
Explained: How the Intel AMT Vulnerability Allows Computers to Be Hacked Remotely


Earlier this week Intel announced a critical escalation of privilege bug that affects the remote management features shipping with Intel server chipsets for the past seven years, which, if exploited, would allow a remote attacker to take control of vulnerable PCs, laptops, or servers.

The vulnerability, labeled CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software, versions 6 through 11.6.

The flaw was originally discovered by Maksim Malyutin, a member of the Embedi research team, in mid-February, who then responsibly disclosed it to the Intel security team.

My previous article, published earlier this week, was based on the partial information Maksim shared with The Hacker News; because the reported Intel AMT vulnerability was highly critical and could be exploited remotely, Embedi withheld the technical details until most sysadmins had updated their systems with patched firmware.

Today, the Embedi research team has disclosed complete technical details about the critical vulnerability, revealing that a remote attacker can hijack computers powered by Intel chipsets simply by sending an empty authentication string.

To understand how, I have compiled this piece explaining:
  • What is Intel AMT technology?
  • Where does the Intel AMT vulnerability reside?
  • How can an attacker exploit the Intel AMT vulnerability?

What is Intel AMT technology?

Intel-based chipsets come with an embedded technology, called Intel Active Management Technology (AMT), that extends the reach of IT administrators by allowing them to remotely manage and repair the PCs, workstations, and servers of their organization.

Using a web-based control panel, accessible on ports 16992 and 16993, which comes pre-installed on the chipset, an administrator can remotely manage a system.

The Intel AMT web interface works even when the system is turned off, as long as the platform is connected to line power and a network cable, because it operates independently of the operating system.

Where does the Intel AMT vulnerability reside?

To protect the Intel AMT web interface from unauthorized users, the service makes use of HTTP Digest and Kerberos authentication.

The escalation of privilege vulnerability resides in the way the Intel AMT web interface handles user authentication over the HTTP Digest protocol, which is based on a simple challenge-response paradigm.

Before going into the technical details of how this vulnerability is exploited, you first need to know how Digest authentication works.

Digest authentication completes in the following steps:
  • The client asks the server to initiate a login, and in response the server returns a randomly generated 'nonce' value, the HTTP method, and the requested URI.
  • Next, the user is prompted to enter a username and password.
  • Once entered, the client machine sends a hashed string (referred to as user_response), generated by applying a hash function to the entered username and password, the server-supplied nonce value, the HTTP method, and the requested URI, to the server.
  • The server also calculates a similar hashed string (referred to as computed_response) using the username and password stored in its database and the same three other values.
  • The server compares both strings using the strncmp() function and, if they match, allows the user to log into the Intel AMT web interface.
The Intel AMT vulnerability resides precisely in the strncmp() call that the server uses to compare the two hashed strings.
Syntax example:
strncmp (string_1, string_2, length)
where the length parameter defines how many characters need to be compared.
strncmp() is a binary-safe string comparison function that returns a negative, zero, or positive integer depending on whether string_1 is less than or greater than string_2; if they are equal over the compared length, it returns zero.


As is obvious, for successful authentication the user_response variable must be equal to the computed_response variable; thus the strncmp() function must return a zero value for any length.

But, according to the researcher, the programmers who coded this authentication process for the Intel platform mistakenly used the length of the user_response variable in the strncmp() function, instead of that of the computed_response variable, for the length parameter.
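The steps and the comparison defect described above, carried through in working code. This is an added example written for this page, not Embedi's or Intel's code: the Digest computation follows RFC 2617 (MD5 of username:realm:password, MD5 of method:URI, then MD5 over both with the nonce), the strncmp() is a Python model of the C function, and the server, realm, user name, and password are constructed for the demonstration. The vulnerable check takes the compare length from the client-supplied user_response, as the article says the firmware did; the fixed check takes the length from the server's own computed_response and uses a constant-time comparison.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response (no qop): a hash over the credentials,
    the server nonce, the HTTP method and the URI, as the steps above describe."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def strncmp(s1: str, s2: str, n: int) -> int:
    """Python model of C strncmp(): compare at most n characters, stopping at the
    first difference or at a terminating NUL. With n == 0 nothing is compared and
    0 ('equal') is returned, which is the heart of the AMT bug."""
    for i in range(n):
        c1 = s1[i] if i < len(s1) else "\0"
        c2 = s2[i] if i < len(s2) else "\0"
        if c1 != c2:
            return -1 if c1 < c2 else 1
        if c1 == "\0":
            break
    return 0


class DigestServer:
    """Toy server with one credential database; realm and users are constructed."""

    def __init__(self, users: dict):
        self.users = users
        self.realm = "Digest:EXAMPLE-REALM"  # constructed realm, not a real AMT value

    def challenge(self) -> str:
        return secrets.token_hex(16)  # fresh nonce per login attempt

    def _computed_response(self, username, method, uri, nonce):
        password = self.users.get(username)
        if password is None:
            return None
        return digest_response(username, self.realm, password, method, uri, nonce)

    def vulnerable_check(self, username, method, uri, nonce, user_response) -> bool:
        computed = self._computed_response(username, method, uri, nonce)
        if computed is None:
            return False
        # The defect the article describes: the compare length is taken from the
        # client-supplied user_response, so an empty response compares zero bytes.
        return strncmp(computed, user_response, len(user_response)) == 0

    def fixed_check(self, username, method, uri, nonce, user_response) -> bool:
        computed = self._computed_response(username, method, uri, nonce)
        if computed is None:
            return False
        # Length comes from the server's expected value, and the comparison is
        # constant-time, so neither a short response nor timing helps an attacker.
        return len(user_response) == len(computed) and hmac.compare_digest(computed, user_response)


def demo() -> dict:
    """Run a legitimate login, a wrong password and an empty response through both checks."""
    server = DigestServer({"admin": "correct horse battery staple"})  # constructed credential
    method, uri = "GET", "/index.htm"
    nonce = server.challenge()

    good = digest_response("admin", server.realm, "correct horse battery staple", method, uri, nonce)
    wrong = digest_response("admin", server.realm, "wrong password", method, uri, nonce)
    empty = ""

    return {
        "legit_vulnerable": server.vulnerable_check("admin", method, uri, nonce, good),
        "legit_fixed": server.fixed_check("admin", method, uri, nonce, good),
        "wrong_vulnerable": server.vulnerable_check("admin", method, uri, nonce, wrong),
        "wrong_fixed": server.fixed_check("admin", method, uri, nonce, wrong),
        "empty_vulnerable": server.vulnerable_check("admin", method, uri, nonce, empty),
        "empty_fixed": server.fixed_check("admin", method, uri, nonce, empty),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Only the empty_vulnerable case differs between the two checks: with n == 0 the modelled strncmp() never looks at a single character and reports equality, exactly as the article describes. The fix is not a different hash but a different length source plus a constant-time compare.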

How can an attacker exploit the Intel AMT vulnerability? (Demo)

(The video demonstration of the Intel AMT flaw above was submitted by our beloved readers and independent security researchers, Dhanunjaya.V & Jithin D Kurup, who have previously reported critical flaws in IP cameras, billboards, banks and payment gateways, and many Indian government sites.)

To exploit this logical flaw in the Intel AMT web interface, all an unauthorized attacker needs to do is send an empty (null) user_response to the server.

Since the strncmp() function mistakenly uses the character length of the user_response variable to authorize the user, which in this case is zero, the string comparison is tricked into comparing nothing and concludes that the attacker's response (user_response) is equal to the computed_response.

As both variables "match", the attacker is authenticated to the Intel AMT web interface and can do whatever an authorized administrator can do, gaining high-level privileges on the system.
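Because the authentication bypass is an HTTP request with an empty Digest response aimed at the AMT ports named above, a proxy or IDS that sees that traffic can flag it. The following detection logic is an added example for this page, not a tool from Intel, Embedi, or the article: the request records are constructed for the demonstration, the record format ("src dst_port method uri | Authorization value") is an assumption, and the check goes slightly beyond the article by also flagging any Digest response on an AMT port that is not a 32-character hex MD5 digest, since a well-formed response is always one.

```python
import re
from typing import Dict, List, Optional

# Ports of the Intel AMT web interface named in the article.
AMT_PORTS = {16992, 16993}

# Constructed sample request records (not real traffic), one per HTTP request,
# in the assumed format "src dst_port method uri | Authorization value".
SAMPLE_REQUESTS = [
    '10.0.0.7 16992 GET /index.htm | Digest username="admin", realm="Digest:EXAMPLE", nonce="a1b2c3", uri="/index.htm", response="0123456789abcdef0123456789abcdef"',
    '10.0.0.9 16992 GET /index.htm | Digest username="admin", realm="Digest:EXAMPLE", nonce="a1b2c3", uri="/index.htm", response=""',
    '10.0.0.9 16993 GET /logon.htm | Digest username="admin", realm="Digest:EXAMPLE", nonce="d4e5f6", uri="/logon.htm", response="abc"',
    '10.0.0.9 8080 GET /login | Digest username="admin", realm="other", nonce="ffff", uri="/login", response=""',
    '10.0.0.3 16992 GET /index.htm | Basic YWRtaW46c2VjcmV0',
]

# key="quoted value" or key=bare-token, as used in Digest headers
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')
_MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_digest(header: str) -> Optional[Dict[str, str]]:
    """Parse an 'Authorization: Digest ...' value into key/value pairs; None if not Digest."""
    if not header.startswith("Digest "):
        return None
    params: Dict[str, str] = {}
    for m in _PAIR.finditer(header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def analyze(records: List[str]) -> List[Dict[str, object]]:
    """Return one alert per Digest login attempt against an AMT port whose
    response field is empty or is not a well-formed 32-hex-character digest."""
    alerts = []
    for rec in records:
        head, sep, auth = rec.partition(" | ")
        if not sep:
            continue  # record without an Authorization value: nothing to inspect
        src, port_str, method, uri = head.split()
        port = int(port_str)
        if port not in AMT_PORTS:
            continue  # only the AMT web interface ports are in scope
        params = parse_digest(auth)
        if params is None:
            continue  # not Digest authentication (e.g. Basic)
        response = params.get("response", "")
        if response == "":
            reason = "empty-digest-response"
        elif not _MD5_HEX.match(response):
            reason = "malformed-digest-response"
        else:
            continue  # well-formed response; password correctness is the server's job
        alerts.append({"src": src, "port": port, "method": method, "uri": uri,
                       "username": params.get("username"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REQUESTS):
        print(alert)
```

Of the five constructed records, two produce alerts: the empty response on port 16992 and the three-character response on port 16993. The empty response on port 8080 is ignored because it is not an AMT port, and the Basic-auth request is ignored because it is not Digest. This only detects attempts; the firmware update and Intel's mitigation guide, covered below, remain the fix.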

Computers Can Be Hacked Even If They're Turned OFF

An attacker can also use the Keyboard Video Mouse (KVM) feature, available within the Intel AMT web panel, which runs at the hardware level and allows sysadmins to remotely take control of the whole system and perform tasks like:
"[Attacker] can remotely load, execute any program to the target system, read/write any file (using the common file explorer)," the research team wrote in its paper [PDF]. "Using IDE-R (IDE Redirection), [the attacker] can remotely change the boot device to another virtual image for example."
"Using SOL (Serial over LAN), [the attacker] can remotely power on/power off/reboot/reset and do other actions with this feature. Also, it can be used to access BIOS setup for editing," the team added.
In short, a potential attacker can do everything that a sysadmin can do: he can log into a vulnerable machine's hardware and silently perform malicious activities, like tampering with the system and installing virtually undetectable malware.

Install the Firmware Update to Patch the Vulnerability NOW!

The bug affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. Versions before 6 or after 11.6 are not impacted.

Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect whether any workstation runs AMT, ISM, or SBT, a detection guide to check whether your system is vulnerable, and a mitigation guide for those organizations that cannot immediately install updates.

So, Intel customers are strongly recommended to install the firmware patch without wasting a single second.

Also, there's a simple mitigation tool available on GitHub, created by malware researcher Bart Blaze, which is based on the Mitigation Guide provided by Intel.

All an affected user has to do is download and run DisableAMT.exe; it will disable Intel AMT on Windows operating systems (x86 and x64).