Do you own an PC running with Intel Server Chipset? Recently Intel patches remote execution exploit which was hidden for past 9 years.
The RCE flaw (CVE-2017-5689) resides in the Intel’s Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.
These features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise. For the past nine years, millions of Intel workstation and server chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.
Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.”
A critical remote code execution (RCE) vulnerability has been discovered in the remote management features on computers shipped with Intel processors for nearly a decade, which could allow attackers to take control of the computers remotely.
How Bad is this Vulnerability
In short, a potential attacker can log into a vulnerable machine’s hardware and silently perform malicious activities, like tampering with the machine, installing virtually undetectable malware, using AMT’s features.
The PC’s operating system never knows what’s going around because AMT has direct access to the computer’s network hardware. When AMT is enabled, any packet sent to the PC’s wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.
Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk.
Apparently, Intel’s Small Business Technology is not vulnerable to privilege escalation via the network. Whether you’re using AMT, ISM or SBT, the fixed firmware versions to look out for are, depending on the processor family affected:
- First-gen Core family: 22.214.171.12435
- Second-gen Core family: 126.96.36.19972
- Third-gen Core family: 188.8.131.5208
- Fourth-gen Core family: 184.108.40.20624 and 220.127.116.1112
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 18.104.22.16801
- Seventh-gen Core family: 22.214.171.12464
“Anyone who ever enables AMT on one of these devices will be vulnerable. That’s ignoring the fact that firmware updates are rarely flagged as security critical (they don’t generally come via Windows update), so even when updates are made available, users probably won’t know about them or install them.”