Tuesday, May 2nd 2017
Intel Patches Remote Execution Flaw on Its CPUs - Active Since 2008
A bug in Intel's AMT (Active Management Technology), ISM (Standard Manageability) and SBT (Small Business Technology) firmware versions 6 to 11.6 sits unpatched since 2008 - a bug which allows "an unprivileged attacker to gain control of the manageability features provided by these products." Potentially, this could have led systems to be exploited for remote control and spyware infection (and maybe it did lead to that, and we just don't know about it.) Through this flaw, hackers could log into a vulnerable computer's hardware - outside the security features of the OS and any anti-virus suites - and silently install malware and other thriving pieces of malevolent coding. AMT having direct access to the computer's network hardware ensures this could have been done outside of local tampering. The vulnerable AMT service is part of Intel's vPro suite of processor features, so it's catering more to businesses and server boxes than for the usual consumer-based products - though we all know some hardware enthusiast's usage of this kind of processors in their personal rigs. If you don't have vPro or AMT present at all, you are in the clear. However, some outlets report that Intel systems are vulnerable to direct hardware access even if their AMT, ISM, or SBT implementations aren't provisioned - it's just the network access that doesn't work.
These insecure management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to this year's Kaby Lake Core parts. Luckily, this "feature", which is present in millions of Intel chips and potentially provides a "backdoor-esque" entry point to equal millions of systems, appears to be able to be addressed through a microcode update. However, this update will have to be pushed by your system manufacturer, and you can probably begin to imagine by now how such a process will linger on, and how hard it will be for this to happen to every affected system.
According to Intel, this critical security vulnerability, labeled CVE-2017-5689, was discovered and reported in March by Maksim Malyutin at Embedi. the company has issued some statements regarding this issue:
"In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)," a company representative said, adding that "Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible."
According to Intel, the problem manifests as such:
Sources:
The Register, TechSpot, Communities @ Intel, Intel Detection Guide
These insecure management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to this year's Kaby Lake Core parts. Luckily, this "feature", which is present in millions of Intel chips and potentially provides a "backdoor-esque" entry point to equal millions of systems, appears to be able to be addressed through a microcode update. However, this update will have to be pushed by your system manufacturer, and you can probably begin to imagine by now how such a process will linger on, and how hard it will be for this to happen to every affected system.
"In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)," a company representative said, adding that "Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible."
According to Intel, the problem manifests as such:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
- First-gen Core family: 6.2.61.3535
- Second-gen Core family: 7.1.91.3272
- Third-gen Core family: 8.1.71.3608
- Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 11.0.25.3001
- Seventh-gen Core family: 11.6.27.3264
24 Comments on Intel Patches Remote Execution Flaw on Its CPUs - Active Since 2008
I often use that on my old boards.
EDIT.
More simple. Usual Intel ME update pack...
Do we have any media confirmed cases of this actually occurring? I don't care about "donkeylips68" saying it happened to him, I mean verified cases. Any?
After running the SCS Discovery Util I find my Z170 system is not even affected.
FWVersion: 11.0.0.1191
No worries though, I expect my 6th-gen system to get it at some point soon.
Though with it being 5-years out, I don't expect a fix for my 3rd-gen system. Will be pleasantly surprised if board manufacturers put out fixed versions outside of long-term support contracts with OEMs for early-generation boards.
LMSVersion: 11.0.0.1168
I need update. :(
IsAMTSupported: False
IsAMTEnabledInBIOS: False
But I don't think I'm vulnerable since it's disabled.
If you have to rely on your motherboard maker for a patch you might not get much joy , asus drops support so fully after a few years you'd have no chance bar UbU.
And there's my issue, the title implys intel have actually already fixed it for literally millions of PC's, they haven't its up to you to actually do it.
However, as Raevenlord pointed out, even if your platform supports the features that are vulnerable, there are two things that can be done to remove the risk. Disable Intel AMT/ISM/SBT in your BIOS settings and/or, and this one is the key point, do NOT install the Intel system management utilities. If they're already installed, uninstall them taking care to manually remove/delete any of the pertinent drivers there are left behind which should then be followed by a registry cleaning to remove any extraneous entries.
If the offending code is not present on the system, the vulnerability[whether enabled in the BIOS or not] can not be taken advantage of unless an attacker has physical access to your system. Which gives yet another very good reason to use full-drive encryption such as Truecrypt[yes, it's still safe], Veracrypt or other such OPEN SOURCE encryption utilities. Bitlocker is NOT safe, don't use it! Encrypting your drive will prevent installation of any utility or tool that might otherwise take advantage of this problem, even if they can enable it in the BIOS.
I'm not freaked out by this particular issue one bit on a personal basis, but it is disturbing to see Intel's Q&A falling so far down as of late.
EDIT; I'm not being an Intel fanboy. EVERYONE has had problems like this no matter how big or small. AMD, Samsung, Nintendo, Sony, Sega, Trendnet, Linksys and Cisco to name just a few.
*Waterboy reference
Incidentally Coreboot/Libreboot has warned against using Intel andAMD CPUs (Haha!) because of these controllers.
EDIT: recent Intel/AMD processors that is
The PDF detailing mitigation steps can be found here; downloadcenter.intel.com/download/26754/INTEL-SA-00075-Mitigation-Guide?product=23549