Intel’s security team released a series of patches yesterday that fix a remote code execution (RCE) bug found in the Intel Management Engine (ME).
The RCE bug affects Intel ME technologies such as Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).
All of these are technologies that allow a systems administrator to manage workstations remotely over a network, via ports 16992 or 16993. These features are not found in consumer-grade CPUs, but only in enterprise solutions, and mostly in server chipsets.
Intel server chipsets released in the last nine years are affected
The issue, tracked as CVE-2017-5689, was discovered by security researcher Maksim Malyutin of Embedi in March, and affects Intel manageability firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6. Versions before 6 or after 11.6 are not impacted.
Yesterday, Intel released a security advisory regarding the issue, new firmware versions, instructions to detect if any workstations run AMT / ISM / SBT technology, and a detection guide to assess if systems are running vulnerable versions.
The last part shouldn’t be that hard, since the flaw appears to impact all server CPU versions released in the past nine years, since 2008.
CPUs not vulnerable in default state
The positive part is that none of these features come enabled by default, and a sysadmin must first enable the services on their local network.
If enabled, Intel says that an attacker could exploit the AMT and ISM platform over a network. SBT is not vulnerable to network attacks.
If the vulnerable server/workstation is exposed online, an attacker could use ports 16992 or 16993 to deliver his attack. The vulnerability has a score of 9.3 out of 10 in terms of severity.
If the AMT / ISM / SBT technologies aren’t provisioned over the local network but enabled on the local machine, a local unprivileged attacker could still exploit the system for kernel-level access, but this requires tricking a user into executing a local payload.
Intel recommends that users check with their OEM for updated firmware, but in the case the OEM hasn’t yet released a firmware fix, Intel is providing its own firmware update as a last resort.
Update [May 2, 2017]: A security researcher that goes by x0rz has noticed that people started scanning for ports 16992 or 16993 a month before Intel released its firmware update, which means details about the vulnerability had leaked prior to the company’s security alert. At the time of writing, there are over 6,300 devices with the ATM interface exposed online.