A 7-year-old flaw in Intel chips could enable hijackers to gain total control of business computers and use them for malicious purposes.
The Intel AMT (active management technology) vulnerability is the first of its kind, according to Embedi, which released technical details about it last week.
Attackers could take advantage of the flaw to get full control over business computers, even if they were turned off, provided they were plugged into an outlet, according to the firm, which makes security products for embedded and smart devices.
Intel’s AMT, which is installed on many vPro chipsets, is designed to allow computers running the chips to be accessed remotely.
“Hardware integrated management and security solutions like AMT provide powerful capabilities that can do a lot of good, like making power management more efficient and ensuring updates are installed,” said John Morello, CTO of Twistlock.
“However, they sit so low in the stack that any flaw in them effectively means the whole system is owned,” he told TechNewsWorld.
In a Botnet Soon
Although the vulnerability has existed for years, Intel is not aware of any exploitation of the flaw, said company spokesperson William Moss.
As many as 8,500 devices — 3,000 of them in the United States — are affected by the flaw and facing the Internet, according to Data Breach Today. There might be many more vulnerable devices that could be accessed and exploited by hackers even though they are not connected to the Internet.
“We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible,” Intel’s Moss said. “Consumer PCs with consumer firmware and data center servers using Intel Server Platform Services (SPS) are not affected by this vulnerability.”
The need for a firmware update to address the vulnerability is what makes the flaw dangerous, maintained Twistlock’s Morello.
“Many organizations are happily running hardware that’s no longer being serviced by the OEM, particularly when you’re talking about low-margin small business PCs and servers with short support lifecycles,” he said.
“The reality is that many of those systems will never be fixed and will forever be vulnerable,” Morello continued, “meaning there’s a high likelihood you’ll see them in a botnet near you one day soon.”
Firmware Patches Challenging
Firmware vulnerabilities can be more troublesome than other kinds of flaws, noted Morey Haber, vice president of technology for BeyondTrust.
“Patching firmware on servers is always a challenge for remote management tools, since many operating systems do not support the vendor supplied utilities to initiate them,” Haber told TechNewsWorld.
This problem affects every original equipment manufacturer that uses the solution, he said, including Dell, HP, Fujitsu and Lenovo, and they will have to test and supply the patch as well.
“Patching this fault on every server and every hypervisor will take time and cause potential outages,” Haber added. “Businesses must plan for a massive update in order to stay safe and stay compliant.”
Until the patch can be installed, those who might be at risk should turn off AMT, he recommended, especially on Windows machines, as they will likely be the first to be attacked. They also should filter AMT ports, and allow communications to them only from trusted sources. Further, they should take care to avoid exposing AMT posts to the Internet.
What can be learned from the AMT flaw?
“No software, not even firmware, is safe — and even tools that have existed for years can have critical vulnerabilities discovered that can lead to an incident, or worse, a breach,” Haber said.
Intel likely learned something about its quality and assurance procedures from this incident, observed Bobby Kuzma, a system engineer with Core Security.
“This vulnerability should have been caught by Q&A long ago,” he told TechNewsWorld. “The fact that it wasn’t should be a question that they have to reflect on for awhile.”
If Intel’s Q&A process needs tightening up, now might be the right time to do it, as firmware vulnerabilities are attracting the attention of more and more researchers.
“That tends to mean that more vulnerabilities are going to be identified,” said Todd O’Boyle, CTO of Strongarm.
“This is one in a long list of things like this we’re going to see,” he told TechNewsWorld, “so people should be prepared to deal with this again in the near future.”