A critical remote code execution (RCE) vulnerability has been discovered in the remote management features on computers shipped with Intel processors for nearly a decade, which could allow attackers to take control of the computers remotely.
The RCE flaw (CVE-2017-5689) resides in the Intel’s Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.
These features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise.
Since these functions are present only in enterprise solutions, and mostly in server chipsets, the vulnerability doesn’t affect chips running on Intel-based consumer PCs.
According to the Intel advisory, this critical security vulnerability was discovered and reported in March by security researcher Maksim Malyutin of Embedi, and could be exploited in two ways:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
How Bad is this Vulnerability
In short, a potential attacker can log into a vulnerable machine’s hardware and silently perform malicious activities, like tampering with the machine, installing virtually undetectable malware, using AMT’s features.
The PC’s operating system never knows what’s going around because AMT has direct access to the computer’s network hardware. When AMT is enabled, any packet sent to the PC’s wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.
These insecure management features have been made available in various, but not all, Intel chipsets for nearly a decade, starting from Nehalem Core i7 in 2008 to this year’s Kaby Lake Core, with a higher degree of a flaw for users on Intel vPro systems.
Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk.
Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.
Affected Firmware Versions & How to Patch
The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.
Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect if any workstation runs AMT, ISM, or SBT, a detection guide to check if your system is vulnerable, and a mitigation guide for those organizations that can not immediately install updates.
The chipmaker is recommending vulnerable customers install a firmware patch as soon as possible.
“Fixing this requires a system firmware update in order to provide new ME [management engine] firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix,” CoreOS security engineer Matthew Garrett explained in a blog post. “Anyone who ever enables AMT on one of these devices will be vulnerable.”
“That’s ignoring the fact that firmware updates are rarely flagged as security critical (they don’t generally come via Windows Update), so even when updates are made available, users probably won’t know about them or install them.”
You can head on to Intel advisory for further details.