Intel chip vulnerability sends corporate cyber teams scrambling
Corporate IT departments across the globe were scrambling Tuesday to figure out if their networks were hit by a vulnerability in Intel processors that opened the chips up to hackers.
Intel announced the existence of vulnerability CVE-2017-5689 in its Active Management Technology, or AMT, firmware on Monday, saying it had not been exploited in the wild.
“An unprivileged network attacker could gain system privileges” by remotely exploiting the vulnerability, the company said, revealing that it impacted chips shipped since 2008, but not ones used in consumer personal computers.
“Yes, this is terrifying,” wrote security researcher Matthew Garrett on his blog.
If hackers learned how to exploit the vulnerability — which Intel rated “critical” — they would have access to the powerful features of AMT, a technology designed to let the IT department of a company remotely manage large numbers of computers.
“AMT provides a web [user interface] that allows you to do things like reboot a machine, provide remote install media or even… get a remote console,” explained Garrett.
Importantly, these “out of band” management tools work on the computer below the level of the operating system — completely out of view of any security software or anti-malware protection.
“God help you if this service is exposed to the public internet,” commented the British tabloid IT trade news publication The Register.
But an Intel spokesman told CyberScoop there was no evidence anyone had actually used the security flaw to break into any computers.
“We are not aware of any exploitation of this vulnerability,” William Moss said via email.
Waiting on vendors
Intel learned of the vulnerability last month from a security researcher called Maksim Malyutin, and had moved immediately to get a fix in place, Moss told CyberScoop.
“We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible,” Moss said.
And there’s the rub. Because the Intel chips were shipped in computers made by dozens of different manufacturers, end-users will have to wait until their vendor provides the firmware update. Assuming that their products are still being supported by the manufacturer.
No figures were immediately available for the total number of chips affected, and security researchers spent Monday debating how widely exploitable the vulnerability might be in real life.
“Most Intel systems don’t ship with AMT. Most Intel systems with AMT don’t have it turned on,” wrote Garrett. He told CyberScoop it would be impossible to know exactly how many machines might be impacted without more detailed information from Intel.
“The number of machines with AMT enabled and accessible to the outside world is probably pretty tiny,” he said via Twitter. Indeed, one estimate, compiled using the Shodan search engine by security researcher HD Moore and reported by Ars Technica, put the number at fewer than 7000.
“But they are almost certainly corporate networks, where this [vulnerability] could be used to spread from a single machine to others,” added Garrett.
Corporate end-users can consult Intel’s advisory and detection guide to find out if they are affected. If they are, they should check the mitigation guide for advice on temporarily blocking the vulnerability while waiting for a firmware patch from the manufacturer.