Intel Identifies Critical Firmware Bug That's Lurked Nearly 10 Years
A researcher with an Internet of Things security startup recently identified a critical vulnerability in Intel firmware that could allow an attacker to access enterprise systems using Intel's Active Management Technology, Small Business Technology or Standard Manageability.
Intel published details about the vulnerability on its Security Center yesterday. The company is warning users to check with their equipment manufacturers for updated firmware or, if that's unavailable, to take steps to secure their systems.
Identified by Maksim Malyutin, a researcher with the Berkeley-based startup Embedi, the vulnerability has existed in systems released by Intel since 2010-2011. Intel noted in its security advisory that the bug does not affect any of its consumer PCs.
Firmware Patching Poses Challenges
The escalation-of-privilege vulnerability, CVE-2017-5689, could allow a hacker to remotely access machines running Intel's Active Management Technology (AMT) or Intel Standard Manageability (ISM). It could also enable an unauthorized user to change management features on systems running AMT, ISM or Intel's Small Business Technology.
"The vulnerability is a serious threat and the prevention measures from exploitation is a timely process for users -- timely, but necessary," Embedi said in a blog post today. "It is also important to note the difficulties with firmware patching, which is needed to mitigate this vulnerability. Firmware patching takes an extremely long time to test before it is deployed to all of their users."
While initial reports suggested the vulnerability has existed since 2008, Embedi said the bug affects only Intel firmware that's come out since 2010 at the earliest.
In a tweet today, Embedi CTO Dmitriy Evdokimov posted a graph from the IoT device search engine Shodan showing that top organizations potentially affected by the AMT vulnerability include several universities, as well as telcos such as Verizon Wireless and Deutsche Telekom.
Working To Update 'ASAP'
Intel's Security Center advisory links to both a PDF guide for detecting which systems might have the vulnerability and a downloadable mitigation guide. According to the mitigation guide, "Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability."
Intel spokesperson William Moss told Kaspersky Lab's Threatpost, "We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible."
In his personal blog yesterday, Matthew Garrett, a security developer at Google, noted the vulnerability doesn't affect all Intel systems that have come out over the past few years. "Most Intel systems don't ship with AMT," Garrett said. "Most Intel systems with AMT don't have it turned on." However, users with systems that have turned on AMT should be aware of the vulnerability and take action to address it, he added.
"If a vendor is no longer providing updates then it should at least be possible for a sufficiently desperate user to pay someone else to do a firmware build with the appropriate fixes," Garrett said. "Leaving firmware updates at the whims of hardware manufacturers who will only support systems for a fraction of their useful lifespan is inevitably going to end badly."