Governance & Risk Management , Next-Generation Technologies & Secure Development
Intel Alert: Critical Security Flaw Affects Many CPUsDecade-Old Remote-Management Flaw Affects vPro and Xeon Processors
Chipmaker Intel has issued a security alert for a flaw that has existed in many of its non-consumer CPUs for a decade. The flaw could be exploited by attackers, using Intel's own remote-management tools, to install malware on devices and breach enterprise networks.
"There is an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology versions ... that can allow an unprivileged attacker to gain control of the manageability features provided by these products," Intel says in a May 1 security alert.
Intel says firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 are affected, but that chips running firmware versions prior to 6 and after 11.6 do not have the vulnerability. It also notes that "this vulnerability does not exist on Intel-based consumer PCs."
Intel has rated the flaw - designated CVE-2017-5689 - as "critical" and recommends all business customers immediately assess whether they have devices with the vulnerable vPro processors and if so, patch them immediately.
Some security experts recommend immediately decommissioning any vulnerable devices for which an OEM patch is not yet available. "If your system is 10 years old or newer it is likely exploitable, check for patches daily and install all patches immediately," security researcher Charlie Demerjian, says in a blog post. "If there is no patch, back up data and replace."
Intel has issued related fixes, but in many cases it will now be up to OEMs to incorporate those patches into firmware and get it into customers' hands.
"Intel released an update on April 25, and advises that the system or system board manufacturers should be releasing their firmware versions to affected customers," security experts Richard Porter and Rob VandenBrink say in a SANS Internet Storm Center alert. "That is, if your vendor releases a patch for your system - there are a lot of older computers out there - and newer ones too - that will likely never see this update!"
Intel said the flaw was discovered and reported to it privately in March by security researcher Maksim Malyutin at Embedi. Intel said the researcher helped it via a coordinated disclosure campaign, which refers to a researcher not releasing details of their discovery publicly until related patches begin to get issued.
The flaw now joins the likes of Bash, Heartbleed, Logjam, Poodle and Shellshock, in that it's persisted for years before coming to light, at least publicly. Of course, the flaw still could have already been discovered and quietly exploited by someone else, such as an intelligence service (see Zero-Day Facts of Life Revealed in RAND Study).
Remotely Exploitable Flaw
The flaw exists in AMT, which is an Intel-built tool designed to help enterprise IT shops remotely manage PCs, including installing client builds on bare-metal systems. The functionality is present in Intel vPro and Xeon processors.
"Intel AMT uses integrated platform capabilities and popular third-party management and security applications, to allow IT or managed service providers to better discover, repair, and protect their networked computing assets," according to Intel's documentation. "Intel AMT also saves time with remote maintenance and wireless manageability for your mobile workforce, and secure drive wiping to simply PC lifecycle transitions."
Remote attackers can target the flaw in Active Management Technology and Standard Manageability to gain systems-level access privileges without having to authenticate to the system. Local attackers, meanwhile, could exploit the flaw in either of those technologies, or in the Small Business Technology product, to access systems without having to authenticate them.
"When AMT is enabled, any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the [management engine] and passed on to AMT - the OS never sees these packets," Matthew Garrett, a security developer at Google, says in a blog post. "AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even - if the OS is configured appropriately - get a remote console. Access to AMT requires a password - the implication of this vulnerability is that that password can be bypassed."
What's the Risk?
Security researchers have been working to identify exactly what threat the flaw poses and when it can be exploited.
"The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) - not CPU firmware," says Demerjian, who's a consultant at Minneapolis-based firm Stone Arch Networking Services.
"If this isn't scary enough news, even if your machine doesn't have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network - for the moment," Demerjian says.
But security researcher Igor Skochinsky says that the flaw can be exploited only when enterprises have enabled and provisioned AMT.
Intel Details Mitigation Steps
Regardless, security researchers are urging all organizations to immediately identify and update all affected devices. Unfortunately, that's not a straightforward proposition, Google's Garrett says, noting that running AMT requires four things: a supported CPU, chipset and network hardware, as well as for the AMT firmware to be part of the management engine firmware.
To help identify vulnerable devices, Intel recommends all organizations follow these four steps:
- Determine risk: Intel has detailed four methods organizations can use to determine if they have any Intel AMT, Intel SBA or Intel ISM systems. The can be as simple as finding an Intel vPro badge on the device - though white-label goods won't have one - and then reviewing each of these systems for designated firmware and software, to see if it's potentially vulnerable. Alternately, any enterprise that uses Microsoft, LANDesk or Symantec endpoint management suites can direct the management agent software to create an inventory of all PCs that have Intel vPro technology.
- Reference detection guide: Intel has released a detection guide, which contains instructions for using the Intel SCS System Discovery Utility to catalog deployed CPUs inside an enterprise, including device firmware version and Intel SKU, to help determine which are vulnerable to the privilege escalation problem.
- Look for updated firmware: "Intel highly recommends checking with your system OEM for updated firmware." It says patched firmware will always have a four-digit build number that starts with a "3" in the following format: (X.X.XX.3XXX), such as 18.104.22.16808.
- Employ mitigations: If updated firmware is not available, then reference this mitigation guide, which contains instructions that can be used as the basis for scripts or tasks within management consoles, allowing fixes to be deployed at scale.
Patch or Perish
Given the glacial pace with which widespread flaws diminish, however, Porter and VandenBrink at the SANS Internet Storm Center predict that "this bug is something that's going to stick with us for a [good, long] time."
The researchers note that the flaw is a timely reminder to ensure that your organization has critical information security controls in place that can help it to more quickly react to problems of this nature. In particular, "get a good, complete hardware inventory together, and get a good software inventory - know what's in your organization and on your network, and know what's running on that gear," Porter and VandenBrink recommend.
"This includes elevator controls, industrial presses, MRI machines, point-of-sale stuff, TVs, DVRs and photocopiers - all of it," they add. "Without knowing what's on your network, the best you'll do is to get a reasonable percentage of affected systems - you'll never patch the machines you don't know about."