Critical Remote Access Vulnerability: Intel AMT backdoor


Last month (May 2017), Intel warned its customers of a vulnerability in “Intel Active Management Technology” (AMT), part of its chips, that enables an attacker to gain remote access to PCs and devices that have Intel firmware.

Intel described it as a “critical escalation of privilege vulnerability” while independent security researchers said the “simplicity and severity” put it more in the “category of a backdoor.”

In a web article in SC Magazine UK, author Barth mentions that the vulnerability has been in the firmware for almost a decade, though Intel only made its presence public last month.[1]

How can attackers exploit this remote-access vulnerability?

  • an unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs
  • an unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs

SSH researcher Ylonen said the vulnerability “could be exploited with just five lines of Python code in a one-line shell command”[1] and went on to state that “if your Active Directory server’s AMT port can be accessed, this is like giving every internal user Domain Administrator rights to your domains.”[1]

What is the fix?

Ylonen’s advice is to disable AMT immediately, beginning with the most critical servers in the organization. He also advises data centers to block ports 16992, 16993, 16994, 16995, 623 and 664 in internal firewalls now if they can.[1]
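As an added example (not from the cited article or from Intel), the following Python script scans firewall log lines for traffic to the ports listed above. This helps confirm the block is in place and shows which hosts are being contacted on AMT ports. The log lines are constructed samples in an abbreviated Linux netfilter LOG layout, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Ports named in the blocking advice above.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Constructed sample lines (abbreviated netfilter LOG layout, not real traffic).
SAMPLE_LOG = """\
May  9 10:01:12 fw1 kernel: FWD IN=eth1 OUT=eth2 SRC=10.1.4.23 DST=10.1.0.10 LEN=60 PROTO=TCP SPT=51544 DPT=16992 SYN
May  9 10:01:13 fw1 kernel: FWD IN=eth1 OUT=eth2 SRC=10.1.4.23 DST=10.1.0.10 LEN=60 PROTO=TCP SPT=51546 DPT=443 SYN
May  9 10:02:40 fw1 kernel: FWD IN=eth1 OUT=eth2 SRC=10.1.7.9 DST=10.1.0.10 LEN=60 PROTO=TCP SPT=40112 DPT=16993 SYN
May  9 10:03:02 fw1 kernel: FWD IN=eth1 OUT=eth2 SRC=10.1.4.23 DST=10.1.0.31 LEN=60 PROTO=UDP SPT=33001 DPT=623
May  9 10:03:05 fw1 kernel: FWD IN=eth1 OUT=eth2 SRC=10.1.4.23 DST=10.1.0.31 LEN=84 PROTO=ICMP TYPE=8 CODE=0
this line is truncated SRC=10.1.4.23 DST=
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def amt_flows(log_text, ports=AMT_PORTS):
    """Return {dst_ip: {(src_ip, proto, dport), ...}} for flows to AMT ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Skip lines without a full address/port tuple (ICMP, truncated lines).
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue
        if not f["DPT"].isdigit():
            continue
        dport = int(f["DPT"])
        # Match on port number only, whatever the transport protocol.
        if dport in ports:
            hits[f["DST"]].add((f["SRC"], f["PROTO"], dport))
    return dict(hits)

def report(hits):
    """One summary line per destination, most distinct flows first."""
    rows = []
    for dst, flows in sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        ports = sorted({p for _, _, p in flows})
        srcs = sorted({s for s, _, _ in flows})
        rows.append(f"{dst} ports={ports} sources={srcs}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(amt_flows(SAMPLE_LOG))))
```

Destinations that still appear after the firewall change are the ones to check first when disabling AMT.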

Intel has now rolled out a fix and recommends that affected customers check with their system OEM for updated firmware.[2]

CVE Database Entry

The “Common Vulnerabilities and Exposures” database gives it a score of 10.0 (the highest) on its CVSS (Common Vulnerability Scoring System).[3]

It also gives the following details-

Footnotes-

[1] Barth, B. (2017, May 08). Remote access bug in Intel AMT worse than we thought, says researcher. Retrieved from https://www.scmagazineuk.com/remote-access-bug-in-intel-amt-worse-than-we-thought-says-researcher/article/655543/

[2] Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege. (2017, May). Retrieved from https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

[3] Vulnerability Details : CVE-2017-5689. (n.d.). Retrieved from https://www.cvedetails.com/cve/CVE-2017-5689/