Intel Patches Nine-Year-Old Critical CPU Vulnerability

Intel warns business PC customers of a critical vulnerability found in its Active Management Technology that allows for escalation of privilege attacks.

Intel patched a critical vulnerability that dates back nine years and impacts business desktop PCs that utilize the company’s Active Management Technology. According to an Intel security bulletin, the flaw could allow an adversary to elevate privileges on a vulnerable system.

Intel said there are two attack vectors that could be exploited. In the first, a network attacker gains system privileges to provision Intel systems running affected versions of Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). In the second, an unprivileged local attacker provisions manageability features and thereby gains unprivileged network or local system privileges on affected systems running AMT, ISM and Intel Small Business Technology (SBT).

Intel said a researcher disclosed the vulnerability last month, warning of critical firmware flaws in business PCs and devices that utilize AMT, ISM and SBT.

“We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible,” William Moss, a spokesperson for Intel, told Threatpost.

Moss said no consumer PCs are impacted and that Intel is unaware of any exploitation of this vulnerability in the wild.

Mitigations for the vulnerability include a firmware update for some models or, alternatively, removing or disabling Local Manageability Service (LMS) on impacted systems, according to the Intel security advisory.
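Before either mitigation can be applied, an administrator needs to know which hosts actually answer as AMT on the network, since that is the precondition for the network attack vector described above. The following inventory probe is an added example written for this page; it is not Intel's code and not part of the article. It assumes the well-known AMT web-interface ports (16992 for HTTP, 16993 for HTTPS) and that an unauthenticated request to AMT returns a 401 whose Server header names "Intel(R) Active Management Technology" together with the firmware version; the host list, `/index.htm` path and the sample responses are constructed for illustration.

```python
import re
import socket
import ssl
from typing import Optional

# Well-known AMT web-interface ports (assumption noted in the lead-in):
# 16992 is plain HTTP, 16993 is HTTPS.
AMT_PORTS = (16992, 16993)

AMT_MARKER = "active management technology"


def parse_amt_banner(raw_response: bytes) -> Optional[str]:
    """Return the Server header value if the HTTP response identifies itself
    as Intel AMT, otherwise None. Only the header block is inspected."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    for line in lines[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server" and AMT_MARKER in value.lower():
            return value.strip()
    return None


def amt_version(server_header: str) -> Optional[str]:
    """Pull the dotted firmware version out of an AMT Server header so it can
    be compared against the versions listed in Intel's advisory."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", server_header)
    return m.group(1) if m else None


def probe_host(host: str, port: int = 16992, timeout: float = 3.0) -> Optional[str]:
    """Connect to host:port, send one unauthenticated GET, and return the AMT
    Server header if present. Returns None on connection failure or when the
    responder is not AMT. Port 16993 is wrapped in TLS without certificate
    validation (assumption: AMT presents a provisioned or self-signed cert)."""
    request = (
        f"GET /index.htm HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == 16993:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            buf = bytearray()
            while len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                if b"\r\n\r\n" in buf:  # headers complete; body not needed
                    break
    except (OSError, ssl.SSLError):
        return None
    return parse_amt_banner(bytes(buf))


def survey(hosts, ports=AMT_PORTS):
    """Return {host: (port, server_header, version)} for hosts that answer as AMT."""
    found = {}
    for host in hosts:
        for port in ports:
            banner = probe_host(host, port)
            if banner:
                found[host] = (port, banner, amt_version(banner))
                break
    return found


# Constructed sample responses (not captured from a real device) used to
# exercise the parser offline.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 9.1.40\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0A2B3C4D5E6F", nonce="k3jd92hd", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.10.3\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    banner = parse_amt_banner(SAMPLE_AMT_RESPONSE)
    print(banner, amt_version(banner))           # AMT banner and version
    print(parse_amt_banner(SAMPLE_OTHER_RESPONSE))  # None: not AMT
    # Live use against your own hosts, e.g. survey(["192.0.2.10", "192.0.2.11"])
```

Run the survey before and after remediation: a host that still answers on 16992 or 16993 with that banner is still exposing the management interface, whatever has been done on the host OS side. The probe sends no credentials and performs no provisioning; it only records what the interface volunteers in its response headers.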

Intel credited researcher Maksim Malyutin from Embedi for discovering the vulnerability and disclosing it to Intel.

“We have been warning Intel about the vulnerability tied to Active Management Technology for years. Now, finally it’s realized there is a vulnerability here that needs to be patched,” said Charlie Demerjian, founder of Stone Arch Networking Services in an interview with Threatpost. He maintains that every Intel platform, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the chipset’s Management Engine (ME).

In an article posted to the website SemiAccurate.com Monday–before Intel issued its advisory–Demerjian asserted Intel would patch a flaw first identified in June 2016 by researcher Damien Zammit. In an exposé of Intel’s Management Engine, Zammit claimed last year that there was a vulnerability in Intel x86 chips that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs.

In a statement in response to Zammit’s allegation, Steve Grobman, chief technology officer for Intel Security, disputed the claim, calling the feature a boon to admins who manage large installs of remote PCs.

When Threatpost asked Intel if the vulnerability that it warned of on Monday was tied to the same security issues discussed in June 2016, Moss said he was looking into it.

“I don’t know if there is any relationship to prior allegations. This current update is based on a report that we received in March from a security researcher. And to my knowledge it doesn’t have anything to do with anything before that,” Moss told Threatpost.

The vulnerability patched by Intel on Monday is a flaw in Active Management Technology, which runs as firmware on the Intel Management Engine. The ME is a separate component that runs on an ARC microprocessor physically located inside the Intel chipset, independent of the main x86 CPU.

“The ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system,” according to Zammit.

“The problem is quite simple, the ME controls the network ports and has DMA (direct memory access) access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100 percent verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not,” Demerjian wrote in his post.

Matthew Garrett, a developer at Red Hat, wrote on his blog Monday that the flaw will only impact those that have explicitly enabled Active Management Technology at some point. “Most Intel systems don’t ship with AMT. Most Intel systems with AMT don’t have it turned on,” he said.

Garrett added, fixing the problem won’t be easy for Intel or admins. “Fixing this requires a system firmware update in order to provide new ME firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix. Anyone who ever enables AMT on one of these devices will be vulnerable,” he said.
