Remote access bug in Intel AMT worse than we thought, says researcher

News by Bradley Barth

A long-standing flaw in Intel's manageability firmware may date back 10 years and is trivial to exploit, so patch your devices now, says security researcher.

Intel is warning users of its chips that an attacker could gain remote access to PCs or devices that have its manageability firmware.

Intel described it as a critical escalation of privilege vulnerability while other commentators said the simplicity and severity put it more in the category of a backdoor.

According to an Intel Vulnerability Tracking Page set up by SSH Communications Security, Intel has provided OEM partners with a fix, though none of the OEMs has yet released updated firmware.

Specifically, the flaw was found in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology, firmware versions 6 through 11.6. Various reports state that the bug dates back to approximately 10 years ago.

According to Intel, there are two ways an attacker can potentially access the vulnerability: "an unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs" or "an unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs." The first method does not apply to Intel Small Business Technology.

“It is stunning that a vulnerability this severe can exist in practically every Intel server. If, as some sources now say, Intel has known of this vulnerability for years, it can only be an intentional backdoor,” Tatu Ylonen, founder and SSH fellow, SSH Communications Security, said in comments sent to SC Media.

“It undermines the very fabric of information society. This vulnerability could cause many billions of dollars of damage to enterprises if weaponized against their servers and data. The impact can also be particularly long-term if their internal cybersecurity systems are compromised as a result of this vulnerability.”

Ylonen said the vulnerability could be exploited with just five lines of Python code in a one-line shell command.

In his blog, he wrote: “If your Active Directory server's AMT port can be accessed, this is like giving every internal user Domain Administrator rights to your domains.”

Intel advises that affected customers check with their system OEM for updated firmware. For those who cannot yet update their firmware, the company has published a document that details steps for mitigation.

Ylonen's advice is to disable AMT immediately, beginning with the most critical servers in your organisation. He also advises data centres to block ports 16992, 16993, 16994, 16995, 623 and 664 in internal firewalls now if they can.
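
One way to check the port-blocking advice above on a Linux-based internal firewall, as an added example that is not from the article, Intel or SSH Communications Security: it reads `iptables-save` output and reports, per port, whether the FORWARD chain drops it before any rule lets it through. Treating the ports as TCP, the function names and the sample ruleset are assumptions constructed for illustration; jumps to user-defined chains are not followed and are counted as not blocked.

```python
import shlex

AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)  # from the article; TCP is assumed
NEUTRAL_MODULES = {"tcp", "multiport", "comment"}    # -m modules that add no condition
CONDITIONS = {"-s", "-d", "-i", "-o", "--sport", "--sports", "!"}

def expand_ports(spec):
    """Expand an iptables port list such as '623,16992:16995' into a set."""
    ranges = (part.partition(":") for part in spec.split(","))
    return {p for lo, _, hi in ranges for p in range(int(lo), int(hi or lo) + 1)}

def audit_forward_chain(ruleset, ports=AMT_PORTS):
    """Map each port to 'blocked' or 'not blocked' using first-match order."""
    verdict, policy = {}, "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == [":FORWARD"]:
            policy = tok[1]                      # chain default, e.g. ':FORWARD DROP [0:0]'
        if tok[:2] != ["-A", "FORWARD"] or "-j" not in tok:
            continue
        args = tok[2:tok.index("-j")]
        opts = dict(zip(args, args[1:]))         # option -> the token that follows it
        target = tok[tok.index("-j") + 1]
        proto = opts.get("-p", "all")
        spec = opts.get("--dports", opts.get("--dport"))
        matched = expand_ports(spec) if spec and "!" not in args else None  # None = any port
        conditional = bool(CONDITIONS & set(args)) or any(
            m not in NEUTRAL_MODULES for a, m in zip(args, args[1:]) if a == "-m")
        if target == "LOG" or proto not in ("tcp", "all"):
            continue
        drops = target in ("DROP", "REJECT")
        for p in ports:
            if p not in verdict and (matched is None or p in matched):
                if not drops:
                    verdict[p] = "not blocked"   # ACCEPT, or a jump this check does not follow
                elif not conditional:
                    verdict[p] = "blocked"       # a DROP limited by source/interface is skipped
    default = "blocked" if policy == "DROP" else "not blocked"
    return {p: verdict.get(p, default) for p in ports}

SAMPLE = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.9.0.0/24 -p tcp -m tcp --dport 623 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 623,16992:16995 -j DROP
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
"""  # constructed ruleset, not taken from a real device

if __name__ == "__main__":
    print(audit_forward_chain(SAMPLE))
```

In the constructed ruleset, port 623 is reported as not blocked because an earlier ACCEPT for one subnet shadows the DROP, and 664 because no rule covers it.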
