Intel is expected to soon issue patches that purport to fix an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow a remote attacker to gain control of the admin manageability features in these chips.
For those not familiar, AMT enables remote management at the hardware layer, including things such as changing boot code and loading applications, just as if you were sitting at the console.
According to Intel, there are two ways this vulnerability may be accessed. Intel adds that Intel Small Business Technology is not vulnerable to the first issue.
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel Standard Manageability (ISM).
  - CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
  - CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Intel says that this vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel Server Platform Services (Intel SPS), or Intel Xeon Processor E3 and Intel Xeon Processor E5 workstations utilizing Intel SPS firmware.
Hardware flaws are unfortunately persistent and more difficult to patch. In 2014, a design flaw in Intel processors opened the door to rootkits, a researcher said. According to Lucian Constantin’s story, the design flaw in the x86 processor architecture dated back to 1997 and permitted attackers to install a rootkit in the low-level firmware. The malware at the time would be undetectable.
Here is a description of that vulnerability from Constantin’s story:
The vulnerability stems from a feature first added to the x86 architecture in 1997. It was disclosed Thursday at the Black Hat security conference by Christopher Domas, a security researcher with the Battelle Memorial Institute.
By leveraging the flaw, attackers could install a rootkit in the processor's System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers.
Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface), the modern BIOS, or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they, too, rely on the SMM to be secure.
Here is a story from earlier this year about a hardware flaw that defeated the hardware-level defense address space layout randomization: "A Chip Flaw Strips Away Hacking Protections for Millions of Devices."
For this current flaw, Intel has released a downloadable discovery tool located at downloadcenter.intel.com, which will analyze your system for the vulnerability. IT professionals who are familiar with the configuration of their systems and networks can use this tool or can find more details below.
As Intel becomes aware of computer makers' schedules for updated firmware, this list will be updated:
- HP - http://www8.hp.com/us/en/intelmanageabilityissue.html
- Lenovo - https://support.lenovo.com/us/en/product_security/LEN-14963
- Fujitsu - http://support.ts.fujitsu.com/content/Intel_Firmware.asp
- Dell - http://en.community.dell.com/techcenter/extras/m/white_papers/20443914
If enterprise admins and security teams are not sure whether their systems are affected, they should use the Intel discovery tool to test them and remediate as fast as possible.