Intel patches remote hijack bug that hid in chips for seven years

But that doesn’t mean a fix for affected devices will come soon…

David bisson
David Bisson
@
@DMBisson

Intel patches remote hijack bug that hid in chips for seven years

Intel has patched a privileged escalation bug in its chips’ remote management feature that could be exploited by an attacker to breach networks.

On 1 May, Intel’s security center confirmed that the “critical” escalation of privilege vulnerability affects its Intel Standard Manageability (ISM), Intel Small Business Technology, and Active Management Technology (AMT) firmware. The flaw resides in those products’ firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6. It does not exist on consumer-based PCs.

Just as a little perspective, AMT is a type of technology that allows IT departments to manage client systems. It works by redirecting all packets sent to the machine’s wired network port on port 16992 or 16993 to the ME and then the AMT. This tech, in turn provides a web UI for rebooting the machine and carrying out other remote functions.

Sign up to our free newsletter.
Security news, advice, and tips.

AMT requires a password. But by exploiting this vulnerability, an unauthenticated network attacker could gain system privileges to the AMT or ISM technology. From there, they could abuse their privileges to reboot the system and examine drive contents.

That’s not even the worst part. Linux kernel expert Matthew Garrett elaborates:

“AMT supports providing an ISO remotely. In older versions of AMT (before 11.0) this was in the form of an emulated IDE controller. In 11.0 and later, this takes the form of an emulated USB device. The nice thing about the latter is that any image provided that way will probably be automounted if there’s a logged in user, which probably means it’s possible to use a malformed filesystem to get arbitrary code execution in the kernel. Fun!”

Concurrently, an unauthenticated local attacker could provision manageability features and gain network or local system privileges to AMT, ISM, and SBT.

The remote management features that contain the critical flaw have shipped with Intel processors since 2010.

As The Register points out, as the vulnerability lies in a devices’ chips, it lurks out of sight of the operating system and is invisible to anti-virus products.

Intel advisory

To help protect its customers, Intel recommends that sysadmins first determine whether they’re running AMT, ISM, and SBT on their machines. If they aren’t, they don’t need to do anything else. They’re safe. If they are potentially at risk, however, they should utilize this Detection Guide to determine if they’re affected by the vulnerability.

Assuming a machine is vulnerable, sysadmins should look out for the following firmware versions that plug the hole:

  • First-gen Core family: 6.2.61.3535
  • Second-gen Core family: 7.1.91.3272
  • Third-gen Core family: 8.1.71.3608
  • Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
  • Fifth-gen Core family: 10.0.55.3000
  • Sixth-gen Core family: 11.0.25.3001
  • Seventh-gen Core family: 11.6.27.3264

The availability of those updates, however, has everything to do with when a machine’s manufacturer releases the firmware versions. Sysadmins without access to those fixes should go and bug their manufacturers for an estimate of release. In the meantime, they can implement these mitigations.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.