What is ECMA on Ethernet controller advanced settings?


Solution 1

It's almost certainly ECMA-393 "proxZzzy" sleep proxy service in the NIC. It allows the host to sleep while the NIC stays awake, and the NIC can do things like respond to ARPs and other simple jobs to keep the host "visible" on the network even while it sleeps. If some important traffic comes in for the host, the sleep proxy service in the NIC can wake the host so the real OS can do the right thing to handle the traffic.
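As an added example (not part of the answer above, and not Intel's or ECMA's code), here is a small Python model of the two jobs the answer describes: the proxy answering ARP for the sleeping host's IP on its own, and recognising the traffic that should wake the host. The host MAC and IP, the "wake on SYN to these ports" policy and the frames fed in are all constructed values, and the TCP/IP checksums are left at zero because nothing is sent on a wire.

```python
"""Toy ECMA-393-style sleep proxy (added example, not from the page or the
standard): answer ARP for a sleeping host on its behalf and decide which
inbound frames should wake it. Addresses and the wake-port policy are assumed."""
import struct

HOST_MAC = bytes.fromhex("001122334455")      # assumed MAC of the sleeping host
HOST_IP = bytes([192, 168, 1, 10])            # assumed IPv4 of the sleeping host
BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
WAKE_TCP_PORTS = {22, 3389}                   # assumed policy: inbound SYN to these ports wakes the host


def build_frame(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload


def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def build_arp(op, smac, sip, tmac, tip):
    # Ethernet/IPv4 ARP: op 1 = request, op 2 = reply.
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, smac, sip, tmac, tip)


def parse_arp(payload):
    fields = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return dict(zip(("htype", "ptype", "hlen", "plen", "op", "smac", "sip", "tmac", "tip"), fields))


def build_tcp_syn(src_ip, dst_ip, sport, dport):
    # Minimal IPv4 header + TCP SYN; checksums left zero (never put on a wire here).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp


def is_magic_packet(data):
    # Wake-on-LAN magic packet: 6 x 0xFF followed by the host MAC repeated 16 times,
    # anywhere in the payload (usually inside UDP, but the proxy only pattern-matches).
    return data.find(b"\xff" * 6 + HOST_MAC * 16) != -1


def handle_frame(frame):
    """Proxy decision for one inbound frame: ('reply', frame) when the proxy answers
    on the host's behalf, ('wake', None) when the host must be woken, ('drop', None) otherwise."""
    dst, src, etype, payload = parse_frame(frame)
    if etype == ETHERTYPE_ARP and len(payload) >= 28:
        arp = parse_arp(payload)
        if arp["op"] == 1 and arp["tip"] == HOST_IP:
            reply = build_arp(2, HOST_MAC, HOST_IP, arp["smac"], arp["sip"])
            return "reply", build_frame(src, HOST_MAC, ETHERTYPE_ARP, reply)
        return "drop", None
    if dst not in (HOST_MAC, BROADCAST):
        return "drop", None                   # not addressed to the host; keep sleeping
    if is_magic_packet(payload):
        return "wake", None                   # wake packets are a mandatory proxy capability
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20 and payload[9] == 6:
        ihl = (payload[0] & 0x0F) * 4
        if len(payload) >= ihl + 14:
            tcp = payload[ihl:]
            dport = struct.unpack("!H", tcp[2:4])[0]
            flags = tcp[13]
            if flags & 0x02 and not flags & 0x10 and dport in WAKE_TCP_PORTS:
                return "wake", None           # new connection to a service worth waking for
    return "drop", None


if __name__ == "__main__":
    peer_mac, peer_ip = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 20])
    req = build_frame(BROADCAST, peer_mac, ETHERTYPE_ARP, build_arp(1, peer_mac, peer_ip, b"\0" * 6, HOST_IP))
    print(handle_frame(req)[0])      # reply: the proxy answers the ARP itself
    syn = build_frame(HOST_MAC, peer_mac, ETHERTYPE_IPV4, build_tcp_syn(peer_ip, HOST_IP, 40000, 3389))
    print(handle_frame(syn)[0])      # wake: an RDP SYN is worth waking the host for
```

The point of the split is the security-relevant one: everything the proxy answers itself (ARP here) is unauthenticated, and everything it classifies as "wake" is a path for an unauthenticated sender to pull the host out of sleep, which is exactly the denial-of-sleep scenario the standard's own security considerations list.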

Solution 2

Read https://www.ecma-international.org/publications/files/ECMA-ST/ECMA-393.pdf

ProxZZZy was developed by Intel (source). Look at the data sheets to find out what protocols your LAN/Wi-Fi card uses, or you can find out whether it is available and enabled on your adapter in Windows and disable it under your adapter's advanced settings ("ECMA"). Make sure you do this in Linux as well. Disabling ProxZZZy and "Wake on LAN" will prevent "denial of sleep attacks" and possibly mitigate other potential unforeseen vulnerabilities.

Intel's ProxZZZy also allows for remote access protocols, described in the above document as "wake up" protocols; while ECMA admits Intel's ProxZZZy can be hijacked, they do not provide all the data and security risks that are present. It remains to be determined whether disabling Intel's ProxZZZy at the software level effectively mitigates hardware-level exploitation. And on an already compromised host, software mitigations would be futile, as attackers could simply re-enable the hardware-level attack vector.

There are other standards, such as Microsoft Wake on LAN, Magic Packet, and others which provide similar functionality. On every Intel chipset designed since 2006, Intel Management ensures the onboard network card remains irreversibly enabled and active while the computer is turned off and allows total remote control and exploitation of users' PCs, critical infrastructure and all the rest (source 1, source 2). As of the time of this post, users of Intel chipsets are forced to buy new products or wait for Intel to release updated firmware. The cat-and-mouse game goes on ad infinitum until it is totally disabled. Intel's ProxZZZy looks to be as dangerous as Intel ME.


From the document:

4.2 proxy, network proxy:

An entity that maintains network presence for a sleeping higher-power host (The proxy is the man in the middle; you are the host)

If your network card supports Intel's ECMA-393 proxZZZy™ for sleeping hosts, the following can occur:

A.2 Security Considerations; according to its designers:

This Standard does not specifically address Security concerns arising out of the proposed proxy protocol design. However, a number of potential threat scenarios have been identified and potential mitigation is suggested below.

• Denial of Sleep Attack – It is possible that an adversary may send periodic unauthenticated end-to-end packets to the proxy, denying the system from entering or staying in the Sleep state. This can be partially mitigated by using defense mechanisms (Firewalls, Intrusion Detection and Prevention systems), either externally and/or as part of the system.

• Compromised Proxy – It is possible that an adversary may assume control of the proxy and use the Proxy to launch attacks on the system, on the network, or on other Internet connected machines. This can be partially mitigated by using System measurement techniques for ensuring the integrity and robustness of the software/firmware/hardware that executes within the proxy.

• Subversion Attacks – It is possible that an adversary may take control of the proxy and use it to generate IP packets with Option headers that circumvent external defense mechanisms. This can be partially prevented by disallowing the proxy to generate IP packets with Options in its header.

(editor: Packet generators can be used to launch a ProxZZZy attack on any supported host, hijacking the proxy, then the proxy (which includes an embedded packet sniffer) can be turned into a rogue packet generator)

• IPsec - IPsec can be deployed in one of two modes – tunnel and transport modes. Tunnel mode is used for IPsec-encapsulation of VPN traffic where a remote client accesses one or more nodes in a trusted network via a VPN gateway. Traffic to the nodes in the trusted network is typically in-the-clear.

IPsec Transport mode is used to protect individual connections between IP endpoints within a network. In this case, each peer-to-peer connection between nodes could be protected by an IPsec Security Association (SA). The decision to protect or not is by IPsec policy, and the recommended enterprise IPsec policy is to require inbound IPsec but not require outbound IPsec. The receiver challenges the initiator to establish IPsec if needed. The visible side-effect is initial TCP connections (TCP SYN) are sent in the clear. Furthermore, under these policies, the IPsec negotiation happens in parallel with the connection request. Traffic after the initial TCP SYN, including additional retries of the TCP SYN, will likely be within IPsec, as will further traffic.

Although not the common policy, the initiator policy may also require outbound IPsec. If this is the case, the connection setup will be preceded by a probe packet to the IKE or AuthIP UDP port.

In the IPsec use case with a proxy, the initial IPv6 TCP SYN packet from the initiator used to wake the host may be encrypted by IPsec (if an existing SA matching policy has been previously negotiated between the peers). However, the expected common-case is for the initial IPV6 TCP SYN packet to be sent in the clear (by the recommended enterprise IPsec policies mentioned above). To simplify these two cases, the host should explicitly delete or invalidate existing IPsec SAs prior to going to sleep and transition to proxy mode.

If IPsec is configured to either use “shared secret” or require outbound IPsec, then the initial IPv6 TCP SYN will first be IPsec authenticated and encrypted. In either of these sequences, the wake can be from the IKE negotiation initiation. The proxy should be enabled to wake on an IKEv1/AuthIP pattern to handle this configuration.


The potential remote access dangers of proxzzzy

Intel's ProxZZZy gives the host Ethernet / Wi-Fi adapter the ability to accept remote "session initiation protocols".


What is a Session Initiation Protocol?

Session Initiation Protocol

Also called a SIP server or SIP proxy server, in telecommunications it is one of the main components of an IP PBX that is used by SIP to perform many of the call set-up functions. As described in RFC 3261 - SIP: Session Initiation Protocol, SIP makes use of elements, called proxy servers (SIP proxy), "to route requests to the user's current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users".

Within the SIP network the SIP proxy actually manages the setup of calls between SIP devices including the controlling of call routing and it also performs necessary functions such as registration, authorization, network access control and in some cases it also handles network security.

IP PBX Short for Internet Protocol Private Branch eXchange, a telephone switch that supports VoIP. An IP PBX provides services similar to PBX services, but over data networks like a LAN or WAN rather than circuit-switched networks. IP PBX typically can switch calls between VoIP on local lines or between VoIP and traditional telephone users in the same way PBX does. IP PBX may also be seen abbreviated as IPPBX or IP/PBX.


Source: https://www.ecma-international.org/publications/files/ECMA-ST/ECMA-393.pdf

5.7 Remote Access using SIP and IPv4

In this Standard, SIP (RFC 3261) is used by a remote entity to wake a host. SIP proxies along the path can facilitate the traversal of NATs and firewalls. The reason for waking the host (i.e., the particular host application that needs to be used) is outside the scope of this Standard. SIP methods and responses used in the remote wake functionality are REGISTER, INVITE, ACK, and SIP Status Codes.

The following diagram (see above document) shows a sample SIP implementation that may be used by the proxy to wake the host. Only the messages into and out of the Device Network Proxy are included in this specification. All other messages and entities are a possible implementation and not covered by this specification.

5.8 Remote Access using Teredo for IPv6

Teredo (RFC 4380) is an IPv6 transition technology that allows peer to peer connectivity between peers behind a NAT. The Teredo protocol encapsulates IPv6 packets inside UDP IPv4 packets. One of the tunnels a Teredo client maintains is with the Teredo server in the cloud. The proxy maintains this tunnel by sending Router Solicitation (RS) messages at regular intervals. The proxy ignores any responses from the server to the RS packet.

And what is the unobstructed out-of-band communication they are referring to in their document? Surely there are many OOB applications and functions. Intel ME / AMT's remote access protocols function OOB. Using an aftermarket network card will bypass Intel ME OOB.

Out-of-band management

In computer networks, out-of-band management involves the use of a dedicated channel for managing network devices. This allows the network operator to establish trust boundaries in accessing the management function to apply it to network resources. It also can be used to ensure management connectivity independent of the status of other in-band network components.

About Blocking Clients and Out of Band Management, Blocking AMT-Based Computers in Configuration Manager https://technet.microsoft.com/en-us/library/ee344337.aspx


Intel's ProxZZZy mandatory vs optional components:

IPv4 ARP: Mandatory
IPv6 Neighbor Discovery: Mandatory
DNS: Option
DHCP: Option
IGMP: Option
MLD: Option
Remote Access using SIP and IPv4: Option
Remote Access using Teredo for IPv6: Option
SNMP: Option
Service Discovery using mDNS: Option
Name Resolution with LLMNR: Option
Wake Packets: Mandatory
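The "Denial of Sleep Attack" entry in the standard's security considerations quoted above says the only mitigation is an external firewall or IDS. As an added example (not part of the answer above, and not code from ECMA or Intel), here is what that detection looks like in Python: replay the host's wake-event log, count wakes per source in a sliding window, flag any source that keeps waking the host faster than policy allows, and estimate how much sleep was lost. The log format, the thresholds and the hold time after a wake are assumed, and the sample lines are constructed.

```python
"""Denial-of-sleep detector (added example, not from the page or the standard):
replays a host's wake-event log and flags sources that wake it too often.
Log format, thresholds and the post-wake hold time are assumed values."""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # assumed: judge each source on its last 10 minutes of wakes
MAX_WAKES_PER_WINDOW = 3    # assumed: more than 3 wakes per window from one source is abuse
HOLD_SECONDS = 120          # assumed: each wake keeps the host up this long before it can sleep again

# Constructed log lines: epoch seconds, source address, the proxy's wake reason.
SAMPLE_LOG = """\
1700000000 wake src=192.168.1.20 reason=tcp-syn:3389
1700000030 wake src=10.0.0.7 reason=magic-packet
1700000060 wake src=10.0.0.7 reason=magic-packet
1700000090 wake src=10.0.0.7 reason=magic-packet
1700000120 wake src=10.0.0.7 reason=magic-packet
1700000150 wake src=10.0.0.7 reason=magic-packet
1700003700 wake src=192.168.1.20 reason=tcp-syn:22
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) wake src=(?P<src>\S+) reason=(?P<reason>\S+)$")


def parse_log(text):
    """Return [(timestamp, source, reason), ...]; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"], m["reason"]))
    return events


def find_denial_of_sleep(events, window=WINDOW_SECONDS, max_wakes=MAX_WAKES_PER_WINDOW):
    """Sliding-window wake count per source.
    Returns {source: timestamp of the wake at which it first exceeded max_wakes}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _reason in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:      # drop wakes that fell out of the window
            q.popleft()
        if len(q) > max_wakes and src not in flagged:
            flagged[src] = ts
    return flagged


def awake_seconds(events, hold=HOLD_SECONDS):
    """Seconds the host spends awake if every wake keeps it up for `hold` seconds;
    overlapping hold periods are merged so back-to-back wakes are not double counted."""
    total, cur_end = 0, None
    for ts, _src, _reason in sorted(events):
        if cur_end is None or ts > cur_end:
            total += hold
        else:
            total += ts + hold - cur_end
        cur_end = ts + hold
    return total


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, ts in find_denial_of_sleep(events).items():
        print(f"denial-of-sleep suspect {src}: exceeded policy at t={ts}")
    without = [e for e in events if e[1] not in find_denial_of_sleep(events)]
    print(f"awake {awake_seconds(events)}s with the suspect, {awake_seconds(without)}s without")
```

Feeding the flagged sources into the perimeter firewall as drop rules is the "external defense mechanism" the standard has in mind; the detector only works if the proxy or the OS actually records why the host was woken, which is something to check before relying on this.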


Author: Seiya Souji

Updated on September 18, 2022

Comments

  • Seiya Souji (over 1 year ago)

    By googling, the only answer I found is that it is related to the European Computer Manufacturers Association (ECMA).

    What does this option do? It can be enabled or disabled.

  • Seiya Souji (about 7 years ago)
    So basically, just enabling this option has nothing to do with data loss / checksum errors when uploading / downloading from the internet?
  • David H (about 7 years ago)
    @SeiyaSouji Correct.