
Attacks/Breaches

5/10/2017 09:00 AM

The Long Tail of the Intel AMT Flaw

Organizations impacted by the easily exploitable privilege-escalation vulnerability may need time to apply firmware patches, analysts say.

The recently disclosed critical privilege-escalation vulnerability in the Active Management Technology (AMT) firmware used in many Intel chips could leave some enterprise systems exposed to potentially devastating attacks for a relatively long time.

The flaw is present in Intel AMT firmware versions dating back to 2010. AMT is a remote management feature in Intel's vPro processors and workstations running specific versions of the company's Xeon processors. The technology is designed to give IT administrators and service providers the ability to remotely discover and manage enterprise systems even when the systems are powered down but still plugged in to a power source.

The vulnerability in the technology, first discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. Embedi has described the flaw as enabling attackers to do everything from remotely deleting or reinstalling the operating system on a vulnerable system to controlling its mouse and keyboard and loading and executing malicious code of choice.

Intel disclosed the AMT flaw May 1 and since then has implemented and validated an update to address the issue. The company is currently working with hardware OEMs that use its chips to integrate the updates into their products. In a statement last Friday, the chipmaker said that it expects hardware vendors to start making the firmware updates available to customers starting this week.

Major hardware vendors that Intel has identified as being impacted by the issue, including HP, Dell, Lenovo, and Fujitsu, have already released or are expected to issue the updated firmware soon. But it could take several weeks for organizations to fully test and implement the patches on impacted systems.

In the meantime, vulnerable systems will become particularly easy targets for adversaries, says Mounir Hahad, senior director at Cyphort Labs. "To exploit this vulnerability, all an adversary needs is to install a local proxy that empties out the authentication challenge response of each HTTP transaction," he says.
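Hahad's description gives defenders a concrete signature to hunt for: a legitimate HTTP Digest client always sends a computed hash in the `response` field, so an empty one aimed at an AMT listener is the bypass pattern. The following added example, which is not from the article, Cyphort, or Intel, parses constructed proxy-log lines (the log format is invented for this example), flags requests to the AMT web ports whose Digest `response` field is empty, and lists every host seen answering on those ports, the inventory question raised later in the piece. The ports 16992 and 16993 are AMT's standard HTTP and HTTPS listeners.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Intel AMT's web interface listens on TCP 16992 (HTTP) and 16993 (HTTPS).
AMT_PORTS = {16992, 16993}

# Constructed proxy log lines (not real traffic), one HTTP request per line:
#   <client_ip> <dst_ip>:<dst_port> <method> <path> | <Authorization header or "-">
SAMPLE_LOG = """\
10.0.5.21 10.0.9.40:16992 GET /index.htm | Digest username="admin", realm="Digest:0A1B", nonce="n1", uri="/index.htm", response="d41d8cd98f00b204e9800998ecf8427e"
10.0.5.88 10.0.9.40:16992 GET /index.htm | Digest username="admin", realm="Digest:0A1B", nonce="n1", uri="/index.htm", response=""
10.0.5.88 10.0.9.41:16993 POST /wsman | Digest username="admin", realm="Digest:0A1C", nonce="n2", uri="/wsman", response=""
10.0.5.21 10.0.9.50:443 GET /login | Basic YWRtaW46c2VjcmV0
10.0.5.21 10.0.9.42:16992 GET /index.htm | -
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) \| (.*)$")
# Digest parameters are key=value pairs; values are quoted (possibly empty) or bare tokens.
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_digest(header: str) -> Optional[Dict[str, str]]:
    """Return the Digest parameters as a dict, or None for any other auth scheme."""
    if not header.lower().startswith("digest "):
        return None
    return {k: quoted or bare for k, quoted, bare in PARAM_RE.findall(header[7:])}

def check_request(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (client, host, port) when a request to an AMT port has an empty Digest 'response'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, host, port, _method, _path, auth = m.groups()
    if int(port) not in AMT_PORTS:
        return None
    params = parse_digest(auth)
    if params is not None and params.get("response") == "":
        return (client, host, int(port))
    return None

def scan_log(text: str) -> List[Tuple[str, str, int]]:
    """All bypass-pattern requests in the log, in log order."""
    return [hit for hit in map(check_request, text.splitlines()) if hit]

def amt_inventory(text: str) -> Set[str]:
    """Hosts seen serving AMT ports: the systems the asset inventory must account for."""
    matches = filter(None, map(LINE_RE.match, text.splitlines()))
    return {m.group(2) for m in matches if int(m.group(3)) in AMT_PORTS}

if __name__ == "__main__":
    for client, host, port in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {host}:{port}: empty Digest response on AMT port")
    print("AMT hosts to inventory:", sorted(amt_inventory(SAMPLE_LOG)))
```

Hosts in the inventory set that are not on the patched-firmware list are the ones to prioritise, whether or not an alert has fired for them yet.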

Vulnerable PCs are usually enterprise-grade desktops or laptops, not consumer-grade PCs, he says. The biggest risk that enterprises face is from adversaries who might have already breached an enterprise network and are looking to move laterally, he says. "The most dangerous exploit vector is an adversary who already has a foothold on the network through a previously compromised PC and is looking to move laterally towards more interesting targets."

One reason why internal users pose a bigger risk with this particular flaw is because AMT TCP/IP ports are rarely visible to the public Internet, says Tatu Ylonen, founder of SSH Communications Security.

Often the AMT port is accessible mainly on the internal network. "This basically gives every insider the ability to remotely mount and run code on any unpatched server that has AMT enabled," he says. "The code will run essentially at kernel privileges and is able to modify firmware, operating system, and any files."

According to Ylonen, building an exploit for the AMT flaw is trivially easy and takes little more than five to 10 lines of Python. "I expect I would be able to implement an exploit in 15 minutes," he says.

Intel has released a downloadable tool that organizations can use to determine if they have vulnerable systems on their network. The chipmaker has also provided instructions on using the tool for non-IT people. In addition, Intel has published a whitepaper providing detailed instructions for the actions organizations can take to mitigate their exposure to the threat while waiting for firmware updates to become available.

Cris Thomas, a strategist at Tenable - which discovered a way to find and exploit the AMT flaw even before Intel had disclosed full details - says any hardware that has Intel AMT installed and provisioned needs to be inspected. "If a user has ever set a password on AMT, then it is vulnerable," he says.

Strictly speaking, the flaw is not really a remote-code-execution vulnerability. Rather, it exists in the logical implementation of the AMT feature, Thomas says. "However, that implementation does allow an attacker to remotely execute commands on a target system."

The real danger for organizations from this vulnerability is that security teams may not even know they have AMT-capable systems on their network.

"This is why it's so important to be able to conduct an inventory in real-time across your entire network infrastructure," Thomas says. Security teams need to make it a priority to identify vulnerable systems and apply patches to the most critical systems as they become available.

He predicts that most of the big hardware vendors will push out patches for this vulnerability quickly, if they haven't done so already. "Security teams need to keep a close eye out for any 'white box' systems that they may have in their environments, because those systems may not have patches available or the patches may be delayed."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
AntoniaChristina, User Rank: Apprentice, 5/10/2017 | 12:30:06 PM
Network Segmentation
I bet everyone is wishing for the old world network segmentation now, huh?