Red alert! Intel patches remote execution hole that's been hidden in chips since 2010

Vuln reported in March, now fix is coming...


Updated For the past seven years, millions of Intel chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.

Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."

That means it is possible for hackers to log into a vulnerable computer's hardware – right under the nose of the operating system – and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT's features. This is potentially possible across the network because AMT has direct access to the computer's network hardware.

These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with 2010's Intel Q57 family, all the way up to this year's Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the operating system, its applications and any antivirus.

The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

The vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the computer's AMT controls and hijack them. If AMT isn't provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If you don't have vPro or AMT present at all, you are in the clear.

Intel reckons the vulnerability affects business and some server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary folks, which typically don't. You can follow this document to check if your system is vulnerable – and you should.

Basically, if you're using a machine with vPro and AMT features enabled, you are at risk. Modern Apple Macs, although they use Intel chips, do not ship with the AMT software, and are thus in the clear.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was discovered and reported in March by Maksim Malyutin at Embedi. To get Intel's patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, and in the meantime, try the mitigations here. These updates, although developed by Intel, must be cryptographically signed and distributed by the manufacturers. It is hoped they will be pushed out to customers within the next few weeks. They should be installed ASAP.

"In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)," an Intel spokesperson told The Register.

"Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible."

Specifically, according to Intel:

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Apparently, Intel's Small Business Technology is not vulnerable to privilege escalation via the network. Whether you're using AMT, ISM or SBT, the fixed firmware versions to look out for are, depending on the processor family affected:

  • First-gen Core family: 6.2.61.3535
  • Second-gen Core family: 7.1.91.3272
  • Third-gen Core family: 8.1.71.3608
  • Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
  • Fifth-gen Core family: 10.0.55.3000
  • Sixth-gen Core family: 11.0.25.3001
  • Seventh-gen Core family: 11.6.27.3264

Judging from Intel's statement, It's now up to computer makers to distribute the digitally signed firmware patches for people and IT admins to install. That means if your hardware supplier is a big name like Dell, one of the HPs, or Lenovo, you'll hopefully get an update shortly. If it's a no-name white box slinger, you're likely screwed: things like security and cryptography and firmware distribution is too much hard work in this low-margin business. You may never get the patches you need, in other words.

What is AMT?

AMT is an out-of-band management tool accessed via network port 16992 to the machine's wired Ethernet interface: it lays bare complete control of a system to the network, allowing IT bods and other sysadmins to reboot, repair and tweak boxes remotely. It can provide a virtual serial console or full-blown remote desktop access via VNC. God help you if this service is exposed to the public internet.

It is supposed to require a password before granting access, but the above bug means an attacker can waltz up to the hardware's control panel, unauthenticated. Even if you've firewalled off your systems' AMT access from the outer world, someone or malware within your network – say on a reception desk PC – can potentially exploit this latest vulnerability to drill deep into AMT-managed workstations and small servers, and further compromise your business.

AMT is software that runs on Intel's Management Engine (ME), a technology that has been embedded in its chipsets in one way or another for over a decade, since around the time the Core 2 landed in 2006. It operates at what's called ring -2, below the operating system kernel, and below any hypervisor on the box. It is basically a second computer within your computer, and it has full access to the network, peripherals, memory, storage and processors. Amusingly, early engines were powered by an ARC CPU core, which has a 16- and 32-bit hybrid architecture, and is a close relative to the Super FX chip used in Super Nintendo games such as Star Fox. Yes, the custom chip doing the 3D math in Star Fox and Stunt Race FX is an ancestor of the ARC microprocessor secretly and silently controlling your Intel x86 tin. These days, the Management Engine uses a SPARC core.

Details of Intel's ME have been trickling out into the open over the past few years: Igor Skochinsky gave a super talk in 2014 about it, for instance. The ARC core runs a ThreadX RTOS from SPI flash. It has direct access to the Ethernet controller. These days it is built into the Platform Controller Hub, an Intel microchip that contains various hardware controllers and is connected to the main processors on the motherboard.

The ME is a black box that Intel doesn't like to talk about too much, although it is partially documented on Chipzilla's website. It freaks out privacy and security conscious people: no one quite knows what the engine is really doing, and if it can be truly disabled, as it runs so close to the bare metal in computers.

On some Intel chip families, you can kill the ME with extreme prejudice by strategically wiping parts of the motherboard flash.

