AMT vulnerabilities recently reported by Intel are more serious than earlier ones
Security firm Positive Technologies, which does extensive research into Intel's Management Engine, says that Intel recently disclosed serious AMT vulnerabilities that are easier to exploit than earlier ones.
In a blog post, Positive Technologies refers to two recent Intel security advisories, SA-00112 and SA-00118, and highlights a vulnerability from the first of them. Intel describes it, under the identifier CVE-2018-3628, as "a buffer overflow in the HTTP handler in AMT within the Management Engine, which allows an attacker to execute arbitrary code." The attacker must be on the same subnet as the target.
According to the security company, this amounts to remote code execution, with the subnet requirement as the only limitation. "This is the scenario that has been a nightmare for many Intel users and has now become a reality," the company said. No AMT administrator account is needed to exploit the vulnerability. It does, however, require AMT to be enabled and provisioned: on a system where AMT has never been provisioned, the Management Engine does not listen on the network and the HTTP handler is not reachable. The bug resembles one described by security firm Embedi in the middle of last year. Intel says it found the current vulnerabilities itself.
Active Management Technology, or AMT, is available on systems with Intel vPro processors and chipsets, among others, and is used to manage a system remotely. AMT is part of the Management Engine, which runs on a separate processor in the chipset. Because that processor operates independently of the main CPU, it remains reachable while the system itself is powered off, as long as the board has standby power and a network link. It has access to a range of system functions. The Management Engine, in turn, lives in the Platform Controller Hub.
Intel writes in its advisory that the vulnerability affects AMT in Management Engine firmware versions 3.x through 11.x, which cover many generations of its Core processors, among other products. For Core processors of the Skylake generation, which run ME 11.x firmware, the fix is firmware version 11.8.50; the older firmware branches each have their own fixed version, listed in the advisory.
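Because the attack surface is AMT's HTTP handler on the local subnet and the fix is a firmware version, the practical check is to find hosts that answer on AMT's web port and read the firmware version they advertise. AMT's web interface listens on TCP 16992 (plaintext) and 16993 (TLS) and identifies itself in the HTTP `Server` header as `Intel(R) Active Management Technology <version>`. The script below, added here as an example and not code from Positive Technologies, Intel or the article, probes a host for that banner and classifies ME 11.x versions against the 11.8.50 fix level the article reports; the other affected branches are only flagged for a manual look at the advisory, since the page does not give their fixed versions. The mock AMT server, the function names and the sample version strings are assumptions made for an offline demonstration.

```python
"""Probe hosts for Intel AMT's HTTP handler and flag firmware below the
fix level reported for ME 11.x (11.8.50, per Intel SA-00112 as quoted in
the article). Example code added to this page; not Intel's or Positive
Technologies' tooling."""
import http.client
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

AMT_HTTP_PORT = 16992           # AMT plaintext web/WS-Management port; 16993 is the TLS port
FIXED_11X = (11, 8, 50)         # first fixed ME 11.x firmware named in the article
BANNER_RE = re.compile(r"Intel\(R\) Active Management Technology\s+(\d+(?:\.\d+)*)")


def probe_amt(host, port=AMT_HTTP_PORT, timeout=2.0):
    """Return the AMT firmware version string from the Server header,
    or None if the port is closed or the service is not AMT."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/index.htm")  # AMT answers 401 + Digest challenge here
        resp = conn.getresponse()
        server = resp.getheader("Server") or ""
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    m = BANNER_RE.search(server)
    return m.group(1) if m else None


def parse_version(version):
    return tuple(int(x) for x in version.split("."))


def assess(version):
    """Classify a version string. Only the ME 11.x threshold from the
    article is encoded; 3.x-10.x are affected branches whose fixed
    versions must be looked up in Intel's advisory."""
    if version is None:
        return "no-amt"
    parts = parse_version(version)
    if parts[0] == 11:
        return "fixed" if parts[:3] >= FIXED_11X else "vulnerable"
    if 3 <= parts[0] <= 10:
        return "check-advisory"
    return "unknown"


def sweep(hosts, port=AMT_HTTP_PORT):
    """Probe each host once and return {host: (version, assessment)}."""
    results = {}
    for host in hosts:
        version = probe_amt(host, port)
        results[host] = (version, assess(version))
    return results


class _FakeAMT(BaseHTTPRequestHandler):
    """Constructed mock of AMT's web interface (assumption, for offline use):
    replies 401 with a Digest challenge and the AMT banner as Server header."""
    version_banner = "11.0.0.1160"   # constructed sample version, below the fix level

    def version_string(self):        # BaseHTTPRequestHandler uses this for the Server header
        return f"Intel(R) Active Management Technology {self.version_banner}"

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate",
                         'Digest realm="Digest:0123456789ABCDEF", nonce="AAAA", qop="auth"')
        self.end_headers()

    def log_message(self, *args):    # keep the demo quiet
        pass


def start_fake_amt(banner="11.0.0.1160"):
    """Start the mock on an ephemeral loopback port; return (host, port, server)."""
    _FakeAMT.version_banner = banner
    srv = HTTPServer(("127.0.0.1", 0), _FakeAMT)
    Thread(target=srv.serve_forever, daemon=True).start()
    return "127.0.0.1", srv.server_address[1], srv


if __name__ == "__main__":
    host, port, srv = start_fake_amt()
    print(sweep([host], port))     # real use: sweep(subnet_hosts) on port 16992
    srv.shutdown()
    srv.server_close()
```

On a real network, run `sweep` over the subnet's addresses on port 16992 (and 16993 if you add TLS); a host that answers with the banner is one whose AMT is provisioned and therefore exposed to the subnet vector the article describes, regardless of whether the OS is running.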
The security company also discusses CVE-2018-3627, which is described in the other advisory, SA-00118. It likewise allows arbitrary code execution and is said to be easier to exploit than earlier ME vulnerabilities Intel has patched, but it requires local access to the machine; Intel's advisory lists it as needing local administrative privileges. Positive Technologies says it will keep investigating the vulnerabilities that have now been fixed. The company previously discovered that the ME can be largely disabled, through an undocumented "HAP" bit, an option that manufacturers such as Purism and System76 make use of. Critics call the ME a backdoor because of the far-reaching access it has to the system.