SITUATION REPORT
Actor Type: II
Serial: SR-18-017-001
Countries: IN, CN
Report Date: 20180113
Security Vulnerability Identified in Intel’s AMT
A vulnerability has been identified within Intel’s Active Management Technology, which could allow attackers to bypass logins and place backdoors, giving them remote access to the target laptop. This remote access can be exploited within one minute.
Intel® Active Management Technology (Intel® AMT) is a feature of Intel® Core™ processors with Intel® vPro™ technology and workstation platforms based on select Intel® Xeon® processors. Intel® AMT uses integrated platform capabilities and popular third-party management and security applications to allow IT or managed service providers to better discover, repair, and help protect their networked computing assets. Intel® AMT also saves time with remote maintenance and wireless manageability for your mobile workforce, and secure drive wiping to simplify PC lifecycle transitions [1].
Impact:
The vulnerability allows anyone with physical access to the affected laptop to bypass the need to enter login credentials, including user, BIOS, and BitLocker passwords. This allows attackers to enable remote administration for post-exploitation and to install backdoors and rootkits.
While setting a basic input/output system (BIOS) password normally prevents an unauthorized user from booting the device or making low-level changes, it does not prevent access to the Active Management Technology (AMT) BIOS extension. This permits an attacker to reconfigure AMT, which enables remote exploitation if the default password has not been changed [1]. The attacker can then change the default password, enable remote access, and set the AMT's user opt-in to 'none.' This permits remote access to the device without the user's knowledge or input. This works only if the attacker is on the same network as the target.
Researchers have found AMT vulnerabilities in the past, but this issue is of particular concern due to the following reasons:
- It is easy to exploit without writing a single line of code
- It affects almost all laptops
- It allows attackers to gain remote access
Exploitation Process[2]:
After an attacker has gained physical access to a victim laptop, they reboot the target’s machine and enter the boot menu. Normally an attack is stopped at this point, as the attacker would not know the proper BIOS password. In this scenario, the attacker has a workaround: the AMT. By selecting Intel’s Management Engine BIOS Extension (MEBx), an attacker can log in using the default password “admin,” as this has most likely not been changed by the user. By changing the default password, enabling remote access, and setting the AMT’s user opt-in to “None,” an attacker has then effectively compromised the machine. From this point, the attacker can gain access to the system remotely as long as they are able to access the same victim network. Although the successful exploitation of this security issue requires physical proximity, it could be executed by an attacker of any tier level.
Mitigation:
Users and IT administrators in an organization are advised to change the default AMT password on their devices to a stronger one, or to disable AMT if the option is available.
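To find which machines need this mitigation, an administrator can check which hosts in their own asset inventory answer on AMT's network service ports. The script below is an added example, not part of the original report; the port numbers (16992-16995) are Intel AMT's standard TCP ports and are not listed in the report, and the function names are illustrative.

```python
"""Fleet check: which of our own hosts answer on the Intel AMT service ports?"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Standard Intel AMT TCP ports (an addition; the report does not list them):
# 16992/16993 = web UI and WS-Management over HTTP/HTTPS,
# 16994/16995 = redirection (SOL/IDE-R), plain/TLS.
AMT_PORTS = (16992, 16993, 16994, 16995)


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, name resolution failure
        return False


def audit(hosts, ports=AMT_PORTS, timeout=1.0, workers=32):
    """Map each host to the sorted list of AMT ports that accepted a connection.

    Hosts with no reachable AMT port are omitted from the result.
    """
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: port_open(hp[0], hp[1], timeout), pairs))
    findings = {}
    for (host, port), is_open in zip(pairs, results):
        if is_open:
            findings.setdefault(host, []).append(port)
    return {h: sorted(ps) for h, ps in findings.items()}


if __name__ == "__main__":
    # Usage: python amt_audit.py host1 host2 ...  (hosts from your own inventory)
    for host, open_ports in sorted(audit(sys.argv[1:]).items()):
        print(f"{host}: AMT reachable on {open_ports}; verify MEBx password and user opt-in")
```

Run it from a management host on the same network as the laptops. A hit shows that AMT is answering on the network, not whether its password is still the default, so each flagged machine still needs its MEBx settings reviewed.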
[1] https://www.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html