For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel's AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.

Finding a bug like this is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password "hackme", in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.

Is a big deal? "Yes," said Linux kernel guru Matthew Garrett, who posted some more technical information about the vulnerability, here.

"Fixing this requires a system firmware update in order to provide new ME firmware, including an updated copy of the AMT code. Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix.

"Anyone who ever enables AMT on one of these devices will be vulnerable. That's ignoring the fact that firmware updates are rarely flagged as security critical (they don't generally come via Windows update), so even when updates are made available, users probably won't know about them or install them." ®

Updated to add

Embedi, whose security researcher found and reported the flaw, has shed some more light on the bug, such as clarifying the flaw has been present in Intel's chipsets since 2010.

Similar topics

Broader topics


Other stories you might like

  • Linux Foundation thinks it can get you interested in smartNICs
    Step one: Make them easier to program

    The Linux Foundation wants to make data processing units (DPUs) easier to deploy, with the launch of the Open Programmable Infrastructure (OPI) project this week.

    The program has already garnered support from several leading chipmakers, systems builders, and software vendors – Nvidia, Intel, Marvell, F5, Keysight, Dell Tech, and Red Hat to name a few – and promises to build an open ecosystem of common software frameworks that can run on any DPU or smartNIC.

    SmartNICs, DPUs, IPUs – whatever you prefer to call them – have been used in cloud and hyperscale datacenters for years now. The devices typically feature onboard networking in a PCIe card form factor and are designed to offload and accelerate I/O-intensive processes and virtualization functions that would otherwise consume valuable host CPU resources.

    Continue reading
  • AMD to end Threadripper Pro 5000 drought for non-Lenovo PCs
    As the House of Zen kills off consumer-friendly non-Pro TR chips

    A drought of AMD's latest Threadripper workstation processors is finally coming to an end for PC makers who faced shortages earlier this year all while Hong Kong giant Lenovo enjoyed an exclusive supply of the chips.

    AMD announced on Monday it will expand availability of its Ryzen Threadripper Pro 5000 CPUs to "leading" system integrators in July and to DIY builders through retailers later this year. This announcement came nearly two weeks after Dell announced it would release a workstation with Threadripper Pro 5000 in the summer.

    The coming wave of Threadripper Pro 5000 workstations will mark an end to the exclusivity window Lenovo had with the high-performance chips since they launched in April.

    Continue reading
  • Qualcomm wins EU court battle against $1b antitrust fine
    Another setback for competition watchdog as ruling over exclusive chip deal with iPhone nullified

    The European Commission's competition enforcer is being handed another defeat, with the EU General Court nullifying a $1.04 billion (€997 million) antitrust fine against Qualcomm.

    The decision to reverse the fine is directed at the body's competition team, headed by Danish politico Margrethe Vestager, which the General Court said made "a number of procedural irregularities [which] affected Qualcomm's rights of defense and invalidate the Commission's analysis" of Qualcomm's conduct. 

    At issue in the original case was a series of payments Qualcomm made to Apple between 2011 and 2016, which the competition enforcer had claimed were made in order to guarantee the iPhone maker exclusively used Qualcomm chips.

    Continue reading
  • Intel says Sapphire Rapids CPU delay will help AMD catch up
    Our window to have leading server chips again is narrowing, exec admits

    While Intel has bagged Nvidia as a marquee customer for its next-generation Xeon Scalable processor, the x86 giant has admitted that a broader rollout of the server chip has been delayed to later this year.

    Sandra Rivera, Intel's datacenter boss, confirmed the delay of the Xeon processor, code-named Sapphire Rapids, in a Tuesday panel discussion at the BofA Securities 2022 Global Technology Conference. Earlier that day at the same event, Nvidia's CEO disclosed that the GPU giant would use Sapphire Rapids, and not AMD's upcoming Genoa chip, for its flagship DGX H100 system, a reversal from its last-generation machine.

    Intel has been hyping up Sapphire Rapids as a next-generation Xeon CPU that will help the chipmaker become more competitive after falling behind AMD in technology over the past few years. In fact, Intel hopes it will beat AMD's next-generation Epyc chip, Genoa, to the market with industry-first support for new technologies such as DDR5, PCIe Gen 5 and Compute Express Link.

    Continue reading

Biting the hand that feeds IT © 1998–2022