Security researchers at an antivirus company have documented another potentially serious security hole in an Intel product, this time in the mechanism for performing system updates. The good news, however, is that it is limited to desktops, is a configuration error, and does not appear to impact servers.
Last June, researchers at F-Secure found a flaw in Intel’s Active Management Technology (AMT), a feature used to perform remote updates to advanced desktops using Intel vPro or workstation platforms using Core desktop chips and certain Xeon CPUs. Xeon is primarily a server processor but there are some low-end chips used in high-performance workstations, such as those used in a CAD environment.
AMT is designed to allow administrators to access and perform updates to PCs even if the PCs are turned off, so that they don’t have to go from computer to computer performing updates. Instead, an update is pushed out from a central location.
What F-Secure found is that an attacker can gain full access to an entire machine, including encryption keys. The vulnerability allows a local intruder — key word local — to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM PIN, BitLocker and login credentials are in place.
“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, the F-Secure security consultant who found the bug, in a blog post.
Normally computers with AMT have a BIOS password to prevent making low-level changes, but due to insecure defaults in the BIOS and AMT’s BIOS extension (MEBx) configuration, an attacker with physical access can log in using the default password “admin.” Given the bad security habits of many people, there’s a good chance this default password was not changed.
By changing the default password, enabling remote access and setting AMT’s user opt-in to “None,” the attacker has now backdoored the machine and can gain access to the system remotely, assuming the attacker is on the same network as the target machine.
Intel says this is a problem in how the machine is configured by the OEM. It recommends that MEBx access be gated by the BIOS password, and has said so since 2015. What F-Secure found is that some system manufacturers were not requiring a BIOS password to access MEBx. So Intel updated its guidance for proper AMT/MEBx security in December.
Again, it must be emphasized that this exploit a) requires local access to the computer, b) requires the attacker to be on the same network for further exploits, and c) does not impact Xeon servers. With the hysteria over Meltdown, this vulnerability is getting a bit of shrill coverage that is not warranted.
Intel, though, has to tighten up AMT, because this is not the first problem to emerge. Last year, security researchers also found vulnerabilities in Intel AMT, which could have allowed attackers to “access everything,” including memory and encryption keys. Intel has since released patches.