Remote security exploit in all 2008+ Intel platforms

Mattias Geniar, May 02, 2017

Intel just released their security advisory for an “escalation of privilege” vulnerability. It’s a bad one.

If a server/desktop is installed with Intel’s AMT (Active Management Technology), it’s remotely exploitable by unauthenticated users. Aka: anyone.

If a server/desktop isn’t installed with AMT, it’s still locally exploitable by anyone with a local user account. Think shared hosting/terminal server environments.

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.

If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

And:

Depending on whether you are a glass half empty or half full type, there is a bit of good news. This flaw is remotely exploitable only if you have AMT turned on, that is the ‘good’ news. The bad news is that if you don’t have it turned on or provisioned the vulnerability is still exploitable locally.

If you aren’t the half full type, you might sum this up by saying there is no way to protect a manageable Intel based computer until this hole has been patched, it is that bad. Let me repeat, you can not protect a manageable PC or server with this flaw until there is a patch, period.

Source: Remote security exploit in all 2008+ Intel platforms – SemiAccurate

Intel made a whitepaper available to help mitigate this vulnerability: INTEL-SA-00075 Mitigation Guide.