Intel AMT Vulnerability’s Hijacking Horrors Revealed By Whitepaper
Intel last week finally got around to plugging a security hole that existed for decades affecting platforms with Active Management Technology (AMT), Intel Standard Manageability (ISM), and Small Business Technology (SBT). Consumer systems were untouched by this bug, but otherwise systems dating all the way back to Nehalem (2008) were potentially at risk. As it turns out, the flaw was more serious than initially thought.
First, the good news. Intel says it has implemented and validated a firmware update to address the problem and is collaborating with computer makers to roll it out quickly and smoothly. It is ultimately up to OEMs to provide the critical update to customers, and to that end Intel says it expects computer makers to make updates available beginning this week (and continuing thereafter).
Until those updates arrive, Intel recommends that IT admins and individuals download and run the company's discovery tool to determine if a system is potentially at risk. If it discovers a vulnerability or is unable to determine if one exists, Intel recommends the following:
Security outfit Embedi is the one that brought all of this to attention and it has now released a whitepaper outlining the technical details. One of the things the company notes is that the AMT vulnerability is the first of its kind and that it allows an attacker to gain full control over business PCs even if they are turned off (but still plugged into an outlet).
"By nature, the Intel AMT exploitation bypasses authentication. In other words, an attacker may now credentials and still be able to use the Intel AMT functionality. Access to ports 16992/16993 are the only requirement to perform a successful attack," Embedi states in its whitepaper.
Once a system is compromised, a remote attacker can take control of the keyboard, mouse, and monitor to perform physical actions that users would normally do when sitting in front of a system—load and execute programs, read and write files, and so forth. The attacker would also be able to remotely change the boot device (to a virtual image, for example), power on and off a system, access the BIOS, and more.
Security firm Tenable followed up on Embedi's disclosure with an investigation of its own to see how serious the vulnerability really is. using a specially crafted requests, Tenable was able to completely bypass the authentication scheme of an AMT-enabled system and gain access without providing a proper password.
Updated firmware can't come fast enough. To that end, Fujitsu, HP, and Lenovo have each promised updates in the near future.
First, the good news. Intel says it has implemented and validated a firmware update to address the problem and is collaborating with computer makers to roll it out quickly and smoothly. It is ultimately up to OEMs to provide the critical update to customers, and to that end Intel says it expects computer makers to make updates available beginning this week (and continuing thereafter).
Until those updates arrive, Intel recommends that IT admins and individuals download and run the company's discovery tool to determine if a system is potentially at risk. If it discovers a vulnerability or is unable to determine if one exists, Intel recommends the following:
Until firmware updates are available, systems administrators can take the mitigation steps detailed in the mitigation guide published under our security advisory. Please note that capabilities and features provided by AMT, ISM and SBT will be made unavailable by these mitigations.So there you go, Intel is on top of things. The bad news is that the threat is more serious than originally thought. The affected services are what IT admins use to configure systems remotely, even if there is not an operating system installed. That is part of what makes this exploit so scary, though it is not the only thing.
Consumers or others who need support securing vulnerable systems can contact Intel Customer Support. Online support is available at http://www.intel.com/supporttickets. To contact Intel Customer Support by phone in the U.S., Canada or Latin America, call (916) 377-7000. Europe, Middle East and Africa support phone numbers can be found on Intel’s support website. Asia Pacific support phone numbers can be found on Intel’s Asia support site.
Security outfit Embedi is the one that brought all of this to attention and it has now released a whitepaper outlining the technical details. One of the things the company notes is that the AMT vulnerability is the first of its kind and that it allows an attacker to gain full control over business PCs even if they are turned off (but still plugged into an outlet).
"By nature, the Intel AMT exploitation bypasses authentication. In other words, an attacker may now credentials and still be able to use the Intel AMT functionality. Access to ports 16992/16993 are the only requirement to perform a successful attack," Embedi states in its whitepaper.
Once a system is compromised, a remote attacker can take control of the keyboard, mouse, and monitor to perform physical actions that users would normally do when sitting in front of a system—load and execute programs, read and write files, and so forth. The attacker would also be able to remotely change the boot device (to a virtual image, for example), power on and off a system, access the BIOS, and more.
Security firm Tenable followed up on Embedi's disclosure with an investigation of its own to see how serious the vulnerability really is. using a specially crafted requests, Tenable was able to completely bypass the authentication scheme of an AMT-enabled system and gain access without providing a proper password.
Updated firmware can't come fast enough. To that end, Fujitsu, HP, and Lenovo have each promised updates in the near future.
