Critical Backdoor Security Flaw in Many Intel CPU Business PCs – Regardless of Operating System

Intel AMT Critical Firmware Vulnerability

This describes a critical flaw in huge numbers of Intel-based PCs targeted toward businesses (but which consumers may also own).

I had limited space in the title to describe this.  This flaw applies primarily to business and enterprise PCs (as well as other form factor devices), but may include consumers’ PCs if their chipsets include an Intel processor and certain remote management hardware.  This would apply to huge numbers of businesses with PCs with Intel chips, regardless of operating system.  It could apply to consumers’ PCs which were originally from the business product line and were purchased from normal business SKUs, surplus, off-lease sales, etc.  Consumer PCs purchased through normal channels are not vulnerable as far as I know.

If the badge on a PC or other device says it has Intel vPro technology, it may be subject to the flaw.  But this is not the only indicator, nor is it decisive on its own.  Some PCs may have the flaw and it is not obvious.  This is the Intel Management Engine (ME) AMT flaw that has been covered in security circles lately and which affects enterprise machines.  If you have an AMD CPU and chipset, it is not vulnerable to this.  (AMD may be subject to other things, though.)

If your machine is subject to this flaw and it is attacked successfully, it could allow a local or remote attacker to completely take over the PC and monitor, control, corrupt, or damage it, including planting viruses.  The attack is possibly invisible, undetectable, and untraceable under normal operating conditions.  The management hardware with the flaw can sometimes run even when the PC is powered off, has no operating system, or is running any operating system, and may even give the attacker BIOS-level access remotely.

If you have this flaw, you need to fix it or mitigate it … period.  Do not allow affected PCs to be exposed directly to the internet.  Unless you need the remote management features (after they’re patched), block all affected ports at your edge router or internet gateway.  If you’re a home or small business, you probably just want to block ALL inbound ports at your edge router or internet gateway.  Patching the PC will require a firmware update from the manufacturer, which generally requires you to physically go to each machine.  Whether you patch the firmware or not, you should turn off these features in the BIOS and in the OS if they are not needed.  For organizations with more than a few PCs, note that you can be attacked from inside your LAN if there is a bad actor there, so blocking at the gateway alone is not enough.
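As an added defender-side check (example code, not from Ron’s post), here is a small Python script that asks a single host you administer whether its AMT web interface answers and which firmware version string it advertises, so you can compare it against your manufacturer’s patched release.  The port numbers and the `Server:` banner format are assumed standard AMT defaults; the post itself does not list them.

```python
import re
import socket

# Default Intel AMT listeners (assumption: standard port numbers, which the post
# does not list): 16992/16993 web UI and WS-Man, 16994/16995 redirection, 623/664 ASF.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)

SERVER_RE = re.compile(rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
                       re.IGNORECASE | re.MULTILINE)

def classify_amt_response(raw: bytes) -> dict:
    """Inspect an HTTP response from TCP 16992: does it self-identify as Intel AMT,
    and what firmware version string does it advertise?"""
    result = {"is_amt": False, "banner": None, "version": None}
    m = SERVER_RE.search(raw)
    if m:
        banner = m.group(1).strip().decode("ascii", "replace")
        v = re.search(r"\d+(?:\.\d+)+", banner)
        result.update(is_amt=True, banner=banner, version=v.group(0) if v else None)
    return result

def probe_amt(host: str, port: int = 16992, timeout: float = 3.0) -> dict:
    """Fetch the AMT web UI index from one host you administer (plain HTTP on
    16992; a provisioned, enabled AMT answers here even when the OS is off)."""
    req = f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            chunks = []
            while (data := s.recv(4096)):
                chunks.append(data)
    except OSError as e:
        return {"reachable": False, "error": str(e), "is_amt": False}
    return {"reachable": True, **classify_amt_response(b"".join(chunks))}

# Constructed sample of an AMT web UI reply (not a capture from any real machine).
SAMPLE_AMT_RESPONSE = (b"HTTP/1.1 303 See Other\r\n"
                       b"Server: Intel(R) Active Management Technology 11.0.0.1205\r\n"
                       b"Location: /logon.htm\r\n\r\n")

if __name__ == "__main__":
    import sys
    print(probe_amt(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result with `"reachable": False` means nothing is answering on that port from where you ran it; a result with `"is_amt": True` means the management interface is live and should be patched, disabled in the BIOS, or blocked at the gateway as described above.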

The flaw is documented on Intel’s site as well as a number of PC manufacturers’ sites:

http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

You can search for “Intel Management Engine AMT flaw” or “Intel AMT vulnerability”.  Use a time frame starting with May 01, 2017 and forward.  As always, though, be careful what you click on.

Here are links to the Security Now podcast episodes in which Steve Gibson covers this.

SN Page at TWIT
https://twit.tv/shows/security-now

SN Page at GRC
https://www.grc.com/securitynow.htm

SN 610 – this is the main topic
https://twit.tv/shows/security-now/episodes/610?autostart=false
https://www.grc.com/sn/SN-610-Notes.pdf
http://twit.cachefly.net/audio/sn/sn0610/sn0610.mp3

SN 611 – this is a sub topic
https://twit.tv/shows/security-now/episodes/611?autostart=false
https://www.grc.com/sn/SN-611-Notes.pdf
http://twit.cachefly.net/audio/sn/sn0611/sn0611.mp3

SN 612 – minimal on this topic (in Q&A)
https://twit.tv/shows/security-now/episodes/612?autostart=false
https://www.grc.com/sn/SN-612-Notes.pdf
GRC mp3 is not posted at the time of this writing.  Download from TWIT.

Hope this info was helpful.

Ron