For the past nine years, millions of Intel desktop and server chips have harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with spyware.
Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.”
That means hackers exploiting the flaw can log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network, because AMT has direct access to the network hardware, and also with local access.
These management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. Crucially, the vulnerability lies at the very heart of a machine’s silicon, out of sight of the running operating system, applications and any antivirus.
It can only be fully fixed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.
Intel’s vulnerable AMT service is part of the vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn’t provisioned, a logged-in user can still potentially exploit it.
Intel reckons this vulnerability basically affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary consumers, which typically don’t. You can follow this document to check if your system has AMT switched on.
Basically, if you’re using a machine with vPro features enabled, you are at risk.
According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you’ll have to pester your machine’s manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks, and should be installed ASAP.
“In March, 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT),” an Intel spokesperson told The Register in the past few minutes.
“Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible.”
Specifically, according to Intel:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
The fixed firmware versions to look out for are, depending on the processor family affected:
- First-gen Core family: 18.104.22.16835
- Second-gen Core family: 22.214.171.12472
- Third-gen Core family: 126.96.36.19908
- Fourth-gen Core family: 188.8.131.5224 and 184.108.40.20612
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 220.127.116.1101
- Seventh-gen Core family: 18.104.22.16864
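As an added example (not from the article or from Intel), this is one way to triage an inventory against the affected range and fixed builds described above. The hostnames, inventory versions and status labels are constructed. The fixed-build table carries only the fifth-gen entry from the list as a sample and assumes a fix is matched by major.minor branch; the other branches are left for you to fill in from your manufacturer's advisory.

```python
import re

AFFECTED_RANGE = ((6, 0), (11, 6))  # article: firmware versions 6 to 11.6
# Fixed builds by (major, minor) branch. Only the fifth-gen value is taken
# from the article; add the others from your OEM's advisory (assumption:
# a fix is matched to a machine by its major.minor branch).
FIXED_BUILDS = {(10, 0): (10, 0, 55, 3000)}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints for 'major.minor.hotfix.build', else None."""
    m = _VERSION.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text, provisioned, fixed_builds=FIXED_BUILDS):
    """Classify one machine as (status, exposure) for CVE-2017-5689."""
    version = parse_version(version_text)
    if version is None:
        return ("unparseable", "unknown")
    branch = version[:2]
    low, high = AFFECTED_RANGE
    if not (low <= branch <= high):
        return ("outside-affected-range", "none")
    fixed = fixed_builds.get(branch)
    if fixed is not None and version >= fixed:
        return ("patched", "none")
    # Provisioned AMT is reachable by a network attacker; unprovisioned
    # firmware is still exposed to a local user (per the article).
    exposure = "network" if provisioned else "local"
    status = "vulnerable" if fixed is not None else "affected-fix-unknown"
    return (status, exposure)

# Constructed inventory: (host, ME firmware version, AMT provisioned?)
INVENTORY = [
    ("ws-01", "10.0.30.1054", True),
    ("ws-02", "10.0.55.3000", True),
    ("srv-03", "9.1.20.1035", False),
    ("lap-04", "5.2.0.1008", False),
    ("ws-05", "n/a", True),
]

def report(inventory=INVENTORY):
    """Map each host to its (status, exposure) pair."""
    return {host: triage(ver, prov) for host, ver, prov in inventory}

if __name__ == "__main__":
    for host, result in report().items():
        print(host, *result)
```

Machines reported as `affected-fix-unknown` fall inside the affected range but have no fixed build in the table yet, so they should be treated as unpatched until the manufacturer's build number is added.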
“The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole,” explained chip journo Charlie Demerjian.
“Even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network.”
Demerjian also pointed out that it’s now up to computer makers to distribute the digitally signed patches to people and IT admins to install. That means if your supplier is a big name like Dell, HP or Lenovo, you’ll hopefully get an update shortly. If it’s a white box, no-name hardware slinger, you’re likely screwed: things like security and cryptography and firmware distribution are too much work in this low-margin business.
What is AMT?
AMT is an out-of-band management tool: it lays bare complete control over a system to the network, allowing IT bods and other sysadmins to reboot, repair and tweak servers and workstations remotely. God help you if this service is exposed to the public internet.
It is supposed to require an admin to authenticate themselves before granting access, but the above bug allows an unauthenticated person to freely waltz up to the hardware’s control panel. Even if you’ve firewalled off your systems’ AMT access from the outer world, someone or malware within your network – say on a reception desk PC – can potentially exploit this latest vulnerability to drill deep into workstations and servers, and further compromise your business.
AMT is part of Intel’s Management Engine (ME), a technology that has been embedded in its chipsets in one way or another for over a decade, since around when the Core 2 landed in 2006. This software runs at what’s called ring -2, below the operating system kernel, and below any hypervisor on the box. It is basically a second computer within your computer, and it has full access to the network, peripherals, memory, storage and processors. Amusingly, it’s powered by an ARC CPU core, which has a 16- and 32-bit hybrid architecture and is a close relative to the Super FX chip used in Super Nintendo games such as Star Fox. Yes, the custom chip doing the 3D math in Star Fox is an ancestor to the ARC processor secretly and silently controlling your Intel x86 tin.
Details of Intel’s ME have been trickling out into the open over the past few years: Igor Skochinsky gave a great talk in 2014 about it, for instance. The ARC core runs a ThreadX RTOS from SPI flash. It has direct access to the Ethernet controller. These days it is built into the Platform Controller Hub, an Intel microchip that contains various hardware controllers and is connected to the main processors on the motherboard.
AMT is a black box that Intel doesn’t like to talk about too much – although it is partially documented on intel.com – and it freaks out privacy- and security-conscious people: no one quite knows what it is really doing, or whether it can be truly disabled, as it runs so close to the bare metal in computers.
On some chip families, you can switch off ME with extreme prejudice by strategically wiping parts of the system flash.
For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel’s AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.
Finding such a bug is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password ‘hackme’, in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers. ®
Source: Packet Storm – News @ May 1, 2017 at 07:03PM