Updated: Intel Fixes ‘Nightmarish’ Firmware Flaw But Nobody’s Safe

In-brief: Intel issued a patch for a serious vulnerability in firmware that has shipped with its chipsets for almost nine years, but it could take months for patches to reach affected customers from OEMs. (Editor’s note: updated with analysis from Matthew Garrett. PFR May 2, 2017.)

Intel released a patch for a serious and remotely exploitable flaws in firmware that runs with chips the company has shipped since 2008, alarming security experts and prompting warnings from the U.S. Department of Homeland Security’s Computer Emergency Response Team (US CERT). But it may be months – or longer – before fixes are available for all affected Intel systems.

The flaw, which one security website described as “somewhere between nightmarish and apocalyptic” affects systems using Intel chips for the last nine years – a population of hundreds of millions of devices – that have remote management features in Intel’s Active Management Technology (AMT), Standard Manageability (ISM), and Small Business Technology enabled. A remote attacker could exploit the vulnerabilities to take control of an affected system, CERT warned on Monday.  For Intel based systems that do not have remote management features turned on, an attacker who was on the same network as a computer using the vulnerable software could leverage the same vulnerabilities to gain control over that system.

Intel released the patch on Monday along with a security advisory that describes the issue. According to the company, an escalation of privilege vulnerability in Intel  firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that runs Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology. An unprivileged attacker (for example, a non-administrative user) could gain control of the manageability features provided by these products, effectively giving them control of those systems.

The impact of the flaws is potentially vast. Effectively, every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from the company’s Nehalem release in 2008 to its Kaby Lake release in 2017 contain the remotely exploitable security hole.

Intel rated the flaws “critical” in its advisory. According to Intel, an attacker could use the flaw to gain system privileges to provisioned Intel AMT and Intel ISM installations. Also, an unprivileged local attacker could use the flaw to provision manageability features, gaining unprivileged network or local system privileges on systems running AMT, ISM and Intel SBT software.

AMT and ISM provide hardware based or “out-of-band” management of Intel based systems. The technologies are built on top of the Intel Management Engine, which is built into PCs with Intel vPro technology. They allow companies to manage computers remotely, operating below the level of the operating system. Features like security management, power management and system configuration can all be carried out using AMT.

Security experts weighing in on the flaw say there are still many unanswered questions about it, but that the impact on consumers is not likely to be big. “Merely having a ‘vPRO’ CPU and chipset isn’t sufficient,” wrote Matthew Garrett, a Google security engineer in a blog post analyzing the Intel disclosure. “Your system vendor also needs to have licensed the AMT code.” Most OEMs making consumer-grade devices  like laptops and desktops for personal use would not have done so.

Further, it is not clear whether all Intel AMT setups are affected. AMT both Small Business Mode and Enterprise Mode. While flaws that affect the former may impact some home systems, if they are limited to AMT in Enterprise Mode, “the impact on individual end-users will be basically zero,” Garrett said. “If it affects all systems, or just systems in Small Business Mode, things are likely to be worse.”

Indeed, while hundreds of millions (billions?) of computers are using affected Intel Chipsets, a search of the public Internet using Shodan reveals only 6,300 that are publicly addressable and that have the AMT technology enabled.

Though Intel has released a patch, that is just the first step in securing affected computers. In most cases, customes will need to wait for a further update from hundreds of original equipment manufacturers (OEMs) who integrated the Intel hardware and software into a finished system (laptop, desktop, server, etc.) Intel advised customers to use the company’s SCS System Discovery Utility to determine whether a given system is using a firmware version and Intel manageability product that are vulnerable.

For systems that are vulnerable, Intel “highly recommends” checking with the system OEM for updated firmware.In the absence of a OEM patch, Intel is advising customers to “unprovision” clients to “prevent unauthorized access to manageability features.” Of course, doing so will also prevent them from being managed by sanctioned IT staff, as well.

Intel said the issue was reported to the company by researcher Maksim Malyutin from the firm Embedi, though there are questions about whether the company knew about it previously. Writing for the blog Semiaccurate.com, Charlie Demerjian claims to have known about the flaw for years and to have warned Intel officers about it repeatedly during that time, to no avail. Intel in March announced its first ever bug bounty program, working with the firm HackerOne. The company offers bounties of up to $10,000 for “critical” bugs in firmware and $30,000 for critical, hardware related flaws.