Remote management features that have shipped with Intel processors for almost a decade contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks. That’s according to an advisory published Monday afternoon by Intel.
Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.”
That means it is possible for hackers to log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT’s features. This is potentially possible across the network because AMT has direct access to the computer’s network hardware.
The remote management features allow system administrators to remotely manage computers over an enterprise network. Such features are implemented only in enterprise solutions, and the flaw doesn’t affect chips running on Intel-based consumer PCs.
The flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s Active Management Technology, Small Business Technology, and Standard Manageability platforms. Versions before 6 or after 11.6 are not impacted.
Intel has released a patch for the vulnerability, which resides in the chipmaker’s Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Business customers who buy computers running vPro processors use those services to remotely administer large fleets of computers. The vulnerable AMT service is part of Intel’s vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the computer’s AMT controls and hijack them. If AMT isn’t provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If you don’t have vPro or AMT present at all, you are in the clear.
According to the Intel advisory, the vulnerability could be exploited in two ways:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
How bad is this?
Potential hackers can log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT’s features. This is potentially possible across the network because AMT has direct access to the computer’s network hardware. When AMT is enabled, any packet sent to the PC’s wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.
Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk. Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.
How do I know if I have it enabled?
Yeah, this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:
- A supported CPU
- A supported chipset
- Supported network hardware
- The ME firmware to contain the AMT firmware
Merely having a “vPRO” CPU and chipset isn’t sufficient – your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn’t show a communication controller with “MEI” or “HECI” in the description, AMT isn’t running and you’re safe. If it does show an MEI controller, that still doesn’t mean you’re vulnerable – AMT may still not be provisioned. If you reboot, you should see a brief firmware splash mentioning the ME. Hitting Ctrl+P at this point should get you into a menu that lets you disable AMT.
How to Patch
The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.
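The Linux lspci check and the affected version range described above can be combined into a small triage script. This is an added example, not code from Intel or from the original article: the function names, the sample lspci text and the version string are constructed, and how the firmware version is read from a machine is left out. It compares only the major and minor version numbers, so a match marks a machine to check for provisioning and to patch, not one proven vulnerable.

```sh
#!/bin/sh
# Added example: triage helpers for the lspci check and the affected
# firmware range given in the article. All sample data is constructed.

# Succeeds if lspci-style text on stdin lists a communication controller
# whose description contains MEI or HECI as a separate word.
has_mei_controller() {
    grep -Eiq 'communication controller:.*[^[:alnum:]](MEI|HECI)([^[:alnum:]]|$)'
}

# Returns 0 if a version string (major[.minor[.hotfix.build]]) is in the
# range the article lists as affected (6.x through 11.6), 1 if it is
# outside that range, 2 if it cannot be parsed. Only major.minor is compared.
amt_fw_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # no minor given: treat as .0
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -ge 6 ] || return 1
    [ "$major" -le 10 ] && return 0
    [ "$major" -eq 11 ] && [ "$minor" -le 6 ]
}

# Combines both checks. $1 = lspci text, $2 = ME firmware version string
# (how the version is read from the machine is outside this example).
triage() {
    printf '%s\n' "$1" | has_mei_controller || { echo no-mei-controller; return 0; }
    rc=0
    amt_fw_in_affected_range "$2" || rc=$?
    case $rc in
        0) echo in-affected-range ;;
        1) echo outside-affected-range ;;
        *) echo version-unreadable ;;
    esac
}

# Constructed sample of lspci output, not captured from a real machine.
SAMPLE_LSPCI='00:02.0 VGA compatible controller: Intel Corporation HD Graphics 530 (rev 06)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-LM (rev 31)'

triage "$SAMPLE_LSPCI" 11.0.18.1002    # constructed version string
```

On a real host, pass the output of lspci as the first argument in place of the constructed sample.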
Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect if any workstation runs AMT, ISM, or SBT, a detection guide to check if your system is vulnerable, and a mitigation guide for those organizations that cannot immediately install updates.
The chipmaker is recommending vulnerable customers install a firmware patch as soon as possible.