Cybersecurity , Endpoint Security , Technology

Intel's AMT Flaw: Worse Than Feared

NCR Warns ATM Motherboards Also Affected by Hijacking Flaw
Intel's AMT Flaw: Worse Than Feared

The critical Active Management Technology - AMT - flaw present in the firmware running on many Intel chips since 2010 is worse than feared, security researchers warn. In particular, the flaw can be easily exploited to allow a remote attacker to take control of vulnerable systems without even having to enter a password (see Intel Alert: Critical Security Flaw Affects Many Chipsets).

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

AMT is remote-management software installed on many vPro chipsets' firmware. While it's designed to require a username and password before it can be accessed, Maksim Malyutin, a researcher at embedded security firm Embedi, reverse-engineered the AMT code in February and found that the authentication checks can be bypassed using simple tools and only about five or 10 lines of code.

Embedi privately reported the flaw to Intel in March. On May 1, Intel issued an alert, warning that systems running AMT, Intel Standard Manageability or Small Business Tech firmware - versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5 or 11.6 - are at risk.

Source: Shodan

"The exploitation allows an attacker to get full control over a business computers, even if they are turned off - but still plugged into an outlet," according to a May 5 analysis published by Embedi. "Access to ports 16992/16993 are the only requirement to perform a successful attack."

Numerous OEMs - including Dell, HP, Fujitsu and Lenovo - report that they have shipped devices with the modern Intel Xeon processors that are vulnerable to the flaw, designated CVE-2017-5689. Automated teller machine giant NCR also says that its ATM motherboards are at risk if users have enabled AMT.

A query on internet of things search engine Shodan counts 8,500 affected devices, of which nearly 3,000 are in the United States. While those are internet-connected devices, many other vulnerable systems may be accessible via local area networks by either local users or remote attackers who gain access to a LAN.

No reports have surfaced yet that the AMT flaw has been exploited in the wild. But AMT access to a system - or any subsequent changes to that system - isn't logged by default, meaning that unless extra defenses and monitoring are in place, it would be difficult if not impossible to spot related attack attempts.

To help organizations identify vulnerable systems, Intel on May 4 released a scanning tool for the flaw. A third-party tool, available via GitHub, can also be used to disable AMT on Windows.

Intel says that consumer systems and some business systems are not affected. "This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel Server Platform Services (Intel SPS), or Intel Xeon Processor E3 and Intel Xeon Processor E5 workstations utilizing Intel SPS firmware," its security alert notes.

'Silent Bob'

Embedi has dubbed the flaw "Silent Bob is Silent" because the impacted AMT sub-systems don't require a password under certain access conditions. "Keep silence when challenged and you're in," Embedi researchers write in a May 5 teardown of the security flaw, published in coordination with Intel.

Attackers who successfully exploit the flaw can access systems as if they were administrators on the local network, the researchers warn.

Separately, researchers at security firm Tenable Network Security on May 5 also reported that they had independently identified the flaw - using Intel's barebones May 1 security alert - and verified how easy it was to exploit.

In a blog post, Tenable Reverse-Engineering Director Carlos Perez detailed how simple HTTP packet-manipulation tools could be used to feed the username "admin" and any password - or even no password at all - to an endpoint running AMT and gain remote control.

Embedi reached the same conclusion, noting that by using a proxy - or some other tool for editing the information sent by a browser to an AMT client installed on an endpoint - it could gain full access to the system. "With a little help of the local proxy at 127.0.0.1:16992, which is meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we've known the *admin* password," Embedi's report states.

What's the risk? Embedi says the AMT flaw could be exploited in multiple ways, including:

  • Power up: Power the system on or off, reset the system or edit its BIOS.
  • Code execution: Remotely control the mouse, keyboard or monitor, which would give attackers the ability to remotely load or execute any program on the targeted system.
  • Boot to remote image: Remotely change the boot device, for example, to a virtual image that is remotely located and created by the attacker.

ATMs Vulnerable to AMT

Many ATMs may also be vulnerable to the AMT flaw.

"This vulnerability exists in first generation and later Intel Core processor family and Q-Series chip sets [firmware]," NCR warns in an emailed May 5 security alert. "NCR has used this technology in ATMs that were manufactured later than 2011. The PC cores in NCR ATMs shipped prior to 2011 do not have this vulnerability."

NCR's security alert says many of its motherboards include AMT 6.x, 7.x, 8.x, 9.x, 10.x or 11.x firmware, but that they're not necessarily currently at risk. "By default, NCR BIOS are set to 'disable' AMT. In addition, the version of Windows OEM that NCR configures and installs in ATMs does not include ... all necessary software needed to enable AMT."

But any ATM operators who are using AMT, or who did install a version of Windows with the full set of AMT tools on their ATM systems, are at risk, NCR says. In such cases, NCR recommends ATM operators install a forthcoming BIOS fix - in the form of a firmware update - that it plans to issue, and in the interim disable or delete AMT from all affected devices.

Deleting AMT functionality requires deleting the Intel Local Manageability Service - LMS.exe - from a system, which is required for AMT to run. "Removing LMS.exe from the ATM will prevent attackers being able to exploit this vulnerability," NCR's alert reads. "The LMS.exe binary is not part of NCR's Windows 7 OEM. However, it may be included in other Windows versions."

NCR recommends that all ATM operators assume that they are running AMT on systems - and proceed accordingly with their security response - until they prove otherwise.

Vendors Prep New Firmware

Expect a bevy of firmware updates in coming weeks from affected OEMs, including NCR. "We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software," Intel says in a May 5 security update.

Intel is maintaining its own list of affected vendors, which so far includes:

As of May 8, only Fujitsu and HP had fully tested and begun releasing updated firmware to patch the flaw. Lenovo says it plans to start related starting May 9, and Dell starting May 17, with some updates not arriving until June.

Once the firmware appears, IT departments face months of headaches in getting it tested, installed and rolled out on affected systems. "Firmware patching takes an extremely long time to test before it is deployed to all of their users," Embedi's researchers warn.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network