Intel AMT vulnerability proves even more serious

May 8, 2017 // 10:26 a.m.

Tags: #amt #carlos-perez #dell #exploit #fujitsu #hp #insecurity #intel #ism #lenovo #security #tenable #vulnerability

Security researchers have warned that a remotely-exploitable vulnerability in the Active Management Technology (AMT) feature of Intel processors going back a decade is more serious than first thought, allowing attackers to bypass authentication by sending a simple null string.

Disclosed earlier this month, the vulnerability in Intel's Active Management Technology (AMT), Small Business Technology, and Standard Manageability (ISM) platforms has been the cause of no small consternation in corporate circles. Systems with an active AMT or ISM implementation - available only when AMT-equipped CPUs are used on a compatible and licensed motherboard and software platform - could be exploited over the network, but at the time it was believed such exploitation was relatively complex. Sadly, that turns out not to have been the case: exploiting the vulnerability is as simple as sending a null string when authentication is requested, which grants immediate and complete access to the remote system.

'Drawing on past experience when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded,' explained Tenable researcher Carlos Perez of his company's discovery in a blog post. 'Next, we reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header). Authentication still worked. We had discovered a complete bypass of the authentication scheme.'
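As an added illustration, not code from the article, Tenable or Intel, the attacker-controlled-length comparison pattern Perez describes is shown beside a fixed-length, constant-time check. The 32-hex-digit digest length and the sample expected hash are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the server-side expected Digest response
 * (32 hex digits, as an MD5-based HTTP Digest response would be). */
static const char SAMPLE_EXPECTED[] = "5d41402abc4b2a76b9719d911017c592";
#define DIGEST_HEX_LEN 32

/* Insecure comparison modelled on the pattern quoted in the article:
 * the length handed to memcmp comes from the attacker-supplied
 * response, so an empty response compares zero bytes and "matches",
 * and a correct one-digit prefix passes as well. */
bool verify_response_vulnerable(const char *attacker_resp,
                                const char *expected_resp) {
    size_t attacker_len = strlen(attacker_resp);
    return memcmp(attacker_resp, expected_resp, attacker_len) == 0;
}

/* Hardened comparison: both strings must have exactly the expected
 * digest length, and the byte comparison runs in constant time so the
 * result does not leak where the first mismatch occurred. */
bool verify_response_fixed(const char *attacker_resp,
                           const char *expected_resp) {
    if (strlen(expected_resp) != DIGEST_HEX_LEN) return false;
    if (strlen(attacker_resp) != DIGEST_HEX_LEN) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (uint8_t)attacker_resp[i] ^ (uint8_t)expected_resp[i];
    return diff == 0;
}
```

Run the vulnerable function with an empty or one-character response to see the bypass the researchers describe, then the fixed one to confirm only the full, exact digest is accepted.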

Although Intel has produced firmware patches which close the hole, it's up to hardware vendors themselves to tailor said firmware for their products and distribute the updates to customers. Thus far, HP, Lenovo, Fujitsu, and Dell have released firmware updates for supported devices - though end-of-life products are likely to remain vulnerable - while Intel itself has released a vulnerability scanner for detecting whether a system is affected by the flaw.