There should be prizes for this. Let’s call them The Oopsies. The most bafflingly easy servers to hijack, turn out to be those running Intel’s Active Management Technology (AMT).
People warned me about this, and I pooh-pooh’d it. Please hand me a scraper so that I can wipe the egg off my face. The servers are so wickedly simple to jack that a third-grader can log into them and merrily do essentially root damage.
That the largest server CPU provider on earth doesn’t fall all over itself in sincere apologies (United Airlines gone wrong?) doesn’t surprise me. No one falls on their sword anymore. No one takes product managers out behind the cafeteria and strips the access key fob from the management toy room. It’s all just jolly. Oops. Sorry, folks.
Intel, the purveyor of most of the servers that AMD and Oracle don’t sell on the planet, which was already most of them, screwed up—to put it politely. Last week, Intel issued a security advisory saying its AMT, Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6 have a vulnerability that allows “an unprivileged attacker to gain control of the manageability features provided by these products.”
That is an understatement.
The correct verbiage should be: “Our black-box remote management feature turned out to be a security hole the size of the Milky Way Galaxy, but we augmented it for 11 years for your convenience.”
Intel recommends vulnerable customers install a firmware patch. And it said in a published statement, “We have implemented and validated a firmware update to address the problem, and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software. We expect computer makers to make updates available beginning the week of May 8 and continuing thereafter.”
This patch initially comes only in Windows flavor, and it must be performed on each and every Intel server in your fleet.
Most firewalls already have been protecting the port that you can merrily climb into and hoist your favorite flag. Maybe.
As Dan Goodin, now at Ars Technica, notes, the issue is scarier than it looks. Over 2,000 servers in the U.S. alone have been found, apparently. Those are just the ones that face the public. How many of them are inside your protected domains? Why ask? Because the same trick to use AMT works inside your firewall just as well as it does up against it, where things aren’t usually protected, inside of a magical, unreal world called your network.
Let’s do a quick review:
1. You’re going inside every one of your servers everywhere, no exceptions, and ensuring that unused ports are turned off. Unused ports mean anything you’re not actively going to use, right? Yeah, we know that between Microsoft, VMware and maybe a lot of dodgy management software, you’ve got maybe 100-plus ports open. How about this one? Do you even know what the AMT port number is? 16992-16995, as well as 5900 and 623/664 are the correct answers.
2. Your firewall does this, too, right? Same port, same block. Right?
3. You’re doing this on your Wi-Fi and management network backplane, too, right? Do you know exactly the ports you need? Do you have the audit to prove it?
4. You’re using VLANs to segment your network(s), right? Do all of your VLANs follow the same regimen? They don’t? Why not?
5. No, this doesn’t have to do with Windows, but the first fixes will arrive on Windows. Windows is the only operating system in the world, right? The mind reels. Intel should be providing a foolproof method to just kill dead AMT, period, end of story.
6. If necessary, you may have to take matters into your own hands and wholesale kill the entire Intel Management Engine/ME to prevent its black-box hardware from doing evil. Linux diehards have been working on this for a while, but it’s not easy. Then it must be done on ALL your Intel servers. Enjoy.
7. Remember that every single one of your Intel processor-based server devices, discrete servers, a healthy dose of point of sale systems, ad infinitum are susceptible to the backdoor going back to, yes, 2006.
8. AMD is in a similar position of providing a management plane interface, but so far I can find no criticisms of it other than that it’s not Intel’s, and no salient CVEs. Yet.
9. Router and IDS/IPS jockeys know how to watch for errant traffic to the aforementioned ports. Have you checked recently? Have you looked at your syslogs to see if the AMT ports have been sniffed?
10. If you’d like to send a nastygram to Intel, feel free. Tell them that shell access to your machines can be accomplished in fun and novel ways. Tell them of your deep glaring dissatisfaction with a backdoor into your primary server assets. Then remind yourself of the problem with monopolies.
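Items 1, 2 and 9 above come down to one check: is anything talking to the AMT ports, and from where? Here is an added example (mine, not code from the column or from Intel) that scans constructed iptables-style firewall log lines for traffic to the ports listed in item 1 and splits the hits into internal and external sources. It assumes RFC 1918 ranges define “inside”; the log format and addresses are made up for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Ports the checklist names for Intel AMT/ISM/SBT management traffic.
AMT_PORTS = {16992, 16993, 16994, 16995, 5900, 623, 664}

# Assumed definition of "inside": RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of iptables-style firewall log lines (not real traffic).
SAMPLE_LOG = """\
May  9 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=16992
May  9 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
May  9 10:02:15 fw kernel: IN=eth1 OUT= SRC=10.20.30.40 DST=10.20.30.5 PROTO=TCP SPT=40022 DPT=623
May  9 10:02:16 fw kernel: IN=eth1 OUT= SRC=10.20.30.40 DST=10.20.30.5 PROTO=UDP SPT=40023 DPT=664
May  9 10:03:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=33333 DPT=5900
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def is_internal(addr):
    """True if the address falls in one of the assumed internal (RFC 1918) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_amt_hits(log_text):
    """Return (src, dst, proto, dport, internal) for every line whose destination port is an AMT port."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection line we understand
        dport = int(m.group("dpt"))
        if dport not in AMT_PORTS:
            continue
        src = m.group("src")
        hits.append((src, m.group("dst"), m.group("proto"), dport, is_internal(src)))
    return hits


def summarize(hits):
    """Count AMT-port hits per source address, external origins separate from internal ones."""
    external = Counter(h[0] for h in hits if not h[4])
    internal = Counter(h[0] for h in hits if h[4])
    return external, internal


if __name__ == "__main__":
    ext, internal = summarize(find_amt_hits(SAMPLE_LOG))
    print("external sources probing AMT ports:", dict(ext))
    print("internal sources probing AMT ports:", dict(internal))
```

Internal hits are the ones the column is warning about: a firewall block at the edge does nothing for a host already on the same VLAN as the server.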