
Intel AMT, the new vulnerability of the company's processors

A new vulnerability has been discovered, this time originating in the Active Management Technology (Intel AMT) of Intel processors. It affects processors with vPro technology and some Xeon models.

We are a dozen days into 2018 and we can officially say that it is the worst year in Intel's history. The company's processors are vulnerable to Spectre and Meltdown, a security hole rooted in the hardware, and now another vulnerability has been revealed. Specifically, a security hole has been found in Active Management Technology, or Intel AMT, which allows login credentials to be bypassed on processors that support this technology.

Intel AMT is present in all Intel Core processors that have the company's vPro technology and also in certain Intel Xeon processors. Exploiting this vulnerability requires physical access, but it takes only a minute to set up remote control of any laptop, after which the attacker can also connect to the company's VPN and access all resources. Intel has not yet commented, but there is a press release from F-Secure regarding this vulnerability.


PRESS RELEASE


F-Secure reports a security issue that affects most corporate laptops. This vulnerability allows an attacker with physical access to backdoor the device in less than 30 seconds. The problem allows the attacker to bypass the need to enter credentials, including BIOS and BitLocker passwords and TPM PINs, and can then gain remote access for further exploitation. This problem affects millions of laptops around the world.

The security problem “is almost deceptively simple to exploit, but has incredible destructive potential,” said Harry Sintonen, who researched the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker full control over a person's work laptop, despite even the most extensive security measures."

Intel AMT is a solution for remote access monitoring and maintenance of corporate-level personal computers, created to enable IT departments or managed service providers to better control their device fleets. The technology, commonly found in corporate laptops, can be exploited in seconds without a single line of code.

The essence of the security issue is that setting a BIOS password, which typically prevents an unauthorized user from starting the device or making low-level changes, does not prevent unauthorized access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.

To exploit this, all an attacker has to do is reboot or power on the target machine and press CTRL-P during boot. The attacker can then log into the Intel Management Engine BIOS Extension (MEBx) using the default password, "admin", as this default has most likely not been changed on most corporate laptops. The attacker can change the default password, enable remote access, and set the AMT user option to "None." The attacker can now gain remote access to the system from wireless and wired networks, as long as they can insert themselves into the same network segment with the victim. Access to the device can also be possible from outside the local network through a CIRA server controlled by an attacker.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called "evil maid" scenario. "You leave your laptop in your hotel room while you have a drink. The attacker breaks into your room and sets up your laptop in less than a minute, and can now access your computer with the hotel's Internet connection. And because the computer connects to your company's VPN, the attacker can access company resources." Sintonen points out that even one minute of distraction to the target at an airport or cafeteria is enough to cause damage.

The issue affects all computers that support Intel Management Engine / Intel AMT technology. It is not related to the recently disclosed Spectre and Meltdown vulnerabilities.
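The press release describes AMT remote access being switched on for a laptop whose AMT was left unconfigured. As an added example (not code from F-Secure, Intel or this site), the following fleet audit flags machines whose AMT network service answers although IT never provisioned it. The inventory format and hostnames are assumptions; the port numbers are the standard Intel AMT TCP ports.

```python
"""Added example: flag hosts whose Intel AMT network service answers
although the asset inventory says IT never provisioned AMT on them."""
import socket

# Standard Intel AMT TCP ports: 16992/16993 web UI and WS-Management
# (HTTP/HTTPS), 16994/16995 redirection such as SOL and IDE-R (plain/TLS).
AMT_PORTS = (16992, 16993, 16994, 16995)


def probe_amt_ports(host, ports=AMT_PORTS, timeout=1.0):
    """Return the subset of `ports` accepting a TCP connection on `host`."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass  # closed, filtered, or host unreachable
    return open_ports


def audit_fleet(inventory, probe=probe_amt_ports):
    """Compare observed AMT exposure with the inventory.

    `inventory` maps host -> True if IT provisioned AMT, False otherwise
    (a hypothetical record format). Returns findings sorted by host.
    """
    findings = []
    for host in sorted(inventory):
        open_ports = probe(host)
        if open_ports and not inventory[host]:
            # AMT answers where nobody in IT configured it: investigate.
            findings.append((host, "UNEXPECTED_AMT", open_ports))
        elif not open_ports and inventory[host]:
            # Provisioned but silent: powered off, off-segment, or changed.
            findings.append((host, "AMT_NOT_ANSWERING", open_ports))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {"lt-0001.corp.example": False, "lt-0002.corp.example": True}
    for host, status, ports in audit_fleet(sample):
        print(f"{host}: {status} {ports}")
```

Run the probe from a different machine on the same network segment as the laptops; a closed port only shows that AMT is not answering at that moment, not that the MEBx password has been changed from its default.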


Robert Sole
