Intel Patches Serious Logic Bug That Lurked Since 2010
It’s 2017, and considering Intel’s most recent advisory, coordinated vulnerability patching, along with synchronized and accurate information disclosure across enterprise environments, is still a hot mess.
In what can only be described as one of the most confusing and controversial vulnerabilities in recent memory, Intel has addressed a vulnerability that affects Active Management Technology (AMT), Intel Small Business Technology (SBT), and Intel Standard Manageability (ISM) protocols.
The confusion arises in the severity, the type of vulnerability, and what devices are in scope for this vulnerability. The vulnerability, CVE-2017-5689, was initially described as a remote code execution vulnerability affecting devices since 2008, allowing attackers to compromise machines without authentication.
However, Intel and other researchers have declared that the vulnerability was, in fact, a logic flaw and an escalation of privileges. Both parties even disagreed over when the flaw was introduced, some saying it has been lurking since 2008, while others say it was introduced only in AMT version 6.0, which was deployed in late 2010 and early 2011.
After disseminating all the results and parsing the multitudes of advisories and technical summaries, even experts are still scratching their heads as to what, exactly, is exploitable, and how an attacker could trigger the exploitable condition.
In summary, the vulnerability appears related to AMT and ISM network management traffic, which is silently redirected to Intel hardware and Intel ME/Local Management Service (LMS) by intercepting traffic on ports 16992, 16993, 16994, 16995, 623, and 664 (by default).
It is important to understand that the underlying operating systems (OS) of these machines with AMT enabled will never see any network traffic to these ports. This also means that the OS's defenses against such attacks, such as host-based firewalls, IPS, memory protections (Read more...)
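Because the host OS never sees traffic to these ports, visibility has to come from the network. The following is an added example, not part of the original post: it scans flow records exported by a switch or network firewall for the ports listed above and flags destinations reached from outside a management subnet. The CSV layout, the `MGMT_NET` subnet and all addresses are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Default AMT/ISM management ports listed in the article.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Assumption: the only subnet expected to talk to management ports.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed sample flow records, as a network device (not the host) would log them.
SAMPLE_FLOWS = """\
src,dst,dst_port,proto
10.0.50.7,10.0.20.15,16992,tcp
192.168.7.44,10.0.20.15,16992,tcp
192.168.7.44,10.0.20.15,443,tcp
192.168.7.44,10.0.20.31,623,tcp
10.0.50.7,10.0.20.31,16993,tcp
not-an-ip,10.0.20.31,16993,tcp
192.168.7.44,10.0.20.40,664,udp
10.0.50.7,10.0.20.52,16994,tcp
"""

def find_amt_flows(flow_csv, mgmt_net=MGMT_NET):
    """Return {dst: {"ports": set, "unexpected_sources": set}} for AMT-port flows."""
    hits = defaultdict(lambda: {"ports": set(), "unexpected_sources": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the audit
        # The article names ports without a protocol, so match on port number only.
        if port not in AMT_PORTS:
            continue
        entry = hits[str(dst)]
        entry["ports"].add(port)
        if src not in mgmt_net:
            entry["unexpected_sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for dst, info in sorted(find_amt_flows(SAMPLE_FLOWS).items()):
        status = "REVIEW" if info["unexpected_sources"] else "ok"
        print(f"{status:6} {dst} ports={sorted(info['ports'])} "
              f"from_outside_mgmt={sorted(info['unexpected_sources'])}")
```

Any destination listed here is answering or receiving management-port traffic that host-based firewall logs on that machine will not show.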
This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog