
Intel patches remote hijacking vulnerability that lurked in chips for 7 years | Ars Technica 24-02-18 11(24


Intel patches remote hijacking vulnerability that lurked in chips for 7 years

Flaw in remote management feature gives attackers a way to breach networks.
DAN GOODIN - 5/2/2017, 1:55 AM
https://arstechnica.com/information-technology/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/

Remote management features that have shipped with Intel processors since 2010 contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks, according to advisories published by Intel and the researcher credited with discovering the critical flaw.

Intel has released a patch for the vulnerability, which resides in the chipmaker's Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Business customers who buy computers running vPro processors use those services to remotely administer large fleets of computers. The bug doesn't affect chips running on consumer PCs. The chipmaker has rated the vulnerability critical and is recommending vulnerable customers install a firmware patch.

In the company's Monday post, Intel officials wrote:

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

There are two ways this vulnerability may be accessed please note that Intel® Small Business Technology is not vulnerable to the first issue.

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's Active Management Technology, Small Business Technology, and Standard Manageability platforms. Versions before 6 or after 11.6 are not impacted.

Security experts spent much of Monday assessing the real-world threat posed by the bug. A post published earlier in the day claimed "every Intel platform from Nehalem to Kaby Lake [had] a remotely exploitable security hole" that had gone unfixed for years. Researchers who parsed Intel's advisory, however, said the flaw could likely be exploited over the Internet only when Intel's AMT service was enabled and provisioned inside a network.

Other researchers said the bar for unprivileged network attackers to succeed was probably lower because Windows-based software known as Local Manageability Service exposes the vulnerable AMT service through the operating system's IP address as well.

"This issue is remotely exploitable through the host operating system's IP address if the LMS service is running," HD Moore, who is vice president of research and development at Atredis Partners, told Ars. "Servers with TCP ports 16992 or 16993 exposed and AMT activated would be exploitable through either the AMT's independent IP address, or in the case of LMS being enabled, the host operating systems' IP address. An attacker with access to the ports and knowledge of the vulnerability could obtain the equivalent of authenticated access to the AMT web interface, which in turn can lead to arbitrary code execution on the operating system."

Moore said a query using the Shodan computer search engine detected fewer than 7,000 servers showing they had ports 16992 or 16993 open. Having those ports open is a requirement for the remote attack. That number of servers still represents a potentially substantial threat because tens of thousands of computers could be connected to some of those hosts. Enterprises that have LMS and AMT enabled in their networks should make installing the patch a priority. Those organizations that can't immediately install updates should follow these workaround instructions.
Unprivileged network access attacks can also be carried out when TCP port 623 is open on a machine. At the moment, Shodan wasn't showing any data for that port. The above-linked blog post from Embedi, the security firm credited with discovering the vulnerability, said: "There is also a chance of attacks performed on Intel systems without Intel AMT support."
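To check a Windows host for the exposure Moore describes, a defender can look for listeners on the ports named above. The following is an added example, not code from the article or from Intel: it parses `netstat -ano` output (the sample is constructed, and the function names are hypothetical) and flags TCP listeners on 16992, 16993 and 623, noting whether each is bound beyond loopback.

```python
import ipaddress

# TCP ports the article names as reachable AMT/LMS endpoints.
AMT_TCP_PORTS = {623, 16992, 16993}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING       2284
  TCP    127.0.0.1:16993        0.0.0.0:0              LISTENING       2284
  TCP    10.20.30.40:49812      10.20.30.5:16992       ESTABLISHED     5120
  TCP    [::]:623               [::]:0                 LISTENING       2284
"""


def split_endpoint(endpoint):
    """Split '0.0.0.0:16992' or '[::]:623' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_amt_listeners(netstat_text):
    """Return one finding per TCP listener on an AMT/LMS port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listening TCP rows have exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(fields[1])
        except ValueError:
            continue  # unparseable address, skip rather than guess
        if port in AMT_TCP_PORTS:
            findings.append({
                "port": port,
                "bind": str(addr),
                "pid": int(fields[4]),
                # A loopback-only bind is not reachable from other hosts.
                "network_reachable": not addr.is_loopback,
            })
    return findings


if __name__ == "__main__":
    for f in find_amt_listeners(SAMPLE_NETSTAT):
        print(f)
```

The PID in each finding can be matched against the process list to confirm whether the listener belongs to LMS before deciding on the patch or workaround.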


The flaws in the Intel Management Engine—the technology that encompasses Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability—make it possible for attackers to log into a vulnerable machine's hardware and surreptitiously exercise the same control enjoyed by administrators, including installing new programs. The access isn't logged by the PC because AMT has direct access to the computer's network hardware. When AMT is enabled, all network packets are redirected to the PC's ME and from there to the AMT. The packets bypass the OS completely. The vulnerable management features were made available in some but not all Intel chipsets starting in 2010, Embedi said.

As indicated in Intel's advisory, a second, less serious threat is a local privilege escalation once an attacker already has low-privilege access. While not as severe as the first scenario, this threat could still make it much easier for an attacker to take control of targeted computers inside a network. Vulnerable organizations should patch as soon as practical. Developer Matthew Garrett has more information about the vulnerability here.

This post was updated on 5/2/2017, 8:15 AM California time to correct details about requirements for exploitation. It was updated several times later the same day to add newly available details.


Promoted Comments

M@yeulC / Smack-Fu Master, in training

And this is EXACTLY why we don't want some obscure coprocessor running at ring -2 or more privileged.

AMD has a similar "feature" in its processors (PSP), and was considering letting users disable it, but I don't know where they are at the moment. You can disable Intel ME by stripping its firmware from the CPU microcode, though.

82 posts | registered 7/21/2015

DAN GOODIN
Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.

EMAIL dan.goodin@arstechnica.com // TWITTER @dangoodin001
