Intel patches remote execution that dates back to 2008
Intel has patched a remote execution bug that dates back to 2008. Millions of Intel workstation and server chips have harbored a security flaw that can potentially be exploited to remotely control and infect systems with spyware.
The news reaches us today through The Register, who covered it in depth. The bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Intel, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."
That means it is possible for hackers to log into a vulnerable computer's hardware – right under the nose of the operating system – and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT's features. This is potentially possible across the network because AMT has direct access to the computer's network hardware.
These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to this year's Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the operating system, its applications and any antivirus.
The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.
The vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the computer's AMT controls and hijack them. If AMT isn't provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If you don't have vPro or AMT present at all, you are in the clear.
Intel reckons the vulnerability affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary folks, which typically don't. You can follow this document to check if your system is vulnerable – and you should.
Basically, if you're using a machine with vPro and AMT features enabled, you are at risk. Modern Apple Macs, although they use Intel chips, do not ship with the AMT software, and are thus in the clear.
According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was discovered and reported in March by Maksim Malyutin at Embedi. To get Intel's patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, and in the meantime, try the mitigations here. These updates, although developed by Intel, must be cryptographically signed and distributed by the manufacturers. It is hoped they will be pushed out to customers within the next few weeks. They should be installed ASAP.
"In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)," an Intel spokesperson said.
"Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible."
Specifically, according to Intel:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
Apparently, Intel's Small Business Technology is not vulnerable to privilege escalation via the network. Whether you're using AMT, ISM or SBT, the fixed firmware versions to look out for are, depending on the processor family affected:
- First-gen Core family: 6.2.61.3535
- Second-gen Core family: 7.1.91.3272
- Third-gen Core family: 8.1.71.3608
- Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 11.0.25.3001
- Seventh-gen Core family: 11.6.27.3264
"The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole," explained semiconductor industry journo Charlie Demerjian earlier today.
First of all, does your system even support AMT? AMT requires a few things:
1) A supported CPU
2) A supported chipset
3) Supported network hardware
4) The ME firmware to contain the AMT firmware
Merely having a "vPro" CPU and chipset isn't sufficient - your system vendor also needs to have licensed the AMT code. Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting Ctrl+P at this point should get you into a menu which should let you disable AMT.
Fixing this requires a system firmware update in order to provide new ME firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix.
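The two checks described above (is an MEI/HECI controller visible to lspci, and is the reported ME firmware at or above the fixed build for its branch) as an added, self-contained script; this is example code written for this page, not a tool from Intel or any vendor. It assumes you already have the firmware version string from your vendor's tool or the MEBx menu, uses the fixed builds listed in the article, and reports branches the article does not list (for example 9.0.x) as unknown rather than guessing; the lspci excerpt is constructed.

```python
import re
import subprocess

# Fixed ME/AMT firmware builds per branch, as listed in the article: (major, minor) -> fixed version.
FIXED_VERSIONS = {
    (6, 2): "6.2.61.3535", (7, 1): "7.1.91.3272", (8, 1): "8.1.71.3608",
    (9, 1): "9.1.41.3024", (9, 5): "9.5.61.3012", (10, 0): "10.0.55.3000",
    (11, 0): "11.0.25.3001", (11, 6): "11.6.27.3264",
}

def parse_version(text):
    """Turn a dotted build string such as '11.0.18.3003' into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected four dotted numeric fields, got %r" % text)
    return tuple(int(p) for p in parts)

def firmware_status(reported):
    """Classify a reported firmware version: 'fixed' or 'vulnerable' against the
    published build for its branch, 'outside' if not in the 6 to 11.6 affected
    range, 'unknown' if the branch (e.g. 9.0.x) is not in the published list."""
    v = parse_version(reported)
    if v[0] < 6 or v[:2] > (11, 6):
        return "outside"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"

# lspci shows the Management Engine Interface as a communication controller named MEI or HECI.
MEI_RE = re.compile(r"Communication controller:.*\b(MEI|HECI)\b")

def mei_present(lspci_output):
    """True if any lspci line lists an MEI/HECI communication controller."""
    return any(MEI_RE.search(line) for line in lspci_output.splitlines())

# Constructed lspci excerpt (not captured from a real machine) for a system exposing the MEI.
SAMPLE_LSPCI = """00:00.0 Host bridge: Intel Corporation 4th Gen Core Processor DRAM Controller (rev 06)
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)"""

if __name__ == "__main__":
    try:  # use the real lspci when available, else the constructed sample
        out = subprocess.run(["lspci"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSPCI
    print("MEI/HECI controller present:", mei_present(out))
    for ver in ("11.0.18.3003", "11.0.25.3001", "9.5.60.1952", "5.2.0.1000"):
        print(ver, "->", firmware_status(ver))
```

A present MEI controller only means the interface exists; whether AMT is provisioned still has to be checked in the MEBx menu or with the vendor's tool, as the text says.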
Senior Member
Posts: 3408
Joined: 2013-03-10
Only now, after all these generations, NSA and CIA finally allowed Intel to make it public and possibly offer solutions.
Senior Member
Posts: 7441
Joined: 2012-11-10
Agreed - just look at the phrasing of the article. It repeatedly explains how and why these are security risks but I didn't see anywhere they mentioned what these features were intended for (in a secure manner), nor are they apologetic for the security risks. At least they provided patches.
It's interesting to me how deliberate some of it was. For example the statement "If AMT isn't provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers." but honestly, how many system admins know what AMT is and/or know they can do something about it? So basically what they're saying is "despite having known about this 'bug' for nearly a decade, we never told users to provision AMT nor supplied a patch to Windows to do it for you". They basically intentionally left it alone. This of course is assuming they're lying about just recently discovering this, but I've heard people complaining about the security flaws and backdoors of the Core i series a very long time ago.
Senior Member
Posts: 586
Joined: 2008-06-20
Hurray! Now all those scared can un-wrap themselves from tinfoil!
Senior Member
Posts: 7441
Joined: 2012-11-10
Funny thing, but my thoughts here are...
Odd that it covers the exact period of Obama's reign.
Could such a thing really happen by presidential order?
The kind of thing we never hear about, since spying on everyone seems their only way to keep the power.
I find this unlikely. I don't know exactly when this was implemented relative to Obama's inauguration, but whether Obama wanted/approved of this or not, the timing of the implementation would've been way too quick. The checks and balances of the government alone would have made the process take up too much time, but you also have to consider Intel's software and hardware engineers had to design and create these features. Together, I'm sure that likely would've taken at least a year to accomplish.
However, I wouldn't be surprised if Obama was aware of this "bug", and, I don't think the ending of his presidency is related to this either. Just to clarify, I'm not being a tinfoil hat here, just speculating - I honestly couldn't care less if the CIA or NSA wants to spy on me.
Senior Member
Posts: 184
Joined: 2016-09-19
It was not a bug, it was a feature..