Intel’s Active Management Technology (AMT), Standard Manageability (ISM), and Small Business Technology (SBT) firmware has been found to be vulnerable to escalation of privilege flaws that could lead to remote control. Intel has identified the flaws as INTEL-SA-00075.
Who Found the INTEL-SA-00075 Vulnerability?
Intel says the issues have been reported by Maksim Malyutin from Embedi. However, another security company, SemiAccurate, has a different point of view, claiming that:
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.
SemiAccurate says that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. Even if the machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. However, this could still happen, the company warns. SemiAccurate analysis indicates that “there is literally no Intel box made in the last 9+ years that isn’t at risk”, defining the situation as “nightmarish” and “apocalyptic”.
Apparently, SemiAccurate has been aware of this vulnerability for several years, as the issue came up in research they were doing on hardware backdoors more than five years ago. What the researchers found was quite troubling, to the point that the issue literally kept them up at night. The researchers, however, could not publish their discovery for reasons obvious enough. But they still took every opportunity possible to “beg anyone who could even tangentially influence the right people to do something”. Unfortunately, with no success.
Intel, on the other hand, has made an official announcement, confirming that firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 of the software mentioned above are vulnerable and “can allow an unprivileged attacker to gain control of the manageability features provided by these products.”
The first of the flaws is located in AMT and ISM units and could enable a remote attacker to gain system privileges to provisioned chips. The second flaw could allow a local attacker to obtain unprivileged network or local system privileges on chips with AMT, ISM, and SBT, Intel says.
In addition, chips that belong to the company’s Nehalem architecture are also affected by the flaws if they run manageability firmware from versions 6-11.6.
Mitigations against INTEL-SA-00075
As written in Intel’s Mitigation guide against INTEL-SA-00075, “Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability”. When configured, Intel AMT and ISM automatically listen for management traffic over the client’s computer network, the company adds.
Systems that are vulnerable to the known privilege escalation issue should be unprovisioned using the tools used to initially configure them to prevent unauthorized access to manageability features.
SemiAccurate underlines that “this flaw is remotely exploitable only if you have AMT turned on”.
Unfortunately, “if you don’t have it turned on or provisioned the vulnerability is still exploitable locally”.
Finally, researchers at SemiAccurate strongly suspect that this vulnerability is being exploited in the wild at this very moment, meaning that the official mitigations steps should be performed immediately.