Modern processors are extremely complicated devices and aren’t single purpose number crunching machines as they were in the past. A modern CPU contains subsystems responsible for power management, remote administration, hardware security, and much more. Intel brands this collection of technologies as vPro. The subsystem with perhaps the most attack surface is branded as Intel Active Management Technology (AMT), a system designed to allow for remote administration of corporate computer assets. It provides out of band administration, meaning an authorized administrator can perform any number of tasks on the machine without requiring specific operating system features like a functioning Windows install or separate software running on the system. This week researchers discovered a critical flaw in the AMT system allowing for an unauthorized user to completely takeover affected machines.
Intel AMT runs on a dedicated microprocessor embedded in the normal CPU and as such isn’t something a normal user ever has to deal with. It is able to piggyback on the normal networking stack exposed to the operating system to allow for out of band management of the machine without any user interaction. Due to it being embedded in the processor it has almost complete and unrestricted access to the system. This makes finding flaws in it extremely valuable to researchers and hackers. Luckily the flaw found this week was discovered by internal Intel researchers whose goal it is to discover critical vulnerabilities before attackers do. CVE-2020-8758 was disclosed in a security advisory and ranks a 9.8/10 on the CVSS scale. The flaw is the result of improper buffer restrictions in the network component of the AMT subsystem and could allow for privilege escalation and complete takeover of a system running the vulnerable version. The critical flaw requires that AMT has been previously provisioned by a system administrator and that an attacker can reach the system over the network.
While the main vulnerability disclosed requires AMT to be provisioned, a second attack scenario was also disclosed which is able to attack an un-provisioned AMT instance. In this attack scenario an attacker would require local access to the machine to exploit the flaw. While not nearly as critical of a remote over-the-network exploit, it can pose a threat for systems exposed to public access such as shared computing resources or cases where a machine may be left unattended for an amount of time.
While no known attacks utilizing the flaw have been seen yet ,Intel recommends that systems running the affected firmware versions are patched immediately.