For the past seven years, millions of Intel PCs have been potentially vulnerable
Intel have announced that there is a privilege escalation vulnerability in their Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) products.
These products provide remote and out of band management capabilities to Intel based computer systems that are sold under the “vPro” branding:
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.
Intel have confirmed that a remote attacker would be able to gain access to the management functions provided by the above technologies, many of these are operating system independent:
There are two ways this vulnerability may be accessed:
– An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
– An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
How bad is this?
These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with 2010’s Intel Q57 family:
it means that for the past seven years, millions of Intel workstation and server chips have hidden a security flaw that can be potentially exploited to remotely control and infect systems with spyware.
A really accurate technical analysis was published by Matthew Garrett:
Unless you’ve explicitly enabled AMT at any point, you’re probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don’t have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…
How to fix the vulnerability?
Simply follow the four steps suggested by Intel:
- Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693.
If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.
- Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755.
If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.
- Chek with your system OEM for updated firmware. Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 126.96.36.19908.
- If a firmware update is not available from your OEM you need to disable the management functions on your system, all steps are explained in this document:
The same procedure has be explained in a more simple manner in this post on Mattermedia :