The Intel remote vulnerability is much, much worse than you thought

Posted on May 6, 2017 by Rick Falkvinge

The Intel remote vulnerability which was recently disclosed has been discussed in more detail, and it’s much, much worse than you thought. It’s not just that the Intel servers are vulnerable to remote access. It’s that it’s trivial to invoke it, and that the access happens over the regular network line.

A few days ago, Intel issued an advisory that all its systems less than ten years old were vulnerable to remote takeover by read and write; somebody could use sidestep the installed operating system, invoke the hardware management circuits, and access the server’s memory. In terms of badness, this is “really really bad”, but usually, such exploits are really complicated to invoke.

This morning, researchers at Tenable posted a writeup on how they had independently found the same vulnerability.

In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged read/write access to the entire server memory.

It would appear that the fault stems from being overprotective against buffer overrun vulnerabilities (limiting the password check to the length of the provided input) but getting the logic catastrophically wrong in the process.

It’s hard to overstate how catastrophic this is. I want to underscore, again, that this is independent of the operating system and independent of whatever you’re running on the machine. We also learn from Intel that the vulnerable management system works on your ordinary wired LAN, essentially hijacking a couple of ports for its own purposes from your normal traffic — so it’s not a matter of a vulnerability on a separate physical port, as would have been the case on some motherboards with separate management ports.

Let’s take that again: a blank password to an always-open port sidesteps every single bit of authentication and security that is otherwise present. This means, among other things:

If you have a firewall on an Intel box, that firewall is compromised through its exposure to the outside world (which it is supposed to protect from).

If you are running anything virtualized on an unfixed Intel box, then the memory of all of those machines, as well as their virtual hardware, are accessible by connecting to the server on an always-open port and say “Hi, I’m Administrator with a blank password”.

If you’re running a virtualized firewall as a VM protecting other VMs on an Intel server, with a physical uplink connected directly to the physical Intel machine and downstream traffic firewall-separated by VLANs, then all of those VMs are somebody else’s by now, including their hardware.

According to Intel, this management system operates on ports 623, 664, 5900 (VNC), and 16992-16995. If your server is answering on any of those ports – and you should check your firewall too – then you should act very quickly on this, now that details of the exploit are in the wild. If your server is not answering on those ports, that still doesn’t mean you’re in the clear, but that more investigation is needed.

Your security remains your own responsibility.

Comments are closed.

9 Comments

  1. Mike Blaszczak

    The writing here is terrible. Who edits this stuff?

    7 years ago
    1. Jivefly

      What’s so terrible about it? If it bothers you so much, edit it and send it to the author.

      7 years ago
      1. Mike Blaszczak

        Great idea! Because I work for free, right?

        7 years ago
      2. Mike Blaszczak

        It barely makes sense. Just like working for free for someone else barely makes sense. Why in the world should I do their work for them?

        7 years ago
  2. Anonymous
    7 years ago
  3. son of kinth

    “Your security remains your own responsibility” – a big F-ing hole has been discovered on a majority of servers on the planet and it’s the users’ responsibility to plug it?

    7 years ago
    1. Cernael

      If you’re capable of doing it, you should. No one else will do it for you fast enough.

      It’s not about whose blame it is, it’s about who you actually can rely on. Sitting back and expecting Intel to fix it for you amounts to nothing short of learned helplessness.

      7 years ago
  4. LennStar

    But that is not write access to harddisk?

    7 years ago
    1. Falkvinge

      The service cannot access the hard drive directly. However, it can write instructions to memory to do so. Therefore, this vector can be used to access hard drives.

      7 years ago