Intel's AMT Flaw: Worse Than Feared
NCR Warns ATM Motherboards Also Affected by Hijacking Flaw
The critical Active Management Technology - AMT - flaw present in the firmware running on many Intel chips since 2010 is worse than feared, security researchers warn. In particular, the flaw can be easily exploited to allow a remote attacker to take control of vulnerable systems without even having to enter a password (see Intel Alert: Critical Security Flaw Affects Many Chipsets).
AMT is remote-management software installed on many vPro chipsets' firmware. While it's designed to require a username and password before it can be accessed, Maksim Malyutin, a researcher at embedded security firm Embedi, reverse-engineered the AMT code in February and found that the authentication checks can be bypassed using simple tools and only about five or 10 lines of code.
Embedi privately reported the flaw to Intel in March. On May 1, Intel issued an alert, warning that systems running AMT, Intel Standard Manageability or Small Business Tech firmware - versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5 or 11.6 - are at risk.
"The exploitation allows an attacker to get full control over business computers, even if they are turned off - but still plugged into an outlet," according to a May 5 analysis published by Embedi. "Access to ports 16992/16993 is the only requirement to perform a successful attack."
Numerous OEMs - including Dell, HP, Fujitsu and Lenovo - report that they have shipped devices with the modern Intel Xeon processors that are vulnerable to the flaw, designated CVE-2017-5689. Automated teller machine giant NCR also says that its ATM motherboards are at risk if users have enabled AMT.
A query on internet of things search engine Shodan counts 8,500 affected devices, of which nearly 3,000 are in the United States. While those are internet-connected devices, many other vulnerable systems may be accessible via local area networks by either local users or remote attackers who gain access to a LAN.
No reports have surfaced yet that the AMT flaw has been exploited in the wild. But AMT access to a system - or any subsequent changes to that system - isn't logged by default, meaning that unless extra defenses and monitoring are in place, it would be difficult if not impossible to spot related attack attempts.
Intel says that consumer systems and some business systems are not affected. "This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel Server Platform Services (Intel SPS), or Intel Xeon Processor E3 and Intel Xeon Processor E5 workstations utilizing Intel SPS firmware," its security alert notes.
Embedi has dubbed the flaw "Silent Bob is Silent" because the impacted AMT sub-systems don't require a password under certain access conditions. "Keep silence when challenged and you're in," Embedi researchers write in a May 5 teardown of the security flaw, published in coordination with Intel.
Attackers who successfully exploit the flaw can access systems as if they were administrators on the local network, the researchers warn.
Separately, researchers at security firm Tenable Network Security on May 5 also reported that they had independently identified the flaw - using Intel's barebones May 1 security alert - and verified how easy it was to exploit.
In a blog post, Tenable Reverse-Engineering Director Carlos Perez detailed how simple HTTP packet-manipulation tools could be used to feed the username "admin" and any password - or even no password at all - to an endpoint running AMT and gain remote control.
Embedi reached the same conclusion, noting that by using a proxy - or some other tool for editing the information sent by a browser to an AMT client installed on an endpoint - it could gain full access to the system. "With a little help of the local proxy at 127.0.0.1:16992, which is meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we've known the *admin* password," Embedi's report states.
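The two descriptions above (feeding any password, or an empty one, and replacing the browser's digest response with an empty string) come down to how the server compares the client's digest response with the one it computed. The following is an added illustration, not Intel's firmware code and not from Embedi or Tenable: a constructed HTTP Digest verifier that compares only as many characters as the client supplied, shown beside a full-length constant-time comparison, together with a small check that flags empty digest responses in captured request lines, since, as noted earlier, AMT itself logs nothing by default. The realm, nonce, password and log lines are all constructed sample values.

```python
"""Digest-auth response checking: a client-length comparison beside a
full-length one, plus a log check for empty responses.

Constructed illustration for the article; not Intel AMT's actual code.
"""
import hashlib
import hmac
import re

# Constructed sample values (not real credentials or a real device)
REALM = "Digest:0123456789ABCDEF"
USER = "admin"
PASSWORD = "constructed-sample-password"
NONCE = "constructed-nonce"
URI = "/index.htm"


def expected_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def weak_check(expected, client_response):
    """Compare only as many characters as the client sent (strncmp-style,
    with the length taken from the client). An empty client response
    compares zero characters and therefore 'matches' every expected value."""
    n = len(client_response)
    return expected[:n] == client_response[:n]


def strong_check(expected, client_response):
    """Constant-time comparison over the full expected length; an empty or
    truncated response can never match."""
    return hmac.compare_digest(expected.encode(), client_response.encode())


def parse_digest(value):
    """Parse the quoted k="v" pairs of an 'Authorization: Digest ...' value."""
    if not value.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', value[len("Digest "):]))


def authenticate(header_value, method, uri, nonce, check):
    """Verify a Digest Authorization header with the supplied comparison."""
    p = parse_digest(header_value)
    if p.get("username") != USER or p.get("realm") != REALM or p.get("nonce") != nonce:
        return False
    exp = expected_response(USER, REALM, PASSWORD, method, uri, nonce)
    return check(exp, p.get("response", ""))


def flag_empty_responses(request_lines):
    """Return captured request lines whose Digest header carries response=""."""
    flagged = []
    for line in request_lines:
        m = re.search(r"Authorization: (Digest [^\n]*)", line)
        if m and parse_digest(m.group(1)).get("response") == "":
            flagged.append(line)
    return flagged


# Constructed sample headers: one with the correct digest, one emptied out
GOOD_HEADER = (
    f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
    f'response="{expected_response(USER, REALM, PASSWORD, "GET", URI, NONCE)}"'
)
EMPTY_HEADER = (
    f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", response=""'
)

# Constructed capture of three requests to the management port, as a proxy or
# packet capture tool might record them
SAMPLE_CAPTURE = [
    f"GET {URI} HTTP/1.1\nHost: 10.0.0.5:16992\nAuthorization: {GOOD_HEADER}\n",
    f"GET {URI} HTTP/1.1\nHost: 10.0.0.5:16992\nAuthorization: {EMPTY_HEADER}\n",
    f"GET {URI} HTTP/1.1\nHost: 10.0.0.5:16992\n",
]


def demo():
    """Outcome of each check on the two headers, plus the flagged captures."""
    return {
        "good_weak": authenticate(GOOD_HEADER, "GET", URI, NONCE, weak_check),
        "good_strong": authenticate(GOOD_HEADER, "GET", URI, NONCE, strong_check),
        "empty_weak": authenticate(EMPTY_HEADER, "GET", URI, NONCE, weak_check),
        "empty_strong": authenticate(EMPTY_HEADER, "GET", URI, NONCE, strong_check),
        "flagged": len(flag_empty_responses(SAMPLE_CAPTURE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the comparison length must come from the value the server computed, never from the client, and that a full-length constant-time compare such as `hmac.compare_digest` removes the length question entirely. Because a device with this class of bug records nothing itself, the only place the empty response is visible is on the wire or at a proxy in front of the management ports, which is where `flag_empty_responses` is meant to run.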
What's the risk? Embedi says the AMT flaw could be exploited in multiple ways, including:
- Power up: Power the system on or off, reset the system or edit its BIOS.
- Code execution: Remotely control the mouse, keyboard or monitor, which would give attackers the ability to remotely load or execute any program on the targeted system.
- Boot to remote image: Remotely change the boot device, for example, to a virtual image that is remotely located and created by the attacker.
ATMs Vulnerable to AMT
Many ATMs may also be vulnerable to the AMT flaw.
"This vulnerability exists in first generation and later Intel Core processor family and Q-Series chip sets [firmware]," NCR warns in an emailed May 5 security alert. "NCR has used this technology in ATMs that were manufactured later than 2011. The PC cores in NCR ATMs shipped prior to 2011 do not have this vulnerability."
NCR's security alert says many of its motherboards include AMT 6.x, 7.x, 8.x, 9.x, 10.x or 11.x firmware, but that they're not necessarily currently at risk. "By default, NCR BIOS are set to 'disable' AMT. In addition, the version of Windows OEM that NCR configures and installs in ATMs does not include ... all necessary software needed to enable AMT."
But any ATM operators who are using AMT, or who did install a version of Windows with the full set of AMT tools on their ATM systems, are at risk, NCR says. In such cases, NCR recommends ATM operators install a forthcoming BIOS fix - in the form of a firmware update - that it plans to issue, and in the interim disable or delete AMT from all affected devices.
Deleting AMT functionality requires deleting the Intel Local Manageability Service - LMS.exe - from a system, which is required for AMT to run. "Removing LMS.exe from the ATM will prevent attackers being able to exploit this vulnerability," NCR's alert reads. "The LMS.exe binary is not part of NCR's Windows 7 OEM. However, it may be included in other Windows versions."
NCR recommends that all ATM operators assume that they are running AMT on systems - and proceed accordingly with their security response - until they prove otherwise.
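To act on the advice to assume AMT is enabled until proven otherwise, an operator needs an inventory of which hosts on the management network answer on ports 16992 and 16993. The following is an added example for that inventory step, not NCR's or Intel's tooling: it probes each address on those two ports and classifies the HTTP reply. The classifier's banner strings are an assumption on my part (the AMT web interface identifies itself with a Server header naming Intel Active Management Technology and challenges with a realm beginning `Digest:`); the sample replies it is tested on are constructed.

```python
"""Inventory of hosts answering on the AMT management ports.

Added example for the article; not vendor tooling. The banner strings in
looks_like_amt() are assumptions, and the sample replies are constructed.
"""
import socket

AMT_PORTS = (16992, 16993)  # HTTP and HTTPS management ports named in the alerts


def looks_like_amt(reply: bytes) -> bool:
    """Classify an HTTP reply as an AMT web interface.

    Assumption (not stated in the article): the interface sends a Server
    header naming 'Intel(R) Active Management Technology' and/or a Digest
    challenge whose realm starts with 'Digest:'."""
    head = reply.split(b"\r\n\r\n", 1)[0].lower()
    return (b"intel(r) active management technology" in head
            or b'www-authenticate: digest realm="digest:' in head)


def probe(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Send a minimal HTTP request over plain TCP and return the raw reply
    (empty bytes if the port is closed or silent). Port 16993 is TLS, so a
    plain request there only tells us the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
            return s.recv(2048)
    except OSError:
        return b""


def inventory(hosts):
    """Return {host: {port: 'amt' | 'open' | 'closed'}} for the AMT ports."""
    result = {}
    for host in hosts:
        result[host] = {}
        for port in AMT_PORTS:
            reply = probe(host, port)
            if not reply:
                result[host][port] = "closed"
            elif looks_like_amt(reply):
                result[host][port] = "amt"
            else:
                result[host][port] = "open"
    return result


# Constructed sample replies used to exercise the classifier offline
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 9.9.9\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF", nonce="x"\r\n'
    b"\r\n"
)
SAMPLE_OTHER_REPLY = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    # Hosts here are placeholders for the operator's own ATM management network
    for host, ports in inventory(["192.0.2.10"]).items():
        print(host, ports)
```

Hosts that come back `amt` on 16992 have AMT enabled in the BIOS regardless of whether LMS.exe is present, and are the ones to prioritize for the firmware update; an `open` result on 16993 alone says only that something listens on the TLS port and deserves a closer look.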
Vendors Prep New Firmware
Expect a bevy of firmware updates in coming weeks from affected OEMs, including NCR. "We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software," Intel says in a May 5 security update.
Intel is maintaining its own list of affected vendors, which so far includes:
As of May 8, only Fujitsu and HP had fully tested and begun releasing updated firmware to patch the flaw. Lenovo says it plans to begin releasing its updates on May 9, and Dell on May 17, with some updates not arriving until June.
Once the firmware appears, IT departments face months of headaches in getting it tested, installed and rolled out on affected systems. "Firmware patching takes an extremely long time to test before it is deployed to all of their users," Embedi's researchers warn.