Last week, news broke of a serious security flaw in Intel business chipsets dating back seven years and its description of the flaw is as follows:
“There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.”
Here’s why that’s such a problem. These services are collectively known as the Intel Management Engine and are used by IT administrators to load or configure remote systems, even if said computers don’t even have an operating system loaded. That’s part of why the vulnerability is so serious — a system that’s been compromised remotely can be accessed without the operating system ever being aware that any changes have occurred. Attackers could theoretically install new applications or change system configuration options. Neither the end-user or the IT administrator would know that any such operations had occurred. That alone made this threat a serious risk, even before additional information surfaced about how the attack is carried out.
Intel notes that there are two ways this vulnerability can be triggered. The first issue does not affect Intel Small Business Technology.
“An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H”
“An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).”
All of this was known last week, and it’s certainly bad enough. Experts have been somewhat divided over just how bad it is, but there’s no arguing that a remote attacker could use this exploit to load data directly on to systems that use these features or to copy information off such systems without anyone knowing it had happened.
Here’s how it’s worse
The initial problem was first discussed by Embedi, who noted its existence back on May 1 and offered a whitepaper on the topic late last week. Recent information provided by Tenable shed additional light on the problem, and how serious it actually is. It turns out that there’s a fundamental flaw in how AMT was implemented for the past seven years that allows an attacker to authenticate as an administrator without entering any password information whatsoever.
The traditional browser session one is supposed to use to access AMT sends a computed MD5 hash to the remote system, which then checks that hash against the expected value. If you try testing AMT from a traditional browser window, it will appear to function normally. What the research teams discovered is that it’s possible to use a proxy or manually generated request to order the AMT to compare the first zero characters of the MD5 hash when checking it for accuracy. As you might imagine, telling as password authentication system to allow end-user access if the first zero characters of an MD5 hash are identical is equivalent to having no security system at all.
Tenable also investigated this problem and found similar results. They were able to access systems with AMT enabled without providing any password whatsoever. As of this writing, at least 8,500 business systems are vulnerable to this attack, and tens of thousands more may be vulnerable but sitting on corporate networks where tools like Shodan can’t detect them.
Here’s where things get really fun. While Intel is working on a patch, said to be released this week, it’s going to require a firmware update to solve the problem. Until those updates are applied, any business system with these services is vulnerable, to one degree or another, and IT administrators will have no way of determining which systems may have been accessed by black hats.
Nearly a year ago, we reported on rumors that the IME could be fundamentally compromised. At the time, there was no evidence that the engine was flawed in such a fashion, which made it extremely difficult to determine whether such fears were grounded in reality. It’s now clear that they were. We still hold to what we said back in 2016 — prominent security flaws in GnuTLS, Heartbleed, Shellshock, and Stagefright are all proof that simply being open source does not magically insulate code from containing huge security vulnerabilities — but Intel clearly wasn’t auditing its own code, either. It is extremely unlikely that every system that uses the Intel Management Engine can be found and patched, which means this is one critical vulnerability that will persist for years to come.