Explained — How Intel AMT Vulnerability Allows to Hack Computers Remotely


Earlier this week Intel announced a critical escalation of privilege bug that affects its remote management features shipping with Intel Server chipsets for the past seven years, which, if exploited, would allow a remote attacker to take control of vulnerable PCs, laptops, or servers.

The vulnerability, labeled CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software, versions 6 through 11.6.

The flaw was originally discovered by Maksim Malyutin, a member of the Embedi research team, in mid-February, who then responsibly disclosed it to the Intel security team.

My previous article, published earlier this week, was based on the partial information shared by Maksim with The Hacker News. As the reported Intel AMT vulnerability was highly critical and can be exploited remotely, Embedi held the technical details until most sysadmins had updated their systems with patched firmware.

Today, the Embedi research team has disclosed complete technical details about the critical vulnerability, revealing that a remote attacker can hijack computers powered by Intel chipsets simply by sending an empty authentication string.

To understand how, I have compiled this piece explaining:
  • What is Intel AMT technology?
  • Where the Intel AMT Vulnerability resides?
  • How can an attacker exploit Intel AMT Vulnerability?

What is Intel AMT technology?


Intel-based chipsets come with an embedded technology, called Intel Active Management Technology (AMT), to enhance the ability of IT administrators, allowing them to remotely manage and repair PCs, workstations, and servers of their organization.

Using a web-based control panel, accessible from port 16992 and 16993, which comes pre-installed on the chipset, an administrator can remotely manage a system.

The Intel AMT Web Interface works even when the system is turned off, as long as the platform is connected to line power and a network cable, as it operates independently of the operating system.

Where the Intel AMT Vulnerability resides?


To protect the Intel AMT Web Interface from unauthorized users, the service makes use of HTTP Digest and Kerberos authentication.

The escalation of privilege vulnerability resides in the way the Intel AMT Web Interface handles user authentication over the HTTP Digest protocol, which is based on a simple challenge-response paradigm.

Before going into the technical details about the exploitation of this vulnerability, you first need to know how Digest authentication works.

Digest authentication completes in the following steps:
  • The client requests the server to initiate login, and in response, the server returns a randomly generated 'nonce' value, the HTTP method, and the requested URI.
  • Next, the user is prompted to enter his username and password.
  • Once entered, the client machine sends the server an encrypted string (referred to as user_response), generated by applying a hash function to the entered username and password, the server-supplied nonce value, the HTTP method, and the requested URI.
  • The server also calculates a similar encrypted string (referred to as computed_response) using the username and password stored in the database and all the other three values.
  • The server compares both strings using the strncmp() function, and if they match, it allows the user to log into the Intel AMT Web Interface.

The Intel AMT vulnerability resides exactly in the strncmp() function that the server uses to compare both encrypted strings.

Syntax example:
strncmp (string_1, string_2, length)
where the length parameter defines how many characters need to be compared.

strncmp() is a binary safe string comparison function that returns a negative, zero, or a positive integer depending upon whether string_1 is greater or less than string_2, and if they are equal, it returns zero.


As is obvious, for successful authentication, the user_response variable must be equal to the computed_response variable; hence the strncmp() function must return a zero value for any length.

But, according to the researcher, the programmers who coded this authentication process for the Intel platform mistakenly used the length of the user_response variable in the strncmp() function, instead of the computed_response variable, for the response_length parameter.

How can an attacker exploit Intel AMT Vulnerability? (Demo)

(The above video demonstration for the Intel AMT flaw has been submitted by our beloved readers and independent security researchers, Dhanunjaya.V & Jithin D Kurup, who have previously reported critical flaws in IP cameras, bill boards, banks and payment gateways and many Indian Government sites.)

To exploit this logical flaw in the Intel AMT Web Interface, all an unauthorized attacker needs to do is send nothing (null) into user_response to the server.

Since the strncmp() function is mistakenly using the character length of the user_response variable to authorize the user, which in this case is null, the string comparison function would be tricked into matching nothing and believe that the attacker's response (user_response) is equal to the computed_response.

As both variables matched, the attacker will be authenticated to log into the Intel AMT Web Interface and do whatever an authorized administrator can do, gaining high-level privileges on the system.
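
The comparison flaw described above, reduced to a stand-alone C sketch next to a corrected check. This is an added example, not Intel's firmware code or Embedi's; the function names, the fixed 32-character digest length and the sample digest values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_HEX_LEN 32  /* assumed: MD5 digest as hex, as in HTTP Digest */

/* Constructed sample value standing in for the server's computed_response. */
static const char SAMPLE_COMPUTED[] = "0123456789abcdef0123456789abcdef";

/* Flawed check as the article describes it (hypothetical function name):
 * the compare length comes from the client-supplied string, so an empty
 * user_response makes strncmp() compare zero bytes and return 0. */
int check_flawed(const char *computed_response, const char *user_response)
{
    size_t response_length = strlen(user_response);
    return strncmp(computed_response, user_response, response_length) == 0;
}

/* Hardened check (hypothetical): require exactly one digest's worth of
 * characters on both sides, then compare all of them with no early exit. */
int check_fixed(const char *computed_response, const char *user_response)
{
    unsigned char diff = 0;
    size_t i;

    if (strlen(computed_response) != DIGEST_HEX_LEN ||
        strlen(user_response) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(computed_response[i] ^ user_response[i]);
    return diff == 0;
}

int main(void)
{
    const char *wrong = "ffffffffffffffffffffffffffffffff"; /* constructed */
    const char *inputs[] = { SAMPLE_COMPUTED, "", wrong };
    const char *labels[] = { "correct", "empty", "wrong" };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-8s flawed=%d fixed=%d\n", labels[i],
               check_flawed(SAMPLE_COMPUTED, inputs[i]),
               check_fixed(SAMPLE_COMPUTED, inputs[i]));
    return 0;
}
```

The length check in check_fixed() is what closes the hole: the server decides how many characters must match, never the client.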

Computers Can Be Hacked Even If They're Turned OFF


An attacker can also use the Keyboard Video Mouse (KVM) feature, available inside the Intel AMT Web Panel, which runs at a hardware level and allows sysadmins to remotely take control of the whole system, and perform tasks like:

"[Attacker] can remotely load, execute any program to the target system, read/write any file (using the common file explorer)," the research team wrote in its paper [PDF]. "Using IDE-R (IDE Redirection), [the attacker] can remotely change the boot device to some other virtual image for example."

"Using SOL (Serial over LAN), [the attacker] can remotely power on/power off/reboot/reset and do other actions with this feature. Also, it can be used to access BIOS setup for editing," the team added.

In short, a potential attacker can do everything that a sysadmin can do: he can log into a vulnerable machine's hardware, and silently perform malicious activities, like tampering with the system and installing virtually undetectable malware.

Install Firmware Update to Patch the Vulnerability NOW!


The bug affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. However, versions before 6 or after 11.6 are not impacted.

Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect if any workstation runs AMT, ISM, or SBT, a detection guide to check if your system is vulnerable, and a mitigation guide for those organizations that cannot immediately install updates.

So, Intel customers are strongly recommended to install a firmware patch without wasting a single second.

Also, there's a simple mitigation tool available on GitHub, created by malware researcher Bart Blaze, which is based on the Mitigation Guide provided by Intel.

All an affected user has to do is download and run DisableAMT.exe; it will disable Intel AMT on Windows operating systems (x86 and x64).