Researchers Disclose Intel AMT Flaw Research Details


Security firm Embedi releases further details on the Intel AMT flaw, revealing how it can be exploited and how potentially dangerous it can be.

On Friday, just as Intel released additional information regarding a critical flaw found earlier this week in a subset of its business-class PCs, the researchers behind the initial vulnerability discovery, Embedi, also published their research on the flaw.

Intel warned Monday of a firmware vulnerability in certain systems that utilize its Active Management Technology (AMT) that could allow an adversary to elevate privileges on a vulnerable system. The flaw (CVE-2017-5689) could allow an attacker to remotely gain access to business PCs or devices and gain full control over systems.

In its documentation of the flaw released Friday, Embedi said the vulnerability was likely a programmer’s mistake. It dubbed the vulnerability “Silent Bob” because the impacted AMT sub-systems don’t require a password under certain access conditions. “Keep silence when challenged and you’re in,” wrote Embedi researchers.

Embedi said adversaries who can reach PCs with open ports 16992/16993 (the AMT web interface over HTTP and HTTPS, respectively) can easily bypass authentication. “In other words, an attacker may not have credentials and still be able to use the Intel AMT functionality. Access to ports 16992/16993 is the only requirement to perform a successful attack,” wrote Embedi researchers.

Researchers at Tenable said the attack doesn’t require much technical expertise. Using web application security tools such as Burp Suite, Tenable researchers were able to confirm the vulnerability by intercepting and manipulating the HTTP requests sent between them and the AMT web server running on vulnerable systems.

Using specially crafted requests, Tenable was able to access the AMT interface and gain full control over targeted PCs.
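The mechanism behind “keep silence when challenged” is worth seeing in code. The AMT web server authenticates with HTTP Digest: it sends a nonce, the client answers with an MD5 `response`, and the server compares that against its own computation. The root cause of CVE-2017-5689, which the article only alludes to, is that the server compared only as many bytes as the client supplied (the C `strncmp` length came from the attacker’s string), so an empty `response` is a zero-length compare that always succeeds. The following is an added example, not Embedi’s, Tenable’s or Intel’s code: it models that buggy check beside a hardened one and adds a detection helper a defender could run over captured `Authorization` headers. The realm, nonce, user name, password and header values are constructed sample data, and the digest arithmetic is plain RFC 2617 (MD5, qop=auth).

```python
"""Model of the CVE-2017-5689 ("Silent Bob") Digest-auth bypass.

Added example, not code from Embedi, Tenable or Intel. All values below are
constructed; the comparison bug mirrors a C strncmp() whose length argument
is taken from the attacker-supplied response string.
"""
import hashlib
import hmac
import re

# Constructed sample data standing in for an AMT web server on port 16992.
REALM = "Digest:0123456789ABCDEF0123456789ABCDEF"   # made-up realm
NONCE = "d41d8cd98f00b204e9800998ecf8427e"           # made-up server nonce
USERS = {"admin": "CorrectHorse1!"}                  # made-up credential store
METHOD, URI = "GET", "/index.htm"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{METHOD}:{URI}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest key="value", key=value, ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {k: (q or u) for k, q, u in _PARAM.findall(params)}


def _expected(params: dict):
    """Server-side recomputation of the response for the claimed user."""
    password = USERS.get(params.get("username", ""))
    if password is None:
        return None
    return digest_response(params["username"], password, params["nonce"],
                           params["nc"], params["cnonce"], params.get("qop", "auth"))


def vulnerable_check(header: str) -> bool:
    """Buggy server: strncmp(expected, supplied, strlen(supplied)) == 0.
    Only len(supplied) bytes are compared, so an empty response matches."""
    params = parse_authorization(header)
    expected = _expected(params)
    if expected is None:
        return False
    supplied = params.get("response", "")
    return expected[:len(supplied)] == supplied


def fixed_check(header: str) -> bool:
    """Hardened server: require the full digest length, compare in constant time."""
    params = parse_authorization(header)
    expected = _expected(params)
    if expected is None:
        return False
    supplied = params.get("response", "")
    return len(supplied) == len(expected) and hmac.compare_digest(supplied, expected)


def looks_like_silent_bob(header: str) -> bool:
    """Detection: a Digest attempt whose response is not a full 32-hex-char MD5."""
    try:
        params = parse_authorization(header)
    except ValueError:
        return False
    return re.fullmatch(r"[0-9a-fA-F]{32}", params.get("response", "")) is None


def build_header(user, response, nc="00000001", cnonce="0a4f113b"):
    """Client-side Authorization header for the constructed challenge."""
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


# Three constructed client attempts against the same challenge.
LEGIT = build_header("admin", digest_response("admin", "CorrectHorse1!", NONCE, "00000001", "0a4f113b"))
WRONG_PW = build_header("admin", digest_response("admin", "guess", NONCE, "00000001", "0a4f113b"))
SILENT_BOB = build_header("admin", "")   # "keep silence when challenged"

if __name__ == "__main__":
    for name, hdr in [("legit", LEGIT), ("wrong-pw", WRONG_PW), ("silent-bob", SILENT_BOB)]:
        print(f"{name:10s} vulnerable={vulnerable_check(hdr)!s:5} "
              f"fixed={fixed_check(hdr)!s:5} flagged={looks_like_silent_bob(hdr)}")
```

The same prefix bug also accepts a response consisting of just the first hex character of the correct digest, which an attacker can guess in at most 16 tries; the empty string is simply the zero-effort case. The `looks_like_silent_bob` check is what to run over proxy logs or packet captures of traffic to 16992/16993 while systems await firmware updates.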

“AMT provides the ability to remotely control the computer system even if it’s powered off, but connected to the electricity and network,” Embedi wrote.

“The good news is most PCs with AMT running don’t typically expose ports 16992 and 16993 to the internet,” said Anthony Bettini, senior director of software engineering at Tenable.

According to Embedi, the affected Intel firmware versions (6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6) span systems shipped from 2010 onward.

“We really hope by bringing this to light, it will raise awareness about security issues in firmware and avoid possible issues in the future,” warned Embedi.

For its part, Intel said it expected computer makers to begin making updates available the week of May 8. HP Inc., Lenovo and Fujitsu have each announced timelines for fixing the vulnerability. Intel has also released a downloadable discovery tool that will analyze systems for the flaw.

“Until firmware updates are available, systems administrators can take the mitigation steps detailed in the mitigation guide published under our security advisory,” Intel wrote.

Embedi found the vulnerability by reverse engineering the AMT firmware and examining the communication between the AMT web server and the remote client. “The age of smart devices is advancing at a rapid pace, we hope that device and firmware developers understand the importance of security because shattering consumers’ confidence is a perilous endeavor,” it wrote.
