The Intel remote vulnerability is much, much worse than you thought

The Intel remote vulnerability which was recently disclosed has been discussed in more detail, and it’s much, much worse than you thought. It’s not just that the Intel servers are vulnerable to remote access. It’s that it’s trivial to invoke it, and that the access happens over the regular network line.

A few days ago, Intel issued an advisory that all its systems less than ten years old were vulnerable to remote takeover by read and write; somebody could use sidestep the installed operating system, invoke the hardware management circuits, and access the server’s memory. In terms of badness, this is “really really bad”, but usually, such exploits are really complicated to invoke.

This morning, researchers at Tenable posted a writeup on how they had independently found the same vulnerability.

In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged read/write access to the entire server memory.

It would appear that the fault stems from being overprotective against buffer overrun vulnerabilities (limiting the password check to the length of the provided input) but getting the logic catastrophically wrong in the process.

It’s hard to overstate how catastrophic this is. I want to underscore, again, that this is independent of the operating system and independent of whatever you’re running on the machine. We also learn from Intel that the vulnerable management system works on your ordinary wired LAN, essentially hijacking a couple of ports for its own purposes from your normal traffic — so it’s not a matter of a vulnerability on a separate physical port, as would have been the case on some motherboards with separate management ports.

Let’s take that again: a blank password to an always-open port sidesteps every single bit of authentication and security that is otherwise present. This means, among other things:

If you have a firewall on an Intel box, that firewall is compromised through its exposure to the outside world (which it is supposed to protect from).

If you are running anything virtualized on an unfixed Intel box, then the memory of all of those machines, as well as their virtual hardware, are accessible by connecting to the server on an always-open port and say “Hi, I’m Administrator with a blank password”.

If you’re running a virtualized firewall as a VM protecting other VMs on an Intel server, with a physical uplink connected directly to the physical Intel machine and downstream traffic firewall-separated by VLANs, then all of those VMs are somebody else’s by now, including their hardware.

According to Intel, this management system operates on ports 623, 664, 5900 (VNC), and 16992-16995. If your server is answering on any of those ports – and you should check your firewall too – then you should act very quickly on this, now that details of the exploit are in the wild. If your server is not answering on those ports, that still doesn’t mean you’re in the clear, but that more investigation is needed.

Your security remains your own responsibility.