Intel patches remote hijack bug that hid in chips for seven years
Intel has patched a privilege escalation bug in its chips’ remote management feature that could be exploited by an attacker to breach networks.
On 1 May, Intel’s security center confirmed that the “critical” escalation of privilege vulnerability affects its Intel Standard Manageability (ISM), Intel Small Business Technology, and Active Management Technology (AMT) firmware. The flaw resides in those products’ firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6. It does not exist on consumer-based PCs.
For perspective, AMT is a type of technology that allows IT departments to manage client systems. It works by redirecting all packets sent to the machine’s wired network port on port 16992 or 16993 to the ME and then the AMT. This tech, in turn, provides a web UI for rebooting the machine and carrying out other remote functions.
AMT requires a password. But by exploiting this vulnerability, an unauthenticated network attacker could gain system privileges to the AMT or ISM technology. From there, they could abuse their privileges to reboot the system and examine drive contents.
That’s not even the worst part. Linux kernel expert Matthew Garrett elaborates:
“AMT supports providing an ISO remotely. In older versions of AMT (before 11.0) this was in the form of an emulated IDE controller. In 11.0 and later, this takes the form of an emulated USB device. The nice thing about the latter is that any image provided that way will probably be automounted if there’s a logged in user, which probably means it’s possible to use a malformed filesystem to get arbitrary code execution in the kernel. Fun!”
Separately, an unauthenticated local attacker could provision manageability features and gain network or local system privileges to AMT, ISM, and SBT.
The remote management features that contain the critical flaw have shipped with Intel processors since 2010.
As The Register points out, because the vulnerability lies in a device’s chips, it lurks out of sight of the operating system and is invisible to anti-virus products.
To help protect its customers, Intel recommends that sysadmins first determine whether they’re running AMT, ISM, and SBT on their machines. If they aren’t, they don’t need to do anything else. They’re safe. If they are potentially at risk, however, they should utilize this Detection Guide to determine if they’re affected by the vulnerability.
Assuming a machine is vulnerable, sysadmins should look out for the following firmware versions that plug the hole:
- First-gen Core family: 184.108.40.20635
- Second-gen Core family: 220.127.116.1172
- Third-gen Core family: 18.104.22.16808
- Fourth-gen Core family: 22.214.171.12424 and 126.96.36.19912
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 188.8.131.5201
- Seventh-gen Core family: 184.108.40.20664
The availability of those updates, however, has everything to do with when a machine’s manufacturer releases the firmware versions. Sysadmins without access to those fixes should go and bug their manufacturers for an estimate of release. In the meantime, they can implement these mitigations.
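The triage described above, as an added example that is not from Intel's Detection Guide or the article: it classifies a machine's firmware version against the affected families listed here and checks whether ports 16992/16993 answer on a host you administer. The function names and the sample version are constructed; only the fifth-gen fixed build from the list is used, and treating any build at or above it on the same branch as patched is an assumption.

```python
import socket

AMT_PORTS = (16992, 16993)             # ports the article says are redirected to the ME/AMT
AFFECTED_MAJORS = {6, 7, 8, 9, 10}     # 6.x through 10.x, per the article
AFFECTED_11_MINORS = {0, 5, 6}         # 11.0, 11.5 and 11.6, per the article
FIXED_BUILDS = {(10, 0): (10, 0, 55, 3000)}  # fifth-gen Core build from the article's list

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def firmware_status(text):
    """Classify a version as 'not-listed', 'fixed' or 'needs-update-check'."""
    v = parse_version(text)
    listed = v[0] in AFFECTED_MAJORS or (v[0] == 11 and v[1] in AFFECTED_11_MINORS)
    if not listed:
        return "not-listed"
    fixed = FIXED_BUILDS.get(v[:2])
    # Assumption: a build at or above the listed fixed build on the same branch is patched.
    if fixed is not None and v >= fixed:
        return "fixed"
    return "needs-update-check"

def open_amt_ports(host, ports=AMT_PORTS, timeout=1.0):
    """Return the AMT ports on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed, filtered or unreachable
    return found

def triage(host, version, probe=open_amt_ports):
    """Combine firmware status and reachability into a patch priority."""
    status, listening = firmware_status(version), probe(host)
    if status == "needs-update-check":
        # A closed port is not a clean bill of health: the local vector remains.
        priority = "urgent" if listening else "scheduled"
    else:
        priority = "none"
    return {"host": host, "firmware": status, "amt_ports": listening, "priority": priority}

if __name__ == "__main__":
    # Constructed sample: the local machine with a made-up firmware string.
    print(triage("127.0.0.1", "9.1.2.1000"))
```

Fixed builds for the other processor generations need to be added to `FIXED_BUILDS` from Intel's advisory before the "fixed" verdict is meaningful for them.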