Attacks/Breaches
5/10/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Long Tail of the Intel AMT Flaw

Organizations impacted by easily exploitable privilege escalation vulnerability may need time to apply firmware patches, analysts say.

The recently disclosed critical privilege-escalation vulnerability in the Active Management Technology (AMT) firmware used in many Intel chips could leave some enterprise systems exposed to potentially devastating attacks for a relatively long time.

The flaw is present in Intel AMT firmware versions dating back to 2010. AMT is a remote management feature in Intel's vPro processors and workstations running specific versions of the company's Xeon processors. The technology is designed to give IT administrators and service providers the ability to remotely discover and manage enterprise systems even when the systems are powered down but still plugged in to a power source.

The vulnerability in the technology, first discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. Embedi has described the flaw as enabling attackers to do everything from remotely deleting or reinstalling the operating system on a vulnerable system to controlling its mouse and keyboard and loading and executing malicious code of choice.

Intel disclosed the AMT flaw May 1 and since then has implemented and validated an update to address the issue. The company is currently working with hardware OEMs that use its chips to integrate the updates into their products. In a statement last Friday, the chipmaker said that it expects hardware vendors to start making the firmware updates available to customers starting this week.

Major hardware vendors that Intel has identified as being impacted by the issue, including HP, Dell, Lenovo, and Fujitsu have already released or are expected to issue the updated firmware soon. But it could take several weeks for organizations to fully test and implement the patches on impacted systems.

In the meantime, vulnerable systems will become particularly easy targets for adversaries, says Mounir Hahad, senior director at Cyphort Labs. "To exploit this vulnerability, all an adversary needs is to install a local proxy that empties out the authentication challenge response of each HTTP transaction," he says,

Vulnerable PCs are usually enterprise-grade desktops or laptops, not consumer grade PCs, he says. The biggest risk that enterprise face is from adversaries who might have already breached an enterprise network and are looking to move laterally, he says. "The most dangerous exploit vector is an adversary who already has a foothold on the network through a previously compromised PC and is looking to move laterally towards more interesting targets."

One reason why internal users pose a bigger risk with this particular flaw is because AMT TCP/IP ports are rarely visible to the public Internet, says Tatu Ylonen, founder of SSH Communications Security.

Often the AMT port is accessible mainly on the internal network. "This basically gives every insider the ability to remotely mount and run code on any unpatched server that has AMT enabled," he says. "The code will run essentially at kernel privileges and is able to modify firmware, operating system, and any files."

According to Ylonen, building an exploit for the AMT flaw is trivially easy and takes little more than about five- to 10 lines of Python. "I expect I would be able to implement an exploit in 15 minutes," he says.

Intel has released a downloadable tool that organizations can use to determine if they have vulnerable systems on their network. The chipmaker has also provided instructions on using the tool for non-IT people. In addition, Intel has published a whitepaper providing detailed instructions for the actions organizations can take to mitigate their exposure to the threat while waiting for firmware updates to become available.

Cris Thomas, a strategist at Tenable - which discovered a way to find and exploit the AMT flaw even before Intel had disclosed full details - says any hardware that has Intel AMT installed and provisioned needs to be inspected. "If a user has have ever set a password on AMT, then it is vulnerable," he says.

Strictly speaking, the flaw is not really a remote-code-execution vulnerability. Rather it exists in the logical implementation of the AMT feature, Thomas says. "However, that implementation does allow an attacker to remotely execute commands on a target system."

The real danger for organizations from this vulnerability is that security teams may not even know they have AMT-capable systems on their network.

"This is why it's so important to be able to conduct an inventory in real-time across your entire network infrastructure," Thomas says. Security teams need to make it a priority to identify vulnerable systems and apply patches to the most critical systems as they become available.

He predicts that most of the big hardware vendors will push out patches for this vulnerability quickly, if they haven't done so already, already. "Security teams need to keep a close eye out for any 'white box' systems that they may have in their environments, because those systems may not have patches available or the patches may be delayed."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AntoniaChristina
50%
50%
AntoniaChristina,
User Rank: Apprentice
5/10/2017 | 12:30:06 PM
Network Segmentation
I bet everyone is wishing for the old world network segmentation now, huh?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.