Researcher: ‘Baseless Assumptions’ Exist About Intel AMT Vulnerability

Embedi, which is behind the Intel AMT vulnerability revealed Monday, seeks to clarify “baseless assumptions” being made about the flaw.

Researchers at Embedi who found the critical Active Management Technology (AMT) flaw in Intel chips said in a blog published today there were “a tremendous amount of baseless assumptions” being made about the vulnerability.

According to Embedi CTO Dmitry Evdokimov, an information vacuum has predictably sparked false assumptions about the vulnerability, otherwise known as Intel Standard Manageability Escalation of Privilege (INTEL-SA-00075, CVE-2017-5689).

For starters, the Intel firmware versions affected by this vulnerability (6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5 and 11.6) correspond to systems shipped from 2010 to 2017; no Intel firmware related to this vulnerability was in use before 2010, Embedi said. Evdokimov refuted reports that the AMT vulnerability dates back as many as nine years, to when the AMT feature was first introduced.

Embedi said its hands are tied and it can’t release granular details on the AMT flaw, but promised a fuller account once Intel and other stakeholders have a chance to patch systems. “Intel representatives have asked Embedi to hold off on disclosing any technical details regarding this issue until further notice,” according to a blog post by Embedi titled MythBusters.

Evdokimov emphasized that the vulnerability is not a remote code execution (RCE) bug, as some reports following Intel’s security bulletin had assumed. Rather, he said, the flaw Embedi researchers found is a logical vulnerability, the details of which he also could not disclose.

“RCE is a technical vulnerability like a coding mistake. A logical vulnerability finds flaws in the way the application makes decisions,” explained Evdokimov in an interview with Threatpost.

He also said the vulnerability affects only Intel PCs, laptops and servers that have the Intel AMT feature enabled. No consumer PCs are affected, a distinction not consistently made in reporting on the vulnerability. However, Evdokimov also noted: “in our recent research we’ve discovered some cases in which attacks are possible even on systems without official AMT support; those systems could be at risk.” He declined to elaborate.

“The vulnerability discovered is a logical vulnerability in some AMT network protocols which allows a remote attacker to take full control (log in as admin) of any AMT service the system is capable of,” Evdokimov said.

He said the vulnerability could allow an attacker to gain remote access to AMT services such as keyboard, video and mouse (KVM) redirection, IDE Redirection, Serial over LAN, and BIOS setup and editing.

But Evdokimov pointed out that when any of the above AMT features is activated by a third party, the attacker’s activity cannot easily be hidden from the user of the target system.

He said the vulnerability was discovered by Embedi researcher Maks Malyutin in mid-February. The vulnerability was disclosed to Intel on March 3.

Evdokimov noted that the logical vulnerability Embedi found is unrelated to a flaw identified in June 2016 by a researcher who claimed there was a remotely exploitable security hole in the Intel Management Engine that created a secret backdoor, allowing a third party to use undetectable rootkits against Intel PCs. A number of reports following Intel’s disclosure assumed the vulnerabilities were related, he said.

“There is no relation. Actually, the researcher wrote about the “backdoor” capabilities of Intel ME subsystem (access to DRAM, out-of-band access to a network interface and other administration and control capabilities used by Intel AMT technology). It is scary to have this subsystem inside each computer system, but it is unrelated.”

Given the disclosure date of March 3, some in the research community are scratching their heads over a sharp increase in scanning of TCP ports 16992 and 16993, on which AMT’s web management interface listens (HTTP and HTTPS respectively) and which systems administrators use to manage workstations remotely over a network.

“Intel released their advisory yesterday, yet people started scanning for 16992 or 16993 last month,” tweeted a researcher who goes by the handle x0rz.

“We cannot comment on this. It may just be a coincidence,” Evdokimov said. “But this is a typical situation for all remote vulnerabilities which can be exploited through the internet. The same situation was with Heartbleed and others.”

Evdokimov’s practical advice for those impacted by the AMT vulnerability is simple: “just un-configure it via disabling AMT in the BIOS setup.”
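Two things a defender can do with the information above, shown here as an added example that is not part of the article or of Embedi’s or Intel’s material: spot one source sweeping the AMT ports across many hosts in firewall logs (the pattern x0rz reported), and, after disabling AMT in the BIOS as Evdokimov advises, confirm that the ports are actually closed on your own machines. The log lines are constructed iptables-style samples, not real traffic, and the function names (`amt_scanners`, `amt_reachable`) are this example’s own. Only the TCP port numbers come from the article.

```python
"""Detect sweeps of the Intel AMT management ports and verify AMT is closed."""
import re
import socket
from collections import defaultdict

# TCP ports the AMT web management interface listens on: 16992 (HTTP), 16993 (HTTPS).
AMT_PORTS = {16992, 16993}

# Constructed iptables-style firewall log lines (not real traffic): one external
# source fanning out across four internal hosts on the AMT ports, plus ordinary
# traffic and a single admin console that must not be flagged.
SAMPLE_LOG = """\
May  2 09:14:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.11 PROTO=TCP SPT=44123 DPT=16992 SYN
May  2 09:14:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=44124 DPT=16992 SYN
May  2 09:14:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.13 PROTO=TCP SPT=44125 DPT=16993 SYN
May  2 09:14:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 PROTO=TCP SPT=44126 DPT=16992 SYN
May  2 09:14:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.11 PROTO=TCP SPT=51000 DPT=443 SYN
May  2 09:14:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.11 PROTO=TCP SPT=51001 DPT=16992 SYN
"""

# Fields we need from a netfilter log entry; other formats would need their own regex.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP log entry, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def amt_scanners(log_text, min_targets=3):
    """Map each source that probed an AMT port on at least min_targets distinct
    hosts to the sorted list of hosts it touched.

    One console talking to one managed host is normal; one source hitting the
    AMT ports across the subnet is a sweep, whichever of the two ports it used."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in AMT_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def amt_reachable(host, timeout=2.0, connect=None):
    """Return the subset of AMT_PORTS that accept a TCP connection on host.

    Run this against your own inventory after disabling AMT in the BIOS: an
    empty set means the management interface is no longer listening. The
    'connect' callable is injectable so the logic can be exercised offline;
    by default it performs a real TCP connect with the given timeout."""
    if connect is None:
        def connect(h, p):
            with socket.create_connection((h, p), timeout=timeout):
                return True
    open_ports = set()
    for port in sorted(AMT_PORTS):
        try:
            if connect(host, port):
                open_ports.add(port)
        except OSError:
            # Refused, filtered or timed out: the port is not reachable.
            pass
    return open_ports


if __name__ == "__main__":
    for src, hosts in amt_scanners(SAMPLE_LOG).items():
        print(f"AMT sweep from {src}: {len(hosts)} hosts probed ({', '.join(hosts)})")
    # Example post-remediation check against a host of your own (assumed address).
    print("AMT ports still open on 10.0.0.11:", amt_reachable("10.0.0.11") or "none")
```

The threshold `min_targets` is the knob: with the sample, the external source is reported and the single internal console is not. Lower it to 1 to list every source that touched the AMT ports at all, which is the right mode when reviewing a network that should have no AMT clients.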

As to how long system administrators will have to grapple with the fallout of this vulnerability, Evdokimov said: “Updating firmware to protect against the AMT vulnerability is not an easy process. Users don’t update firmware as a rule. Vulnerable systems will exist a long time after the security patch is released.”
