Exploitable Details of Intel's 'Apocalyptic' AMT Firmware Vulnerability Disclosed

Details of the Intel AMT firmware vulnerability announced on May 1, 2017 are now public knowledge; and the suggestion that ‘this is somewhere between nightmarish and apocalyptic’ has been proven correct.

One day after Intel’s alert, Embedi (the firm that discovered the vulnerability back in February this year) published a brief note. One particular sentence stood out to researchers at Tenable: “With 100 percent certainty it is not an RCE but rather a logical vulnerability.”

This persuaded Tenable to look at ‘authentication’ as the possible basis for a logical flaw that allows remote access. Within one day it discovered the flaw by trial and error — and experience.

“Drawing on past experience,” explains Carlos Perez, Tenable’s director of reverse engineering in a blog post last Friday, “when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded!”

Further tests showed that a NULL/empty response hash (response=”” in the HTTP Authorization header) still worked. “We had discovered a complete bypass of the authentication scheme.”

Tenable asked Intel if this was the flaw in question. Intel said it was, and asked Tenable to delay publication until the end of the day on Thursday Pacific time (effectively Friday). This gave Embedi (the original finder of the flaw) time to simultaneously publish its own findings on Friday.

If Tenable could find the flaw within a single day, blackhats could do the same. The time for obfuscation had passed. While Tenable had found the flaw, Embedi’s whitepaper (PDF), also published Friday, explains it.

Embedi had been looking into AMT and its admin account that is present by default and always uses digest authentication. By reverse engineering the firmware it discovered, “The value of the computed response, which is the first argument, is being tested against the one that is provided by user, which is the second argument, while the third argument is the length of the response. It seems quite obvious that the third argument of strncmp() should be the length of computed_response, but the address of the stack variable response_length, from where the length is to be loaded, actually points to the length of the user_response!”

In short, it explains, “Given an empty string the strncmp() evaluates to zero thus accepting an invalid response as a valid one.”

Armed with this knowledge, any attacker could get admin control over AMT. It is the power of AMT that makes the vulnerability so severe. “First of all,” explains Embedi, “you should remember that Intel AMT provides the ability to remotely control the computer system even if it’s powered off (but connected to the electricity mains and network).” Furthermore, it is completely independent of the installed operating system. No traditional security defense could even see, let own prevent, anything done through AMT.

Embedi describes some of the possible attack scenarios. These include, remote load and install of any file onto the target system; read any file; remotely change the boot device to some other virtual image; remotely power on/power off/reboot/reset and do other actions; and even edit the BIOS setup.

The situation now is that any business PC that uses AMT, ISM or SBT that has not received the Intel firmware patch, is vulnerable to a silent, unpreventable, major attack — and details of how to perform the attack are public knowledge. Several PC vendors have started rolling out the new Intel firmware (DellHPLenovoFujitsu) — but some older and boutique PCs may never receive the patch.

On Friday, May 5, 2017, Intel issued an update to its original alert. It reiterates its original recommendations. Intel users should first determine whether they are vulnerable (that is, if the devices incorporate AMT, ISM or SBT), and then take the mitigation steps already published. But note, it adds, “capabilities and features provided by AMT, ISM and SBT will be made unavailable by these mitigations.” 

Intel has also released a discovery tool, which will analyze systems to see if the vulnerability is present.

What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option. 

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags: