Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Exploitable Details of Intel’s ‘Apocalyptic’ AMT Firmware Vulnerability Disclosed

Details of the Intel AMT firmware vulnerability announced on May 1, 2017 are now public knowledge; and the suggestion that ‘this is somewhere between nightmarish and apocalyptic’ has been proven correct.

Details of the Intel AMT firmware vulnerability announced on May 1, 2017 are now public knowledge; and the suggestion that ‘this is somewhere between nightmarish and apocalyptic’ has been proven correct.

One day after Intel’s alert, Embedi (the firm that discovered the vulnerability back in February this year) published a brief note. One particular sentence stood out to researchers at Tenable: “With 100 percent certainty it is not an RCE but rather a logical vulnerability.”

This persuaded Tenable to look at ‘authentication’ as the possible basis for a logical flaw that allows remote access. Within one day it discovered the flaw by trial and error — and experience.

“Drawing on past experience,” explains Carlos Perez, Tenable’s director of reverse engineering in a blog post last Friday, “when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded!”

Further tests showed that a NULL/empty response hash (response=”” in the HTTP Authorization header) still worked. “We had discovered a complete bypass of the authentication scheme.”

Tenable asked Intel if this was the flaw in question. Intel said it was, and asked Tenable to delay publication until the end of the day on Thursday Pacific time (effectively Friday). This gave Embedi (the original finder of the flaw) time to simultaneously publish its own findings on Friday.

If Tenable could find the flaw within a single day, blackhats could do the same. The time for obfuscation had passed. While Tenable had found the flaw, Embedi’s whitepaper (PDF), also published Friday, explains it.

Embedi had been looking into AMT and its admin account that is present by default and always uses digest authentication. By reverse engineering the firmware it discovered, “The value of the computed response, which is the first argument, is being tested against the one that is provided by user, which is the second argument, while the third argument is the length of the response. It seems quite obvious that the third argument of strncmp() should be the length of computed_response, but the address of the stack variable response_length, from where the length is to be loaded, actually points to the length of the user_response!”

Advertisement. Scroll to continue reading.

In short, it explains, “Given an empty string the strncmp() evaluates to zero thus accepting an invalid response as a valid one.”

Armed with this knowledge, any attacker could get admin control over AMT. It is the power of AMT that makes the vulnerability so severe. “First of all,” explains Embedi, “you should remember that Intel AMT provides the ability to remotely control the computer system even if it’s powered off (but connected to the electricity mains and network).” Furthermore, it is completely independent of the installed operating system. No traditional security defense could even see, let own prevent, anything done through AMT.

Embedi describes some of the possible attack scenarios. These include, remote load and install of any file onto the target system; read any file; remotely change the boot device to some other virtual image; remotely power on/power off/reboot/reset and do other actions; and even edit the BIOS setup.

The situation now is that any business PC that uses AMT, ISM or SBT that has not received the Intel firmware patch, is vulnerable to a silent, unpreventable, major attack — and details of how to perform the attack are public knowledge. Several PC vendors have started rolling out the new Intel firmware (DellHPLenovoFujitsu) — but some older and boutique PCs may never receive the patch.

On Friday, May 5, 2017, Intel issued an update to its original alert. It reiterates its original recommendations. Intel users should first determine whether they are vulnerable (that is, if the devices incorporate AMT, ISM or SBT), and then take the mitigation steps already published. But note, it adds, “capabilities and features provided by AMT, ISM and SBT will be made unavailable by these mitigations.” 

Intel has also released a discovery tool, which will analyze systems to see if the vulnerability is present.

What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option. 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.