In early May, Intel began making updates available to resolve two critical security vulnerabilities in the firmware of business-class Intel systems. Security researchers located the vulnerabilities within the co-processor that serves as the management engine and provides further features as part of Intel’s vPro technology. vPro allows IT teams to remotely administer systems (e.g. determine a system’s status regardless of its condition, power it on or off, restart it, etc.) and provides capabilities including secure wiping of data should the device be lost or stolen.
Why should these vulnerabilities be considered important?
As documented within Intel’s advisory: the first vulnerability allows an unprivileged remote attacker to gain system-level privileges (the highest privileges available) over the manageability features, allowing them to make any changes they wish to the affected system. This applies to systems with Intel Active Management Technology (AMT) or Intel® Standard Manageability (ISM) provisioned.
The second vulnerability allows an unprivileged local attacker (one who can already run code on the system, for example an ordinary user, or an intruder already inside your internal/corporate network who has reached the system) to provision the manageability features and thereby gain network or local system privileges. This vulnerability affects AMT, ISM and systems with Intel Small Business Technology (SBT) enabled. Definitions for AMT, ISM and SBT are available from Intel. A useful FAQ on the vulnerabilities is available here.
Vulnerable systems are very likely to be in use by many corporate organisations and small businesses. The affected firmware version numbers are listed within US-CERT’s advisory. All Intel systems which have Intel Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT) enabled are vulnerable. Such systems have been shipping for more than nine years.
It should be noted that only business-class devices ship with these manageability features; the same vulnerabilities do not exist on consumer devices. However, given the increasingly blurry distinction between consumer and business devices, especially with concepts such as Bring Your Own Device (BYOD), these issues can easily be widespread and will take time to address. Intel has published steps which will help to identify affected systems. A detection tool is also available from Intel’s download center.
For the first (remote) vulnerability to be successfully exploited, Active Management Technology (AMT) must be provisioned to support remote administration. AMT is not provisioned by default.
Moreover, while all three of the management technologies mentioned above are vulnerable, the first vulnerability can only be exploited if AMT (or ISM) is provisioned. If it is not provisioned, the second (local) vulnerability still applies, since a local attacker can provision the manageability features themselves.
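As an added example (this is not code from the original post, nor Intel’s detection tool), the following Python script shows a network-side check of the kind the identification guidance above calls for. A provisioned AMT or ISM system answers on TCP 16992 (HTTP) and 16993 (HTTPS) and names its product and firmware version in the HTTP Server header; that version can be compared against the affected firmware families listed in the advisories (6.x to 10.x, and 11.0, 11.5 and 11.6). The sample HTTP response is constructed for the example and the hostnames passed on the command line are placeholders. A family match only means the system is in an affected family: the exact build still has to be compared with the fixed build your vendor lists, and an unprovisioned system (to which the second, local vulnerability still applies) will not answer on these ports at all.

```python
"""Detect provisioned Intel AMT/ISM over the network and classify the firmware family.

Added example, not part of the original post. Provisioned AMT/ISM listens on TCP 16992
(plain HTTP) and 16993 (HTTPS) and identifies itself in the HTTP Server header.
The affected families below are those named in the Intel/US-CERT advisories.
"""
import re
import socket
from typing import Optional, Tuple

# Affected firmware families per the advisories: 6.x through 10.x, and 11.0/11.5/11.6.
AFFECTED_MAJOR = {6, 7, 8, 9, 10}
AFFECTED_11_MINOR = {0, 5, 6}

AMT_HTTP_PORT = 16992   # 16993 is the TLS port; only plain HTTP is probed here

# Matches e.g. "Server: Intel(R) Active Management Technology 9.1.30"
_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\)\s+(Active Management Technology|Standard Manageability)\s+"
    r"(\d+)\.(\d+)(?:\.(\d+))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_banner(http_response: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version tuple) from an AMT HTTP response, or None if no banner."""
    m = _SERVER_RE.search(http_response)
    if not m:
        return None
    product = m.group(1)
    version = tuple(int(p) for p in m.groups()[1:] if p is not None)
    return product, version


def is_affected_family(version: Tuple[int, ...]) -> bool:
    """True if the firmware version falls in a family the advisories list as affected."""
    major = version[0]
    minor = version[1] if len(version) > 1 else 0
    if major in AFFECTED_MAJOR:
        return True
    if major == 11:
        return minor in AFFECTED_11_MINOR
    return False


def classify(http_response: str) -> str:
    """Turn a raw HTTP response into a short verdict string for a scan report."""
    parsed = parse_amt_banner(http_response)
    if parsed is None:
        return "no-amt-banner"
    product, version = parsed
    ver = ".".join(str(p) for p in version)
    if is_affected_family(version):
        # Family match: still compare the build number with the vendor's fixed build.
        return f"affected-family: Intel {product} firmware {ver}"
    return f"outside-affected-families: Intel {product} firmware {ver}"


def probe_amt(host: str, port: int = AMT_HTTP_PORT, timeout: float = 3.0) -> str:
    """Connect to the AMT web port, request / and classify the Server header."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError as exc:
        # Closed port or no answer: either not provisioned, or not reachable from here.
        return f"unreachable ({exc})"
    return classify(b"".join(chunks).decode("latin-1", "replace"))


# Constructed sample, modelled on the banner an AMT web server sends; not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 303 See Other\r\n"
    "Server: Intel(R) Active Management Technology 9.1.30\r\n"
    "Location: /logon.htm\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]          # placeholder hostnames/IPs of systems to check
    if not targets:
        print(classify(SAMPLE_RESPONSE))
    for target in targets:
        print(target, probe_amt(target))
```

Run it with one or more hostnames to sweep a subnet’s management ports; with no arguments it classifies the constructed sample. Because the check is purely passive on the banner, it is safe to run against production systems, but it complements rather than replaces Intel’s own detection tool, which also covers systems where AMT is present but not yet provisioned.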
These vulnerabilities are particularly severe since the management engine co-processor (mentioned above) can access any memory region within an affected system without the main Intel processor (CPU) being aware of it. The co-processor can send and receive network traffic below the level at which the operating system’s firewall operates, thus bypassing it. Once authenticated to AMT (which is precisely what the first vulnerability hands an attacker), the management engine can also read from and write to the system’s storage device (its hard drive) and has read and write access to the device’s screen (your monitor), all while remaining undetected and unlogged by the operating system (these events are not captured within the operating system’s logs, so detection by a SIEM that relies on those logs is not viable).
How can I protect myself from these vulnerabilities?
Intel has created a list of affected vendors which links to their respective websites including the status of the availability of updates as well as already completed/available updates.
While the preparation of updates is in progress, the following mitigation options from Intel’s mitigation guide are available:
- Un-provision Intel manageability SKU (stock keeping unit) clients, to prevent an unprivileged network attacker from gaining system privileges (Intel’s Unprovisioning Tool v1.0)
- Disable or remove the Local Manageability Service (LMS), to prevent an unprivileged local attacker from gaining system privileges
- Optionally, configure local manageability configuration restrictions
Unfortunately, it will take time for vendors to issue updates for all affected systems. If you are in any doubt as to whether your systems are affected, please contact your vendor. In addition, please continue to check the list of vendor websites (provided above) to monitor when the updates for your systems become available. If a vendor has instead published a release date, you can schedule a downtime window for those systems to be updated once the firmware is released.
What is a stock keeping unit (SKU)?
It refers to a specific item stored in a specific location. The SKU is intended as the most disaggregated level when dealing with inventory (Source). In Intel’s advisory the term simply distinguishes which manageability variant (AMT, ISM or SBT) a given system shipped with.