, I'm bringing this public," Fox said. "All current Razer laptops are shipped in Intel Manufacturing Mode, and have full R/W on the SPI flash. This is a direct repeat of CVE-2018-4251. This is still not fixed."

    Hey! Thanks for mentioning us. Our Systems Team would like to check on this. Could you please tell us more about the challenges with your Razer laptop via DM and we'll take it there.
    — RΛZΞR Support (@RazerSupport) March 21, 2019

    The move worked as Razer’s support team quickly responded asking Fox to describe the problem in a private direct message.

    Manufacturing Mode is used by Intel for configuring settings like boot verification. If left open, malware can take control, setting up the system to allow other vulnerabilities like Meltdown to be exploited. Worse yet, malware and configurations can be burned to the firmware allowing it to go undetected by anti-virus software, as well as allowing it to persist after formatting the hard drive or performing a factory reset. There is no end user use for Manufacturing Mode, so it should not even be included in the mobo firmware.

    Last week, Razer acknowledged the problem and has issued a fix.

    “Razer has been alerted to certain Intel Management Engine vulnerabilities in the Intel chipsets of several Razer laptop models,” a spokesperson told The Register. “To address this issue, Razer laptops will ship from the factory with an update to remove these vulnerabilities. For currently shipped products, Razer has provided a software tool to apply this update.”

    The affected devices include several Blade models. If you currently own a Razer laptop, you should check out the company’s step-by-step manual on the issue, which also contains a link to the patch."
     
    Last edited: Apr 9, 2019
    Dr. AMK and Vasudev like this.
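
Added example (not part of the thread or the quoted article): a defensive check for the Manufacturing Mode flag the article describes, run over a raw PCI config-space dump of the Intel ME host interface. The sysfs path, the HFSTS1 offset (0x40) and the bit position (bit 4) are assumptions taken from public descriptions of the ME interface, not from this page; the sample dumps are constructed.

```python
import struct

# Assumptions (not from the thread): Linux sysfs path of the ME host
# interface (PCI 00:16.0), HFSTS1 at config offset 0x40, bit 4 = Manufacturing Mode.
HECI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"
HFSTS1_OFFSET = 0x40
MFG_MODE_BIT = 1 << 4
INTEL_VENDOR_ID = 0x8086


def manufacturing_mode_status(config_space: bytes) -> str:
    """Classify a raw PCI config-space dump of the ME host interface."""
    if len(config_space) < 2:
        return "UNREADABLE"
    (vendor,) = struct.unpack_from("<H", config_space, 0)
    if vendor != INTEL_VENDOR_ID:
        return "NOT_INTEL_ME"
    # Unprivileged sysfs reads stop at 64 bytes, so HFSTS1 is cut off.
    if len(config_space) < HFSTS1_OFFSET + 4:
        return "UNREADABLE"
    (hfsts1,) = struct.unpack_from("<I", config_space, HFSTS1_OFFSET)
    if hfsts1 == 0xFFFFFFFF:  # all ones: register not backed by a device
        return "UNREADABLE"
    return "MANUFACTURING_MODE" if hfsts1 & MFG_MODE_BIT else "NORMAL"


def make_sample(hfsts1: int, length: int = 256) -> bytes:
    """Constructed config space: Intel vendor ID plus the given HFSTS1."""
    buf = bytearray(length)
    struct.pack_into("<H", buf, 0, INTEL_VENDOR_ID)
    if length >= HFSTS1_OFFSET + 4:
        struct.pack_into("<I", buf, HFSTS1_OFFSET, hfsts1)
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in [("bit 4 set", make_sample(0x255)),
                        ("bit 4 clear", make_sample(0x245)),
                        ("non-root read", make_sample(0x255, length=64))]:
        print(label, "->", manufacturing_mode_status(blob))
    try:
        with open(HECI_CONFIG, "rb") as fh:
            print("this machine ->", manufacturing_mode_status(fh.read()))
    except OSError as exc:
        print("this machine -> no readable HECI device:", exc)
```

An "UNREADABLE" result on a live system usually means the script was not run as root or the ME interface is hidden by firmware, so it is not evidence that Manufacturing Mode is off.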
  2. Robbo99999

    Robbo99999 Notebook Prophet

    How do you find out if the manufacturer has stopped releasing updates for the router? It could be that the router never required any BIOS updates, or for example maybe only one BIOS update close to release date or something - in that case how do you know when the manufacturer has stopped supporting that model?
    For that last point, that's an interesting one - flashing custom BIOS. Do you mean DD-WRT? https://www.flashrouters.com/learn/router-basics/what-is-dd-wrt
    I don't have any experience with that, although I have just googled it just now, and it looks like my exact router model is not supported:
    https://dd-wrt.com/support/router-database/
    Thing is those custom BIOS aren't guaranteed or don't have the latest security updates do they?
     
    Dr. AMK and Vasudev like this.
  3. tilleroftheearth

    tilleroftheearth Wisdom listens quietly...

    Routers don't really require any BIOS updates (even though some manufacturers call them that); what should be continually patched is their O/S (firmware) and the Linux packages they include with them and depend on to reliably run.

    Just like a Windows system frozen in time, it will eventually be open to more and more exploits as time goes on if continuous updates are not issued for the firmware on any specific model on a regular basis.

    How up-to-date it is patched with regards to security will depend on which version/fork of DD-WRT (and others) is used. Most are miles ahead of stock firmware from most of the consumer/prosumer lineups. Even otherwise solid systems like robust pfSense setups are able to be caught off guard with certain exploits (from within and from without) an otherwise secure/locked down network. Many such exploits make the news.

    Here is one site that keeps track of CVE's:

    See:
    https://www.cvedetails.com/vendor/16/Cisco.html


    If I see a commercial router without a firmware update within a quarter (and there are known/discovered issues for similar models/OS's/chipsets), I would be immediately shopping for a new router. If I didn't already have one or more in testing, waiting to be deployed.

    I don't take security for granted. I don't expect the manufacturer to hold my hand either. I make it a point to regularly check for such updates and may even implement some of them myself (if possible), while I wait for the official response, from the hardware vendor of my choice. How regularly I check and take my networked computers off-line is proportional to the risk potential of the exploit I want to minimize. And they are off-line a lot.

    (Test, verify, test again, rinse and repeat a few more times, only then, turn on the internet pipe).

    Anything I need to get done online at that point I have a few options (i.e. different locations, w/different network topology, from different vendors + WAN/LAN chipsets) to choose from. And I take advantage of that fully. Cellular/Satellite connects have come in handy at times.

    The best systems for online security are ones which you roll on your own. Code every line, lock down every exception and do it twice and three times over. Yeah, even at the cost of and usually in spite of mere convenience and maximum performance 'scores' for the network being protected. The security here doesn't come from merely exceptional programming/networking skills. It comes from the fact that it is designed, created and used in a way that as a whole, it can't be bought, dissected and/or analyzed. And that makes it exponentially more secure than any well-known system out there, no matter what the cost and purported security such a commercial system may offer.

    I've stated many times in these forums that if I put mine or my client's data on an HDD/SSD, it never leaves my control. Not for warranty, not for refunds, not for any reason. (I'll hand one over, just give me a minute and a hammer and I'll give you some data-dust).

    The processes, systems, and networks are even more protective of that data. ;)


     
    Papusan, Dr. AMK, Vasudev and 2 others like this.
  4. Robbo99999

    Robbo99999 Notebook Prophet

    Thanks very much for that cvedetails link! I checked the list of products on there, and it doesn't list my router, is that because they don't list all routers (I've got TP link) - they do list TP link but not my model - does that mean there are no security vulnerabilities discovered for it yet or they've not listed it for other reasons? TP-Link seem to be quite secure according to that website, and of the few tp-link products I clicked on it was showing as "Remote" being the means of infection - and I'm thinking if you have remote management disabled then you're good to go. I see the value of what you're saying about checking that website for vulnerabilities & then seeing if your router is covered. My last firmware update was late 2016, and that's the initial release of the firmware.

    I spoke through online text chat with TP-Link support just now, to find out if my router is still supported/considered re firmware security updates - they say it is. I did ask them where I could look in the future to see if it's supported or not & they couldn't provide me with an adequate answer - I got the impression they just wanted to end the chat because they didn't know! They gave me conflicting information, first they gave me a link just to the front page of the tp link website, and then when I laughed at that they gave me a link to the tplink forums. It was nigh on possible to find out from those forums if a model is supported or not. TP Link need to provide better & more transparent info about which models of router are phased out & end of life.

    You are far more security conscious than me, but it does seem that you need to be in your line of work - I'm just a home user. What business are you in for your clients, and it's ok if you don't want or can't say?

    (EDIT: found a complete listing of TP link products on that CVEdetails website, my router still not listed).

    EDIT#2: Yeah, pretty much all of the vulnerabilities are accessed through remote management: https://www.cvedetails.com/vulnerab...&sha=35781d9525571cd66feb101a1896e97c0bad1d33
     
    Last edited: Apr 10, 2019
    Dr. AMK and Vasudev like this.
  5. Vasudev

    Vasudev Notebook Nobel Laureate

    Intel MEI?
     
    Dr. AMK likes this.
  6. Vasudev

    Vasudev Notebook Nobel Laureate

    I bought a cheap Netgear dual band router and it had already been out for 2 years. Once I heard it was affected by KRACK, I emailed Netgear asking if there was a fix and the rep said they were working on it and all models will receive the patches. In fact they updated the firmware with KRACK fixes and solved performance issues. Rep from Netgear said there's 5 yr of security FW updates regardless of any models even on EOL list. I even have a 2 yr warranty active on the router though 90 day phone/email premium support has ended.
     
    hmscott, Dr. AMK and Robbo99999 like this.
  7. Robbo99999

    Robbo99999 Notebook Prophet

    That's good. Yes, for my next router purchase I'll research to find one that has good support as well as compatibility with open source firmwares like DD-WRT, which extends the life/functionality too.
     
    Dr. AMK and Vasudev like this.
  8. tilleroftheearth

    tilleroftheearth Wisdom listens quietly...

    You're welcome. The link I provided doesn't necessarily list all models. ;)

    I don't deal with TP-Link, their products are not on my radar. Of the consumer routers currently available, Asus has certain models that stand out. They (Asus) have come amazingly far in such a short time in this relatively new, to them, field.

    If I had a router that was last updated in 2016, I would be buying all new devices that have ever touched my network (or at the very least securely doing a fresh/clean O/S install on each one). It does seem that TP-Link is following in Netgear's footsteps by abandoning their devices when an upgraded/new model comes along too. That response from 'support' is another reason for me to drop that router, if not the whole company for my routing needs. :p :rolleyes:

    And me? I'm just a photographer. :D

    Well, maybe a bit more than just that. ;)


    See:
    https://arstechnica.com/information...lnerable-to-hacks-that-steal-wi-fi-passwords/


    The link above shows why security isn't something that is one and done. Now, the hackers are already able to break future tech.

    This is why you don't believe marketing, buzzwords and other, over-the-top hype. Because that is all it is until proven otherwise. Most of the time, the proof never comes (at least, nowhere close to the date of introduction of the product/service/process/etc.).

    It is also why you don't leave a working setup for a 'better' one either. Not without testing in parallel and long term, in your actual, not 'estimated', or 'close enough', usage. And that's when you're considering another option that has been available for 'forever', already. With all its known quirks and issues.

    With a newborn tech? Step lightly, you're most likely to sink. Fast, and out of control too.

    I'll repeat that warranty and lipservice 'support' and other such nonsense doesn't mean squat.

    And once more I'll repeat the best security possible is don't be online (or have your data/devices/etc.) online if you don't have to. Yeah, and there is very little you can't do without having your data online with you too. ;)



     
    Papusan and Robbo99999 like this.
  9. Robbo99999

    Robbo99999 Notebook Prophet

    Yeah, I probably won't buy another TP-Link router. I'd want one which is compatible with that open source firmware we were talking about - to extend the life. I'd probably also buy one from a company that is clear on how long they support their models for - in terms of updates.

    You're way more security conscious than me, I'm gonna keep my router for the time being for example, I do use strong passwords though, switch off remote management & Plug & Play.
     
    Papusan and tilleroftheearth like this.
  10. Dr. AMK

    Dr. AMK Living with Hope

    Major flaw discovered using Internet Explorer to snoop or steal files


    How to remove Internet Explorer 11 from Windows 7 and Windows 10 PCs
     
    hmscott likes this.
