Intel Fixes Critical Nine-Year-Old Bug

Written by

Intel is finally fixing a critical remote code execution vulnerability which may have been present inside its chips for almost a decade.

The elevation of privilege bug is found in the chip giant’s Active Management Technology, Small Business Technology and Intel Standard Manageability firmware.

That means consumer machines are off the hook. However, businesses with machines running vPro use those products to remotely manage their computers.

The vulnerability in question – CVE-2017-5689 – is said to “allow an unprivileged attacker to gain control of the manageability features provided by these products.”

Intel explained in its advisory:

“There are two ways this vulnerability may be accessed please note that Intel Small Business Technology is not vulnerable to the first issue.

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).

CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.”

The affected products are versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability.  Versions either before 6 or after 11.6 are not impacted, the chip giant claimed.

The de facto backdoor has been present in the affected products for the best part of 10 years, putting millions of corporate customers at risk, although Intel claimed there’s no evidence of it being exploited in the wild.

Intel explained that affected customers need to contact their OEM for the vital firmware update, and provided mitigations if a fix is not yet available.

The vulnerability itself was apparently discovered and reported in March by Embedi researcher, Maksim Malyutin.

What’s hot on Infosecurity Magazine?