Wired

Hack Brief: Intel Fixes a Critical Bug That Lingered for 7 Dang Years

https://www.wired.com/2017/05/hack-brief-intel-fixes-critical-bug-lingered-7-dang-years/

Since Intel makes the processors that run, well, most computers, any Intel chip vulnerability—especially one that’s been around for nearly a decade—rings alarms. In the wake of Intel disclosing a longstanding flaw in the remote system management features of some popular Intel chipsets, manufacturers are scrambling to release patches. It’s not an unmitigated disaster, and it affects enterprises more than consumers. But make no mistake, it’s going to take a major effort to fix. The Hack The vulnerability lies in Intel’s remote management programs that run on a dedicated microprocessor called the Management Engine. Intel says that three of its ME services—Active Management Technology, Small Business Technology, and Intel Standard Manageability—were all affected. These features are meant to let network administrators remotely manage a large number of devices, like servers and PCs. If attackers can access them improperly they potentially can manipulate the vulnerable computer as well as others on the network. And since the Management Engine is a standalone microprocessor, an attacker could exploit it without the operating system detecting anything. Intel has released a firmware patch to address the bug, and says that it hasn’t detected any exploitation. A challenge to actually resolving the problem, though, is its ubiquity. Every impacted manufacturer will have to release a tailored version of the patch, assuming the products aren’t too old to receive support.... “The biggest problem is probably going to be in corporate environments, where getting access to a single machine inside the network now lets you get remote desktop access to a large number of client systems,” says Matthew Garrett, a security researcher who has been monitoring the vulnerability. “Some companies are likely to have to choose between buying new hardware, disabling a vital part of their IT management infrastructure, or leaving it vulnerable.” Who’s Affected? Some good news! A lot of Intel chipsets include the Management Engine, but only some incorporate the vulnerable remote access programs like Active Management Technology. Macs, for instance, aren’t impacted by this. And since these services aren’t turned on by default, most consumer devices shouldn’t have trouble. The search engine Shodan, which indexes internet-connected devices, shows that fewer than 6,500 potentially affected devices are visible on the open internet....Additionally, the researchers who reported the bug to Intel say that it may be exploitable on even more computers than are currently thought to be vulnerable. Since the Management Engine and related services have special system privileges and direct hardware access to begin with (appealing properties for an attacker to exploit), experts aren’t shocked to hear about this vulnerability. “A lot of people have felt a security issue in AMT was likely—and plenty of people in the security and free software communities have been talking about the dangers of the Management Engine in general for years,” Garrett says. Now that those worries have been confirmed, it’s time for system administrators and IT departments to get patching.