Intel AMT vulnerability: what you need to know

On May 1, 2017, Intel disclosed a serious flaw in its’ remote management feature: their server chipsets released since 2010 are vulnerable to unauthorized access, this way putting entire computer systems at risk of hijacking.

PC users, do not freak out yet – the flaw, labeled CVE-2017-5689, was reported to affect enterprise-level computers and servers only, so personal computers with consumer firmware are safe, as reported by Intel.

So where’s the bug?

The bug resides in Intel’s remote manageability firmware: Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) versions 6 to 11.6;  the earlier and later firmware versions are unaffected. Since Intel’s remote manageability features do not run on Apple’s Mac computers, their users have nothing to worry about.

What is Intel AMT technology?

Active Management Technology (AMT) is a remote manageability feature that combines specific firmware and hardware in order to enable IT admins to access network computers just as if they were on-site. Thanks to the AMT, the admins can install new programs, do server maintenance, reboot, repair, monitor and upgrade PCs without being physically present. It does not even matter if a personal computer is turned on or powered off – with the AMT technology enabled, system admin can access it, use its’ keyboard and mouse either way. Simply speaking, AMT lets you have full control over all computers on the network.

The option to access network computers – even those in the sleep mode – through a web browser has become highly convenient for system administrators. In order to do so, you just need to enter a password set by the admin. And this is where the AMT flaw has been hiding.

The Intel AMT vulnerability disclosed

The security gap in Intel’s AMT was discovered by Embedi researchers who detected it in February and reported to Intel. Just to stay on the safe side, all the technical details hadn’t been revealed until Intel implemented necessary security measures, this way preventing customers from potential hacker attacks.

As it appears, the flaw happens to be in the authorization step: when logging in as an administrator via web browser and prompted to enter the password, just leave it blank and you’re in. Basically, an empty login string makes an open door to any computer in the network with AMT enabled. “Silent Bob” – that’s how the researchers have dubbed the vulnerability allowing to bypass the authorization process.

There’s no big mystery behind the bug – according to the researchers, this was an obvious mistake of a programmer. Scary enough, since 2010, all business computers were shipped with the flaw-containing chipsets. It means that millions of processors released to the market during these 7 years are potentially vulnerable because of the AMT execution hole.

In terms of seriousness, the discovered bug is critical as it allows unprivileged attackers to get full control on AMT-enabled computers. For businesses, this would be devastating – all data and sensitive information could go into the hands of a hacker hands who might misuse it in the worst ways possible.

Have you been affected?

According to the official Intel report, only enterprise-level PCs are at risk of AMT vulnerability while consumer PCs are unaffected. However, in some specific cases, consumer users with business hardware are warned about the potential threat as well.

The thing is, many consumer computers may contain parts, both hardware and firmware, that were originally developed for small business machines. In this case, they may be affected by the “Silent Bob” through Small Business Advantage technology, a simplified version of Active Management Technology (AMT) dedicated specifically for small enterprises.

How to check if your PC is safe from Intel AMT vulnerability

Most chances are, your computer is safe from the dangerous AMT exploit. Nevertheless, if you feel like the case mentioned earlier might apply to you, run a quick check just to be absolutely calm about it. Go ahead and use the tool that Intel has released for IT admins to detect AMT-vulnerable machines.

1. Download the INTEL-SA-00075 Discovery Tool (supports Windows 7, Windows 8.1 and Windows 10).
2. Decompress the .zip file and open it.
3. Navigate to Windows subfolder.
4. Launch the Intel-SA-00075-GUI.exe
5. In a minute or so, the program will show a table with the diagnostics results. It will tell if your system is vulnerable to the exploit or not.

In order to address the problem of the Intel firmware bug, PC vendors, such as HP, Lenovo and  Dell, are taking action by working on security patches and are releasing lists of vulnerable device models. For some devices it may take longer to get a firmware update than for others, so users should check the schedules for firmware patches to know a time estimate. While waiting for security patches to be released, Intel’s recommendation for system admins is to perform the mitigation procedure and follow the steps presented in their guide.

Note for NordVPN users

We want to assure NordVPN users that our servers are immune to the AMT vulnerability. Our databases with Intel processors always had the AMT feature disabled; furthermore – now they have been patched.