Intel recently announced an escalation of privilege vulnerability in the Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology firmware, versions 6 through 11.6.
Speaking about the vulnerability Cris Thomas (AKA SpaceRogue), Strategist for Tenable Network Security said, “This vulnerability has the potential of being a proverbial big one. The vulnerability has been part of the Intel chipsets for years, specifically the Management Engine (ME). The ME runs things like DRM (Digital Rights Management) and does TPM (Trusted Platform Modules) checks as well as AMT. AMT enables systems administrators to re-image bare metal machines over a remote connection. To accomplish that, the AMT requires many privileges, from network access to writing to memory and disk. The AMT is hardware and operates separately from any operating system installed on a system. Obviously, with this much power there is some protection: in this case, access to AMT is protected by a password. The vulnerability in AMT is that the password can be bypassed.”
Explaining more about AMT, Cris adds: “The vulnerability is not in all Intel chipsets, but it does heavily impact servers (not consumer PCs). If you have explicitly enabled AMT at any point, you are at risk.”
There have been very few technical details published on the vulnerability itself, other than it allows unauthenticated access to AMT. Currently, it is not known whether this vulnerability impacts all AMT installations or just those in Small Business Mode or Enterprise Mode. If it is Enterprise Mode only, then the impact to regular end users will be minimal. Enterprise Mode can be challenging to set up, and few if any home or even small business users would bother. However, if this vulnerability impacts all installations of AMT or even Small Business Mode, things will be much much worse.
AMT listens to TCP ports 16992 and 16993 to accept incoming network connections. There are already reports of people (from researchers to attackers) mass scanning the entire Internet looking for systems with these ports open.
Offering advice to manually check for supported CPU, chipset, network hardware and AMT Cris advises, “Check your BIOS [for most systems, this can be done by using CTRL-P during boot.] If you see AMT listed there, you should disable it.” To determine if have an Intel AMT, Intel SBA, or Intel ISM capable system users should review this document [https://communities.intel.com/docs/DOC-5693].
Cris continues, “AMT has been around for about the last seven years and most machines made with AMT since then could be at risk. Once you have identified the servers that are impacted by the Intel vulnerability, you should check with your vendor(s) for a patch release – firmware updates are not automatic and are specific to each manufacturer. Older systems obviously stopped receiving firmware updates years ago and most likely won’t receive a patch for this vulnerability.”
If a vendor patch has not been issued, Intel has recommended the following mitigation steps: https://downloadcenter.intel.com/download/26754
Tenable has developed plugins for its Nessus, Passive Vulnerability Scanner(PVS) and SecurityCenter (SC) dashboards to help its customers detect this flaw and start assessing risk.
Cris concludes, “We recommend you follow these steps immediately to secure your infrastructure; otherwise, this vulnerability could result in a remotely controlled exploit and serious consequences.”