A vulnerability in Intel’s Active Management Technology (AMT) feature of Intel processors appears relatively easy to abusive.
A remote control authentication screen can be bypassed using a blank string through a proxy server. AMT lets sysadmins perform powerful tasks over a remote connection.
For a successful attack on Intel vPro processors that have AMT enabled, access to ports 16992 and 16993 is required, Embedi reports. Embedi is the security company that originally announced the leak on the 5th of May.
Remote management for AMT is via a webpanel that uses an administrative account. Authentication is passed via digest authentication. However, a software error was detected when checking the firmware; The web server also accepted the input of an empty string for authentication. Security company Tenable came to the same conclusion and reports that a section of the correct response hash is sufficient for authentication.
This does not mean that an empty input field of the browser is sufficient for authentication, since digest authentication will cause the browser to still send a 32-character hash. In other words, when entering an empty password on the web panel through the browser, access is not granted. The method only works if a blank string on the web server is entered via port 16992 and 16993 via a proxy such as Burp Suite.
The companies emphasize that systems can be controlled remotely, even when they are off but still connected to the power-grid and the internet. They also claim that attackers can remove or replace entire operating systems as AMT runs independently of the OS. Attackers can take over mouse, keyboard and monitor, adjust the boat device, approach the bios and turn off and turn on remote systems, explains Embedi.
Last week, Intel announced vulnerability CVE-2017-5689 in Active Management Technology, Intel Standard Manageability and Intel Small Business Technology. The leak is in the 6.x firmware versions of the Nehalem generation of processors to version 11.6 of Kaby Lake processors. The vulnerable management features are part of Intel’s vPro platform for business processors. Intel’s consumer chips are not affected.
How to test if your systems are vulnerable
Dell has now announced patches for various OptiPlex, Latitude and Precision systems. As of May 17, the first bios updates will be available, via Dell’s support site.
The NMAP script below detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE2017-5689).
INTEL-SA-00075 Detection Guide (Windows only) will step you through multiple processes to detect INTEL-SA-00075.