Welcome to the SecAware blog

I spy with my beady eye ...

18 May 2017

NBlog May 18 - racing to rectify an Intel backdoor

A passing security advisory caught my beady eye this morning. It warns about a privilege escalation flaw in Intel's Active Management Technology, Small Business Technology and Intel Standard Manageability hardware subsystem incorporated into some of their CPU chips, ostensibly to facilitate low-level system management.

For convenience, I'll call it AMT.

18 days ago, Intel disclosed a design flaw in AMT that creates a severe vulnerability allowing hackers to gain privileged access to systems using the Intel “Q series” chipset, either locally or through the network depending on the particular technology.

In plain English, hackers and viruses may be able to infect and take control of your Intel-based computer through the Internet. It's similar to the WannaCry ransomware situation, only worse in that they don't need to trick you into opening an infectious email attachment or link: they can just attack your system directly.

The wisdom of allowing low-level privileged system management in this way, through hardware that evidently bypasses normal BIOS and operating system security (i.e. a kind of backdoor), is in question. In corporate environments, I appreciate the need for IT to be able to manage distributed devices, and I guess they sometimes need to handle unresponsive systems where the CPU has locked up for some reason. Fine if the remote access facility employs adequate authentication, and cannot be compromised. Coarse if not.

Anyway, moving on, evidently "Q series" chipsets installed in 2010 or later may be vulnerable. Some PCs from HP, Dell, Lenovo, Fujitsu, Acer, Asus, Panasonic and Intel are affected, plus others such as custom or home-brew systems.

Intel have kindly released a software tool to check the vulnerability of a given system ... which means downloading and installing a program from a company that has admitted to a severe security flaw in its products - a risk in itself that you might like to evaluate before pressing ahead.

If you are willing to take chances, the tool is simple to run, generating a report like this on a vulnerable system:

Intel also released a technical guide on how to mitigate the vulnerability by disabling AMT. If the following acronym-laden paragraph doesn't put you off, it's worth reading the guide:

"Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability. For provisioned systems, unprovisioning must be performed prior to disabling or removing the LMS. Pending availability of the updated Intel manageability SKU firmware, Intel highly recommends mitigation of the local privilege escalation by removing or disabling the LMS."

If that is pure Geek, you'd best contact your IT support, or the company that supplied your PC, or Intel ... but please not me. I'm struggling to understand it myself. What is "CCM" that is evidently not disabled, and should I worry about the running microLMS service?
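The interim mitigation in Intel's guide quoted above comes down to two steps: unprovision AMT first, then stop and disable the Local Manageability Service (LMS) that runs inside Windows. The script below is an added PowerShell example, not code from this post, from Intel's detection tool or from its guide. It reports whether an LMS-style service is present on the host and, only when run with -Disable, stops it and sets its startup type to Disabled. The Windows service name "LMS" and the display-name patterns matched are assumptions to confirm on your own machine; the script does not unprovision AMT, which the guide says must happen before the LMS is disabled on a provisioned system.

```powershell
# Added example (not from the post, Intel's tool, or Intel's guide).
# Reports any Intel LMS-style service and, with -Disable, stops and disables it.
# Assumptions: service name "LMS" and the display-name patterns below; verify
# with Get-Service before relying on them. This script does NOT unprovision AMT;
# the quoted guide requires that step first on provisioned systems.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable
)

# Candidate service names / display names (assumed, see above).
$candidates = Get-Service | Where-Object {
    $_.Name -in @('LMS') -or
    $_.DisplayName -like '*Local Management Service*' -or
    $_.DisplayName -like '*microLMS*'
}

if (-not $candidates) {
    Write-Output 'No Intel LMS-style service found on this host.'
    return
}

foreach ($svc in $candidates) {
    # Win32_Service exposes the startup type (Auto / Manual / Disabled).
    $startup = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    Write-Output ("Found service {0} ('{1}'): status={2}, startup={3}" -f
        $svc.Name, $svc.DisplayName, $svc.Status, $startup)

    if ($Disable -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
        }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output ("Service {0} stopped and set to Disabled." -f $svc.Name)
    }
}
```

Run it from an elevated PowerShell session; without -Disable it only reports, and `-Disable -WhatIf` previews the change without making it. Disabling the LMS addresses only the local privilege escalation path that the guide describes; the network-facing AMT interface lives in the chipset firmware, so the updated firmware from the PC vendor, together with unprovisioning, remains the actual fix.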

Gary (Gary@isect.com)
