Intel Warns of Active Management Technology Vulnerability

A newly reported privilege escalation flaw could enable an attacker to take administrative control of systems managed with Intel's firmware-based management technology.

vulnerability

Intel issued a critical security advisory on May 1, warning of a privilege escalation vulnerability that impacts the Intel Active Management Technology (AMT), Intel Standard Manageability and Intel Small Business Technology management technologies.

AMT is an Intel technology that enables organizations to manage and maintain systems. Intel warned in its advisory that if left unpatched, an attacker could potentially exploit the vulnerability, identified as CVE-2017-5689, to gain management control. There is a firmware update available to fix the issue, though not every system manufacturer has the update available for users. Intel has also published a four-page guide on how to mitigate the issue.

Intel credited security firm Embedi with disclosing the issue. According to Embedi, the CVE-2017-5689 issue only impacts Intel systems made since 2010 and not 2008, as some media outlets have reported. Embedi CTO Dmitriy Evdokimov told eWEEK that his firm reported the vulnerability via the Intel bug bounty program. Embedi was able to discover the vulnerability though reverse engineering the Intel firmware and performing static analysis, he said.

"A static analysis is just checking the code for vulnerabilities outside of its environment," Evdokimov said. "After we discovered this vulnerability, we then tested it in a dynamic environment to see this was still exploitable—it was."

Evdokimov added that there are a variety of attack vectors that enable hackers to exploit the CVE-2017-5689 vulnerability.  

"One of them is a remote attacker without privileges in the system, which can completely compromise Intel's AMT service," he said.

Security experts contacted by eWEEK were not surprised by the Intel management vulnerability.

"It's not surprising to see yet another piece of technology with a vulnerability; security is hard," Georgia Weidman, founder and CTO of Shevirah, told eWEEK. "No one seems to have made a useful piece of technology that is completely free of bugs."

It's also important to note that the CVE-2017-5689 issue is not actually a remote code execution vulnerability; rather it is a privilege escalation vulnerability.

"This means that with the exploit, a standard user in this system can become an administrative user," Jason Kent, CTO at AsTech, told eWEEK. "However, since these products are used to manage, diagnose and repair PCs under their control, it's possible to use this escalation to run any software on the machines under its control."

Kent recommends that beyond just patching, users should watch for attempted logins from normal user accounts onto the Intel platform.  

"Deactivate or delete old user accounts, perform a forced password reset on all accounts, and enable logging and setup triggers for attempted privilege escalations," Kent said.

Peter Tran, general manager and senior director at RSA, a Dell Technologies business, also said that patching alone isn't good enough.

"Firmware security is one of the most overlooked areas and going beyond the basics, organizations should be driving behavioral analytics between out-of-band (hardware) and in-band (software) security anomalies," Tran told eWEEK. "The bottom line is that the right hand needs to know what the left hand is doing and short of that, security blind spots will always occur."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.