Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/10/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Long Tail of the Intel AMT Flaw

Organizations impacted by easily exploitable privilege escalation vulnerability may need time to apply firmware patches, analysts say.

The recently disclosed critical privilege-escalation vulnerability in the Active Management Technology (AMT) firmware used in many Intel chips could leave some enterprise systems exposed to potentially devastating attacks for a relatively long time.

The flaw is present in Intel AMT firmware versions dating back to 2010. AMT is a remote management feature in Intel's vPro processors and workstations running specific versions of the company's Xeon processors. The technology is designed to give IT administrators and service providers the ability to remotely discover and manage enterprise systems even when the systems are powered down but still plugged in to a power source.

The vulnerability in the technology, first discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. Embedi has described the flaw as enabling attackers to do everything from remotely deleting or reinstalling the operating system on a vulnerable system to controlling its mouse and keyboard and loading and executing malicious code of choice.

Intel disclosed the AMT flaw May 1 and since then has implemented and validated an update to address the issue. The company is currently working with hardware OEMs that use its chips to integrate the updates into their products. In a statement last Friday, the chipmaker said that it expects hardware vendors to start making the firmware updates available to customers starting this week.

Major hardware vendors that Intel has identified as being impacted by the issue, including HP, Dell, Lenovo, and Fujitsu have already released or are expected to issue the updated firmware soon. But it could take several weeks for organizations to fully test and implement the patches on impacted systems.

In the meantime, vulnerable systems will become particularly easy targets for adversaries, says Mounir Hahad, senior director at Cyphort Labs. "To exploit this vulnerability, all an adversary needs is to install a local proxy that empties out the authentication challenge response of each HTTP transaction," he says,

Vulnerable PCs are usually enterprise-grade desktops or laptops, not consumer grade PCs, he says. The biggest risk that enterprise face is from adversaries who might have already breached an enterprise network and are looking to move laterally, he says. "The most dangerous exploit vector is an adversary who already has a foothold on the network through a previously compromised PC and is looking to move laterally towards more interesting targets."

One reason why internal users pose a bigger risk with this particular flaw is because AMT TCP/IP ports are rarely visible to the public Internet, says Tatu Ylonen, founder of SSH Communications Security.

Often the AMT port is accessible mainly on the internal network. "This basically gives every insider the ability to remotely mount and run code on any unpatched server that has AMT enabled," he says. "The code will run essentially at kernel privileges and is able to modify firmware, operating system, and any files."

According to Ylonen, building an exploit for the AMT flaw is trivially easy and takes little more than about five- to 10 lines of Python. "I expect I would be able to implement an exploit in 15 minutes," he says.

Intel has released a downloadable tool that organizations can use to determine if they have vulnerable systems on their network. The chipmaker has also provided instructions on using the tool for non-IT people. In addition, Intel has published a whitepaper providing detailed instructions for the actions organizations can take to mitigate their exposure to the threat while waiting for firmware updates to become available.

Cris Thomas, a strategist at Tenable - which discovered a way to find and exploit the AMT flaw even before Intel had disclosed full details - says any hardware that has Intel AMT installed and provisioned needs to be inspected. "If a user has have ever set a password on AMT, then it is vulnerable," he says.

Strictly speaking, the flaw is not really a remote-code-execution vulnerability. Rather it exists in the logical implementation of the AMT feature, Thomas says. "However, that implementation does allow an attacker to remotely execute commands on a target system."

The real danger for organizations from this vulnerability is that security teams may not even know they have AMT-capable systems on their network.

"This is why it's so important to be able to conduct an inventory in real-time across your entire network infrastructure," Thomas says. Security teams need to make it a priority to identify vulnerable systems and apply patches to the most critical systems as they become available.

He predicts that most of the big hardware vendors will push out patches for this vulnerability quickly, if they haven't done so already, already. "Security teams need to keep a close eye out for any 'white box' systems that they may have in their environments, because those systems may not have patches available or the patches may be delayed."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AntoniaChristina
50%
50%
AntoniaChristina,
User Rank: Apprentice
5/10/2017 | 12:30:06 PM
Network Segmentation
I bet everyone is wishing for the old world network segmentation now, huh?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14905
PUBLISHED: 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS co...
CVE-2020-11441
PUBLISHED: 2020-03-31
phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
CVE-2020-1712
PUBLISHED: 2020-03-31
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sen...
CVE-2019-10180
PUBLISHED: 2020-03-31
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...
CVE-2019-14880
PUBLISHED: 2020-03-31
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.