Attacks/Breaches

5/10/2017
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Long Tail of the Intel AMT Flaw

Organizations impacted by easily exploitable privilege escalation vulnerability may need time to apply firmware patches, analysts say.

The recently disclosed critical privilege-escalation vulnerability in the Active Management Technology (AMT) firmware used in many Intel chips could leave some enterprise systems exposed to potentially devastating attacks for a relatively long time.

The flaw is present in Intel AMT firmware versions dating back to 2010. AMT is a remote management feature in Intel's vPro processors and workstations running specific versions of the company's Xeon processors. The technology is designed to give IT administrators and service providers the ability to remotely discover and manage enterprise systems even when the systems are powered down but still plugged in to a power source.

The vulnerability in the technology, first discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. Embedi has described the flaw as enabling attackers to do everything from remotely deleting or reinstalling the operating system on a vulnerable system to controlling its mouse and keyboard and loading and executing malicious code of choice.

Intel disclosed the AMT flaw May 1 and since then has implemented and validated an update to address the issue. The company is currently working with hardware OEMs that use its chips to integrate the updates into their products. In a statement last Friday, the chipmaker said that it expects hardware vendors to start making the firmware updates available to customers starting this week.

Major hardware vendors that Intel has identified as being impacted by the issue, including HP, Dell, Lenovo, and Fujitsu have already released or are expected to issue the updated firmware soon. But it could take several weeks for organizations to fully test and implement the patches on impacted systems.

In the meantime, vulnerable systems will become particularly easy targets for adversaries, says Mounir Hahad, senior director at Cyphort Labs. "To exploit this vulnerability, all an adversary needs is to install a local proxy that empties out the authentication challenge response of each HTTP transaction," he says,

Vulnerable PCs are usually enterprise-grade desktops or laptops, not consumer grade PCs, he says. The biggest risk that enterprise face is from adversaries who might have already breached an enterprise network and are looking to move laterally, he says. "The most dangerous exploit vector is an adversary who already has a foothold on the network through a previously compromised PC and is looking to move laterally towards more interesting targets."

One reason why internal users pose a bigger risk with this particular flaw is because AMT TCP/IP ports are rarely visible to the public Internet, says Tatu Ylonen, founder of SSH Communications Security.

Often the AMT port is accessible mainly on the internal network. "This basically gives every insider the ability to remotely mount and run code on any unpatched server that has AMT enabled," he says. "The code will run essentially at kernel privileges and is able to modify firmware, operating system, and any files."

According to Ylonen, building an exploit for the AMT flaw is trivially easy and takes little more than about five- to 10 lines of Python. "I expect I would be able to implement an exploit in 15 minutes," he says.

Intel has released a downloadable tool that organizations can use to determine if they have vulnerable systems on their network. The chipmaker has also provided instructions on using the tool for non-IT people. In addition, Intel has published a whitepaper providing detailed instructions for the actions organizations can take to mitigate their exposure to the threat while waiting for firmware updates to become available.

Cris Thomas, a strategist at Tenable - which discovered a way to find and exploit the AMT flaw even before Intel had disclosed full details - says any hardware that has Intel AMT installed and provisioned needs to be inspected. "If a user has have ever set a password on AMT, then it is vulnerable," he says.

Strictly speaking, the flaw is not really a remote-code-execution vulnerability. Rather it exists in the logical implementation of the AMT feature, Thomas says. "However, that implementation does allow an attacker to remotely execute commands on a target system."

The real danger for organizations from this vulnerability is that security teams may not even know they have AMT-capable systems on their network.

"This is why it's so important to be able to conduct an inventory in real-time across your entire network infrastructure," Thomas says. Security teams need to make it a priority to identify vulnerable systems and apply patches to the most critical systems as they become available.

He predicts that most of the big hardware vendors will push out patches for this vulnerability quickly, if they haven't done so already, already. "Security teams need to keep a close eye out for any 'white box' systems that they may have in their environments, because those systems may not have patches available or the patches may be delayed."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AntoniaChristina
50%
50%
AntoniaChristina,
User Rank: Apprentice
5/10/2017 | 12:30:06 PM
Network Segmentation
I bet everyone is wishing for the old world network segmentation now, huh?
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8358
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.