Chipmaker Intel has issued a security alert for a flaw that has existed in many of its non-consumer chipsets for a decade. The flaw could be exploited by attackers, using Intel’s own remote-management tools, to install malware on devices and breach enterprise networks.
“There is an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology versions … that can allow an unprivileged attacker to gain control of the manageability features provided by these products,” Intel says in a May 1 security alert.
Intel says firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 are affected, but that chips running firmware versions prior to 6 and after 11.6 do not have the vulnerability. It also notes that “this vulnerability does not exist on Intel-based consumer PCs.”
Intel has rated the flaw – designated CVE-2017-5689 – as “critical” and recommends all business customers immediately assess whether they have devices with the vulnerable vPro processors and if so, patch them immediately.
Devices with vulnerable firmware may have one of the following badges on their box.
Some security experts recommend immediately decommissioning any vulnerable devices for which an OEM patch is not yet available. “If your system is 10 years old or newer it is likely exploitable, check for patches daily and install all patches immediately,” security researcher Charlie Demerjian says in a blog post. “If there is no patch, back up data and replace.”
Intel has issued related fixes, but in many cases it will now be up to OEMs to incorporate those patches into firmware and get it into customers’ hands.
“Intel released an update on April 25, and advises that the system or system board manufacturers should be releasing their firmware versions to affected customers,” security experts Richard Porter and Rob VandenBrink say in a SANS Internet Storm Center alert. “That is, if your vendor releases a patch for your system – there are a lot of older computers out there – and newer ones too – that will likely never see this update!”
Intel said the flaw was discovered and reported to it privately in March by security researcher Maksim Malyutin at Embedi. Intel said the researcher helped it via a coordinated disclosure campaign, which refers to a researcher not releasing details of their discovery publicly until related patches begin to get issued.
The flaw now joins the likes of Bash, Heartbleed, Logjam, Poodle and Shellshock, in that it’s persisted for years before coming to light, at least publicly. Of course, the flaw still could have already been discovered and quietly exploited by someone else, such as an intelligence service (see Zero-Day Facts of Life Revealed in RAND Study).