Updated: Since the below-reported vulnerability is highly critical and it would take a few weeks for sysadmins to protect their enterprise network, the research team has not yet disclosed the technical details of the vulnerability.
Meanwhile, I have talked with Maksim Malyutin, a member of Embedi research team who discovered the vulnerability in March, and updated my article based on the information provided by him.
A critical vulnerability has been discovered in the remote management features on computers shipped with Intel processors for past seven years (and not decade), which could allow attackers to take control of the computers remotely, affecting all Intel systems, including PC, laptops, and servers, with AMT feature enabled.
As reported earlier, this critical flaw (CVE-2017-5689) is not a remote code execution, rather Malyutin confirmed to The Hacker News that it’s a logical vulnerability that also gives remote attackers an opportunity to exploit this bug using additional tactics.
This elevation of privilege bug resides in the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.
These remote management features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise.
Since these functions are present only in enterprise solutions, and mostly in server chipsets, Intel claims that the vulnerability doesn’t affect chips running on Intel-based consumer PCs.
But Malyutin told us that “Intel-based consumer PCs with official support of Intel vPro (and have Intel AMT feature enabled) could also be at risk,” and “there is also a chance of attacks performed on Intel systems without official Intel AMT support.”
According to the Intel advisory, the vulnerability could be exploited in two ways:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
How Bad is this Vulnerability
In short, a potential attacker can log into a vulnerable machine’s hardware and silently perform malicious activities, like tampering with the machine, installing virtually undetectable malware, using AMT’s features.
The PC’s operating system never knows what’s going around because AMT has direct access to the computer’s network hardware. When AMT is enabled, any packet sent to the PC’s wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.
These insecure management features have been made available in various, but not all, Intel chipsets from almost past seven years, starting from vPro-capable 5-series chipsets.
“Systems affected by this vulnerability are from 2010-2011 (not 2008, as was mentioned in some of the comments) because Intel manageability firmware version 6.0 and above was made not earlier than 2010,” Embedi’s brief post says.
“There is also a chance of attacks performed on Intel systems without Intel AMT support.”
Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk.
Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.
Affected Firmware Versions & How to Patch
The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.
Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect if any workstation runs AMT, ISM, or SBT, a detection guide to check if your system is vulnerable, and a mitigation guide for those organizations that can not immediately install updates.
The chipmaker is recommending vulnerable customers install a firmware patch as soon as possible.
“Fixing this requires a system firmware update in order to provide new ME [management engine] firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix,” CoreOS security engineer Matthew Garrett explained in a blog post. “Anyone who ever enables AMT on one of these devices will be vulnerable.”
“That’s ignoring the fact that firmware updates are rarely flagged as security critical (they don’t generally come via Windows Update), so even when updates are made available, users probably won’t know about them or install them.”
Malyutin told The Hacker News that they would release more technical details about this flaw in upcoming days, including different attack vectors for successful exploitation. We will update this article accordingly. Stay Tuned!