Updated: Because the vulnerability reported below is highly critical and sysadmins would need a few weeks to protect their enterprise networks, the research team has not yet disclosed its technical details.
Meanwhile, I have talked with Maksim Malyutin, a member of the Embedi research team who discovered the vulnerability in March, and updated my article based on the information provided by him.
A critical vulnerability has been discovered in the remote management features on computers shipped with Intel processors for the past seven years (and not a decade), which could allow attackers to take control of the computers remotely. It affects all Intel systems, including PCs, laptops, and servers, with the AMT feature enabled.
As reported earlier, this critical flaw (CVE-2017-5689) is not a remote code execution bug; rather, Malyutin confirmed to The Hacker News that it’s a logical vulnerability that also gives remote attackers an opportunity to exploit this bug using additional tactics.
This elevation of privilege bug resides in the Intel Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.
These remote management features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise.
Since these functions are present only in enterprise solutions, and mostly in server chipsets, Intel claims that the vulnerability doesn’t affect chips running on Intel-based consumer PCs.
But Malyutin told us that “Intel-based consumer PCs with official support of Intel vPro (and have Intel AMT feature enabled) could also be at risk,” and “there is also a chance of attacks performed on Intel systems without official Intel AMT support.”
According to the Intel advisory, the vulnerability could be exploited in two ways:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.
The PC’s operating system never knows what’s going on because AMT has direct access to the computer’s network hardware. When AMT is enabled, any packet sent to the PC’s wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.
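Because the OS never sees AMT traffic, connections to ports 16992 and 16993 have to be looked for on the network rather than on the host. The following is an added example, not part of the original article: it filters flow records from a network sensor for traffic to those ports that does not come from a management subnet. The CSV layout, the subnet `10.0.50.0/24` and all sample records are constructed assumptions.

```python
import csv
import io
import ipaddress

# Ports the article names for Intel AMT/ISM remote management.
AMT_PORTS = {16992, 16993}

# Assumption: only management consoles in this subnet may reach AMT
# (constructed value, replace with your own).
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]

# Constructed flow records in a hypothetical CSV export from a network sensor.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,action
2017-05-02T09:14:03Z,10.0.50.12,10.0.8.21,16992,tcp,allow
2017-05-02T09:15:40Z,10.0.9.77,10.0.8.21,16992,tcp,allow
2017-05-02T09:15:41Z,10.0.9.77,10.0.8.22,16993,tcp,allow
2017-05-02T09:16:02Z,10.0.9.77,10.0.8.23,443,tcp,allow
2017-05-02T09:17:55Z,192.0.2.44,10.0.8.21,16993,tcp,deny
2017-05-02T09:18:10Z,not-an-ip,10.0.8.21,16992,tcp,allow
"""

def is_mgmt_source(addr):
    return any(addr in net for net in MGMT_NETS)

def find_amt_flows(flow_csv):
    """Return flows to AMT ports whose source is outside MGMT_NETS."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dport = int(row["dport"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the run
        if row.get("proto") != "tcp" or dport not in AMT_PORTS:
            continue
        if is_mgmt_source(src):
            continue
        findings.append((row["ts"], str(src), row["dst"], dport, row["action"]))
    return findings

def exposed_hosts(findings):
    """Hosts where such a connection was actually allowed through."""
    return sorted({dst for _, _, dst, _, action in findings if action == "allow"})

if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_FLOWS)
    for hit in hits:
        print(*hit)
    print("review:", exposed_hosts(hits))
```

Hosts returned by `exposed_hosts` accepted a connection on an AMT port from outside the management subnet and are the first candidates for checking whether AMT is provisioned.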
Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.