Info on Intel Flaw Followed Offer of Cash Bounty

In-brief: the disclosure of a critical flaw in remote management software by Intel followed the company’s move, in March, to begin offering cash bounties for information about software vulnerabilities, an Intel spokesman confirmed. 

The disclosure of a critical flaw in remote management software by Intel followed soon after the company’s move, in March, to begin offering cash bounties for information about software vulnerabilities, an Intel spokesman confirmed.

The bug was disclosed to Intel in March via the company’s newly launched Bug Bounty program hosted by Hackerone, Intel spokesman William Moss told The Security Ledger.  Researcher Maksim Malyutin from the firm Embedi disclosed it to the company, which issued a patch in April and disclosed the issue on Monday. The flaw affects systems that use Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT).

As reported by The Security Ledger, the flaw in the Intel firmware is serious. A remote attacker could exploit the vulnerabilities to elevate his or her permissions on an affected system, CERT warned on Monday.  For Intel based systems that do not have remote management features turned on, an attacker who was on the same network as a computer using the vulnerable software could leverage the same vulnerabilities to gain control over that system.

The actual impact of the flaw isn’t known. It almost certainly doesn’t pose a big risk of remote exploitation, but it could give attackers who already have access to a network an easy way to elevate their level of access or compromise other systems they have access to.

Intel is not aware of any exploitation of it, Moss said. The company released a patch in late April and is “cooperating with equipment manufacturers to make it available to end-users as soon as possible.”

The report is sure to be seen as evidence that bug bounty programs, which offer security researchers money in exchange for information on security holes in their products. Intel launched its public bug bounty program on March 15, offering $10,000 for information on “critical” firmware flaws and as much as $30,000 for critical flaws in Intel hardware. Moss declined to say what kind of reward Malyutin qualified for or how much he was paid.

Bounty programs, which have been around since the 1990s, have taken off with the advent of intermediary firms like HackerOne and Bugcrowd, which set up and manage the programs on behalf of customers like Intel, Microsoft, Facebook, Yahoo and others.

In April, HackerOne, which is based in San Francisco, disclosed that 800 corporate customers paid out more than $15 million in bonuses to white-hat hackers since its founding in 2012.

The programs have even gained adherents within the U.S. military. The U.S. Department of Defense launched a Hack the Pentagon program. And, in April,  the U.S. Airforce will launch its own bug bounty program, also through HackerOne, this month.

At least one researcher has claimed that the Intel flaw was known about – possibly for years – and disclosed to the company previously. Moss declined to comment on those allegations, reiterating that the firm first learned of the flaw from Malyutin in March.

Comments are closed.