Intel AMT / ISM / SBT Firmware Vulnerability – CVE-2017-5689

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability are affected by a vulnerability that allows an unprivileged attacker to gain control of the management features of these products. The issue was made public today via INTEL-SA-00075.

For those with AMT enabled on their systems, it can affect supported processors going back to 2008, when AMT 6 debuted; the vulnerability thus covers CPUs from Nehalem to Kaby Lake.

More details are available in Intel’s security statement, and Intel has begun offering updated firmware to system providers to address the issue. Intel has also published a mitigation guide.

Remote management features that have shipped with Intel processors for almost a decade contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks. That’s according to an advisory published Monday afternoon by Intel.

Intel has released a patch for the vulnerability, which resides in the chipmaker’s Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Business customers who buy computers running vPro processors use those services to remotely administer large fleets of computers. The bug doesn’t affect chips running on consumer PCs. The chipmaker has rated the vulnerability critical and is recommending vulnerable customers install a firmware patch.

In the company’s Monday post, Intel officials wrote:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    • CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    • CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s Active Management Technology, Small Business Technology, and Standard Manageability platforms. Versions before 6 or after 11.6 are not impacted.

Security experts spent much of Monday assessing the real-world threat posed by the bug. A post published earlier in the day claimed “every Intel platform from Nehalem to Kaby Lake [had] a remotely exploitable security hole” that had gone unfixed for years. Researchers who parsed Intel’s advisory, however, said the flaw could likely be exploited over the Internet only when Intel’s AMT service was enabled and provisioned inside a network.

Other researchers said the bar for unprivileged network attackers to succeed was probably even higher because Windows-based software known as Local Manageability Service would have to be running.

“It sounds like it’s only remotely exploitable if the LMS service is running on the affected system (even if AMT is enabled, LMS is the network vector),” HD Moore, who is vice president of research and development at Atredis Partners, told Ars. “Only servers running that service (vs. desktop PCs) with the port reachable are exposed to remote code execution.”

Moore said a query using the Shodan computer search engine detected fewer than 7,000 servers showing they had ports 16992 or 16993 open. Having those ports open is a requirement for the remote attack. That number of servers still represents a potentially substantial threat because tens of thousands of computers could be connected to some of those hosts. Enterprises that have LMS and AMT enabled in their networks should make installing the patch a priority. Those organizations that can’t immediately install updates should follow these workaround instructions.

As indicated in Intel’s advisory, a second, less-serious threat is a local privilege escalation once an attacker already has low-privilege access. While not as severe as the first scenario, this threat could still make it much easier for an attacker to take control of targeted computers inside a network. Vulnerable organizations should patch as soon as practical. Developer Matthew Garrett has more information about the vulnerability here.

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
Intel ID: INTEL-SA-00075
Product family: Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: May 01, 2017
Last revised: May 01, 2017
Summary:
There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.
Description:
There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    • CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    • CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products:
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.
Recommendations:
Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693.  If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column, no further action is required to secure your system from this vulnerability.

Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four-digit build number that starts with a “3” (X.X.XX.3XXX). Ex: 8.1.71.3608.

Step 4: If a firmware update is not available from your OEM, mitigations are provided in this document: https://downloadcenter.intel.com/download/26754

For assistance in implementing the mitigation steps provided in this document, please contact Intel Customer Support; from the Technologies section, select Intel® Active Management Technology (Intel® AMT).

| Intel manageability firmware | Associated CPU Generation | Resolved Firmware (X.X.XX.3XXX) |
|---|---|---|
| 6.0.xx.xxxx | 1st Gen Core | 6.2.61.3535 |
| 6.1.xx.xxxx | | 6.2.61.3535 |
| 6.2.xx.xxxx | | 6.2.61.3535 |
| 7.0.xx.xxxx | 2nd Gen Core | 7.1.91.3272 |
| 7.1.xx.xxxx | | 7.1.91.3272 |
| 8.0.xx.xxxx | 3rd Gen Core | 8.1.71.3608 |
| 8.1.xx.xxxx | | 8.1.71.3608 |
| 9.0.xx.xxxx | 4th Gen Core | 9.1.41.3024 |
| 9.1.xx.xxxx | | 9.1.41.3024 |
| 9.5.xx.xxxx | | 9.5.61.3012 |
| 10.0.xx.xxxx | 5th Gen Core | 10.0.55.3000 |
| 11.0.xx.xxxx | 6th Gen Core | 11.0.25.3001 |
| 11.5.xx.xxxx | 7th Gen Core | 11.6.27.3264 |
| 11.6.xx.xxxx | | 11.6.27.3264 |

Acknowledgements:
Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.
Revision history:
| Revision | Date | Description |
|---|---|---|
| 1.0 | 01-May-2017 | Initial Release |
| 1.1 | 01-May-2017 | Detection update |
CVE Name:
CVE-2017-5689
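
Step 3's build-number rule and the resolved-firmware table can be applied mechanically to a fleet inventory. The following is an added example, not Intel's detection tool or code from the advisory; the function names, host names and sample version strings are constructed, and it assumes firmware versions have already been collected as four-part strings.

```python
import re

# Resolved firmware per (major, minor) branch, transcribed from the advisory's table.
RESOLVED = {
    (6, 0): "6.2.61.3535", (6, 1): "6.2.61.3535", (6, 2): "6.2.61.3535",
    (7, 0): "7.1.91.3272", (7, 1): "7.1.91.3272",
    (8, 0): "8.1.71.3608", (8, 1): "8.1.71.3608",
    (9, 0): "9.1.41.3024", (9, 1): "9.1.41.3024", (9, 5): "9.5.61.3012",
    (10, 0): "10.0.55.3000", (11, 0): "11.0.25.3001",
    (11, 5): "11.6.27.3264", (11, 6): "11.6.27.3264",
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def triage(version):
    """Classify a manageability firmware version per INTEL-SA-00075.

    Returns (status, resolved_target); target is set only for "vulnerable"
    branches that appear in the advisory's table.
    """
    m = _VERSION.match(version.strip())
    if not m:
        return ("unparseable", None)
    major, minor, build = int(m.group(1)), int(m.group(2)), m.group(4)
    # "Versions before 6 or after 11.6 are not impacted."
    if major < 6 or (major, minor) > (11, 6):
        return ("not-impacted", None)
    # Within 11.x the advisory names only 11.0, 11.5 and 11.6.
    if major == 11 and minor not in (0, 5, 6):
        return ("unknown", None)
    # Step 3: resolved firmware has a four-digit build number starting with "3".
    if len(build) == 4 and build.startswith("3"):
        return ("resolved", None)
    return ("vulnerable", RESOLVED.get((major, minor)))

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ws-001": "8.1.71.3608",
    "ws-002": "9.1.20.1035",
    "ws-003": "11.6.10.1196",
    "ws-004": "12.0.0.1000",
}

def needs_update(inventory):
    """Return (host, version, target) for every host triaged as vulnerable."""
    return [(h, v, triage(v)[1]) for h, v in inventory.items()
            if triage(v)[0] == "vulnerable"]

if __name__ == "__main__":
    for host, version, target in needs_update(SAMPLE):
        print(f"{host}: {version} -> update to {target or 'OEM-provided fix'}")
```

Hosts reported as "unknown" or "unparseable" still need the manual check from Step 2.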

