Attacks/Breaches

5/10/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Long Tail of the Intel AMT Flaw

Organizations impacted by easily exploitable privilege escalation vulnerability may need time to apply firmware patches, analysts say.

The recently disclosed critical privilege-escalation vulnerability in the Active Management Technology (AMT) firmware used in many Intel chips could leave some enterprise systems exposed to potentially devastating attacks for a relatively long time.

The flaw is present in Intel AMT firmware versions dating back to 2010. AMT is a remote management feature in Intel's vPro processors and workstations running specific versions of the company's Xeon processors. The technology is designed to give IT administrators and service providers the ability to remotely discover and manage enterprise systems even when the systems are powered down but still plugged in to a power source.

The vulnerability in the technology, first discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. Embedi has described the flaw as enabling attackers to do everything from remotely deleting or reinstalling the operating system on a vulnerable system to controlling its mouse and keyboard and loading and executing malicious code of choice.

Intel disclosed the AMT flaw May 1 and since then has implemented and validated an update to address the issue. The company is currently working with hardware OEMs that use its chips to integrate the updates into their products. In a statement last Friday, the chipmaker said that it expects hardware vendors to start making the firmware updates available to customers starting this week.

Major hardware vendors that Intel has identified as being impacted by the issue, including HP, Dell, Lenovo, and Fujitsu have already released or are expected to issue the updated firmware soon. But it could take several weeks for organizations to fully test and implement the patches on impacted systems.

In the meantime, vulnerable systems will become particularly easy targets for adversaries, says Mounir Hahad, senior director at Cyphort Labs. "To exploit this vulnerability, all an adversary needs is to install a local proxy that empties out the authentication challenge response of each HTTP transaction," he says,

Vulnerable PCs are usually enterprise-grade desktops or laptops, not consumer grade PCs, he says. The biggest risk that enterprise face is from adversaries who might have already breached an enterprise network and are looking to move laterally, he says. "The most dangerous exploit vector is an adversary who already has a foothold on the network through a previously compromised PC and is looking to move laterally towards more interesting targets."

One reason why internal users pose a bigger risk with this particular flaw is because AMT TCP/IP ports are rarely visible to the public Internet, says Tatu Ylonen, founder of SSH Communications Security.

Often the AMT port is accessible mainly on the internal network. "This basically gives every insider the ability to remotely mount and run code on any unpatched server that has AMT enabled," he says. "The code will run essentially at kernel privileges and is able to modify firmware, operating system, and any files."

According to Ylonen, building an exploit for the AMT flaw is trivially easy and takes little more than about five- to 10 lines of Python. "I expect I would be able to implement an exploit in 15 minutes," he says.

Intel has released a downloadable tool that organizations can use to determine if they have vulnerable systems on their network. The chipmaker has also provided instructions on using the tool for non-IT people. In addition, Intel has published a whitepaper providing detailed instructions for the actions organizations can take to mitigate their exposure to the threat while waiting for firmware updates to become available.

Cris Thomas, a strategist at Tenable - which discovered a way to find and exploit the AMT flaw even before Intel had disclosed full details - says any hardware that has Intel AMT installed and provisioned needs to be inspected. "If a user has have ever set a password on AMT, then it is vulnerable," he says.

Strictly speaking, the flaw is not really a remote-code-execution vulnerability. Rather it exists in the logical implementation of the AMT feature, Thomas says. "However, that implementation does allow an attacker to remotely execute commands on a target system."

The real danger for organizations from this vulnerability is that security teams may not even know they have AMT-capable systems on their network.

"This is why it's so important to be able to conduct an inventory in real-time across your entire network infrastructure," Thomas says. Security teams need to make it a priority to identify vulnerable systems and apply patches to the most critical systems as they become available.

He predicts that most of the big hardware vendors will push out patches for this vulnerability quickly, if they haven't done so already, already. "Security teams need to keep a close eye out for any 'white box' systems that they may have in their environments, because those systems may not have patches available or the patches may be delayed."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AntoniaChristina
50%
50%
AntoniaChristina,
User Rank: Apprentice
5/10/2017 | 12:30:06 PM
Network Segmentation
I bet everyone is wishing for the old world network segmentation now, huh?
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.