vSOC SPOT Report – Intel AMT Vulnerability

Overview

On Friday, January 12th, 2018 researchers at F-Secure disclosed a vulnerability involving Intel’s Active Management Technology (AMT) firmware. The vulnerability can allow an attacker with physical access for as little as 30 seconds to gain full remote access to the machine.

This bypasses operating system logins, BIOS, TPM, BitLocker and local firewall credentials. Mitigation primarily involves disabling AMT or changing the AMT default credentials, which are different from that of the BIOS and the OS.

Technical Overview

Intel’s Active Management Technology (AMT) is a feature built into Intel processors that use vPro, as well as in machines using processors from their Xeon line. This limits the effect primarily to enterprise-grade workstations and servers.

The vulnerability was discovered in July of 2017 by F-Secure’s Harry Sintonen, however, it was not disclosed until the morning of January 12th, 2018. A timeline of events between discovery and disclosure can be found on his website.

Attackers can access the machine by pressing ctrl-p during the machine’s boot-up sequence to access the boot menu. From there all that’s required is to navigate to and select  “Intel(R) Management Engine BIOS Extension (MEBx)”, select “MEBx” login and type in the default password of “admin”.  Additionally, if USB provisioning has not been disabled it’s also possible to carry out the attack automatically with a properly setup and configured flash drive.

Once MEBx has been entered via the boot menu, the intruder can then change the default password and enable remote access. While ethernet access will be available “right out of the box,” wifi access is not enabled by default. However, this can be easily set with a few changes to the wireless management once ethernet access has been established. Configuring the machine to reach out on it’s own is also possible via Client Initiated Remote Access (CIRA). This means that the system can still be accessed from any network on which the client can send outbound data through the firewall.

Potential Impact

All Intel processors that utilize vPro software or possess an Intel Xeon processor are potentially vulnerable. The exception to this seems to be Asus laptops or those that have been specifically configured to request a BIOS password before allowing access to the AMT MEBx extension.

A list of all vPro systems and manufacturers is available from Intel’s website here: https://msp.intel.com/find-a-vpro-system. Unfortunately, there does not seem to be an equivalent resource for those machines containing Xeon processors.

What You Should Do

Mitigation primarily involves one of two aspects, the first of which being to disable AMT altogether, however, this is not possible in some business contexts depending upon how reliant the organization is on AMT facilitated services.

The second method of mitigation is to go in and manually set a password for AMT. This provides some measure of protection, however, it can still be bypassed by performing a CMOS reset. This is generally done by removing and replacing the CMOS battery, or shorting a jumper on the motherboard, which essentially turns the CMOS memory “off and back on again”. Simply turning off the host does not affect the CMOS.

This is still recommended if AMT cannot be disabled as it significantly increases the amount of time and difficulty for an attacker to successfully carry out the attack, reducing the likelihood of a successful compromise happening unnoticed in a public place, such as through the proverbial “evil maid” attack.

It’s also worth noting that some vulnerability and system management tools also often collect data and statistics such as hardware information. This could be useful for identifying how many and which machines may be vulnerable to the attack.

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

• List of vPro Systems
  • https://msp.intel.com/find-a-vpro-system
• Security Best Practices of Intel® Active Management Technology Q&A December 2017
  • https://www.guidepointsecurity.com/wp-content/uploads/2018/01/Intel_AMT_Security_Best_Practices_QA.pdf
• Intel(R) Active Management Technology MEBx Bypass
  • https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt
• A Security Issue in Intel’s Active Management Technology (AMT)
  • https://business.f-secure.com/intel-amt-security-issue
• F-Secure Intel AMT FAQ
  • https://images.news.f-secure.com/Web/FSecure/%7Bb7f942eb-8ab9-41bb-afa0-792ed76306b7%7D_F-Secure_Intel-AMT_FAQ.pdf
• Researcher finds another security flaw in Intel management firmware
  • https://arstechnica.com/information-technology/2018/01/researcher-finds-another-security-flaw-in-intel-management-firmware/
• Intel® Active Management Technology – Query, Restore, Upgrade, and Help Protect Devices Remotely
  • https://www.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html