lolloj - Fotolia

Intel AMT security risk could lead to system access

Servers may have been at risk of attack for years because of an Intel AMT security risk that was recently disclosed before manufacturers could patch.

An unpatched issue with Intel chips has been lurking in servers for years, but the Intel AMT security risk is still somewhat unclear following disclosure of the vulnerability and publication of a mitigation technique.

The authentication bypass vulnerability affects systems using Intel Active Management Technology (AMT) and, according to Intel, "could enable a network attacker to remotely gain access to business PCs or devices that use these technologies."

At first, Intel did not release the technical details of the AMT security risk, but security researchers at Tenable Network Security contacted Intel two days after the initial disclosure with a proof-of-concept exploit. In response, Intel posted full details of the flaw, along with a discovery tool and mitigation method in order to reduce the Intel AMT security risk while OEMs worked on patches for system firmware.

Carlos Perez, director of reverse engineering for Tenable, based in Columbia, Md., noted in a blog post that Local Management Service (LMS) is required to be running in order to exploit the AMT issue, but if it was, the system could be at risk of a "complete bypass of the authentication scheme."

Erlend Oftedal, an open source developer based in Oslo, Norway, was appalled that Intel had put a web interface on AMT.

Tatu Ylonen, founder and SSH fellow at SSH Communications Security, based in Helsinki, said this Intel AMT security risk was an "extremely severe vulnerability," but the danger was somewhat lessened, because "most server management interfaces are only connected to internal networks."

"But this vastly exacerbates the risks of insider attacks and malware that has already gotten into the organization," Ylonen told SearchSecurity. "The impact of these can be extremely severe: loss of confidentiality, integrity and continuity, affecting the most critical servers and business processes."

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., told SearchSecurity that "AMT was built to make things easier for lights-out data centers and other deployments where having to lay hands on a server was difficult." So, it is unclear how many servers still have Intel AMT provisioned. Williams said he thinks the Intel AMT security risk is more dangerous "as a local privilege escalation than a remote exploit."

"While the vulnerability is trivial to exploit if the services are configured, the fact of the matter is that they are not in most of my client networks," Williams said. "If you have the services configured, that's something else entirely. In that case, you effectively have a wide-open backdoor onto the system, and you should take care of that. If AMT is provisioned, the attacker effectively has physical access -- but remotely. Remote KVM [keyboard, video and mouse] and direct memory access are probably the most concerning."

Ylonen said the Intel AMT security risk was even more concerning because "most security software and tools run on Intel hardware, [including] Active Directory, firewalls, intrusion detection, logging, SIEM [security information and event management], certificate authorities, key management, etc."

"The physical servers for private clouds are also of particular concern. The compromise puts the whole integrity of these systems in question. The attack can be used to permanently install malware on these systems. With sophisticated attackers, the malware could sit in, for example, disk drive firmware and be near impossible to detect and remove," Ylonen said. "Thus, turning off AMT immediately and upgrading firmware as soon as it is available should be a key priority for enterprises."

Williams noted that organizations should turn to a qualified professional to check for the Intel AMT security risk in order to avoid issues resulting from IT staff turnover.

"Most orgs don't need this capability. But if you disable it, it's very likely you'll need to lay hands on each machine you want to re-enable it on," Williams said. "Just like in the DOUBLEPULSAR story, network segmentation and router [access control lists (ACL)] can help limit exposure for those organizations running AMT."

Intel also suggested disabling AMT and LMS while waiting for OEM fixes. HP Inc. and Lenovo have promised firmware updates soon, while Fujitsu and Dell have already released patches.

There are concerns circulating that Intel may have known about this AMT security risk for years without disclosing, but it is unknown what was known and when.

Ylonen said if "Intel has known of this vulnerability for years, it can only be an intentional backdoor."

"This vulnerability could cause many billions of dollars of damage to enterprises if weaponized against their servers and data," Ylonen said. "The impact can also be particularly long-term if their internal cybersecurity systems are compromised as a result of this vulnerability."

However, Williams said it was likely a coding error, rather than a backdoor, and he suggested it could have been nothing more than poor communication between researchers and Intel.

"A lot of vulnerability reporting is who you talk to and how you communicate. If you can't provide easily reproducible findings, you are less likely to be taken seriously," Williams said. "I think it's more likely that the vulnerability was reported to the wrong person, who tried to communicate it to the right person, but without enough detail. This sort of thing happens pretty often."

Intel did not respond to requests for comment at the time of this post.

Next Steps

Learn how attacks can bypass ASLR protections on Intel chips.

Find out more about Intel Security's shifting channel strategy.

Get info on how to choose between replacing and upgrading servers

Dig Deeper on Network security