A decade-old vulnerability in Intel chips has been discovered, leaving thousands of Windows computers susceptible to hijacking and remote takeovers.
Intel disclosed the critical bug last week and the weakness appears to be in the Active Management Technology (AMT) feature used by IT administrators to remotely access computers for support, maintenance and software updates. Additionally, AMT allows for remote control of a computer's mouse and keyboard even when it's off.
AMT can be accessed via a web browser interface, protected by an admin password, and is available even when the remote computer is asleep.
However, security researchers from Embedi discovered that by simply leaving the password field blank on the web interface, anyone can gain access to the AMT console. This flaw appears to be due to how the default admin account processes user passwords.
"We’re able to manage the AMT via the regular web browser as if we’ve known the admin password," the Embedi researchers said. "No doubt it’s just a programmer’s mistake, but here it is: keep silence when challenged and you’re in."
Intel chips from as far back as 2008 that are running management firmware versions from 6 and 11.6 are vulnerable to this flaw. The company also stated in a security advisory that although the vulnerability doesn't exist in consumer PCs with consumer-level firmware, if a system is capable of running AMT and it's running impacted firmware 6.0 and later, then mitigation steps are required.
Embedi researchers warn that any internet-facing systems with open ports 16992 and 16993 are susceptible to the hack.
The scary part is that after the disclosure of the flaw, scans on these affected ports have spiked, meaning hackers may now be actively seeking vulnerable systems to exploit.
Intel hasn't revealed the exact number of affected systems, but a search on Shodan (a search engine for exposed ports and databases) shows that more than 8,500 systems are affected worldwide with possibly thousands more existing on private networks.
Intel has these recommendations to protect systems from the AMT flaw:
- Determine if you have an Intel AMT capable system.
- Analyze your system for the vulnerability with Intel's detection tool.
- Check for updated firmware for your system. Intel states that firmware versions that resolve the issue have a four-digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 126.96.36.19908.
- Since many of the affected systems are older and are no longer receiving firmware updates, it is advised that AMT is disabled on these computers.
Intel stated that they are working with its hardware partners to push fixes to eligible systems beginning the week of May 8.
Dell, Fujitsu, HP, and Lenovo have all issued security advisories and are expected to roll out their patches soon.