Critical Intel Active Management Technology Flaw Allows Privilege Escalation

Intel patched a critical privilege escalation vulnerability in its Active Management Technology (AMT), which is used for remote out-of-band management of PCs.

AMT is part of the Intel vPro platform (Intel’s umbrella marketing term for its collection of computer hardware technologies) and is primarily used by enterprise IT shops for remote management of corporate systems. The flaw can be exploited by an unauthenticated attacker on the same network, in order to gain escalated privileges. The issue (CVE-2020-8758), found internally by Intel employees, ranks 9.8 out of 10 on the CVSS scale, making it critical severity, according to Intel in a Tuesday security advisory.

“While we are not aware of the AMT issue being used in active attacks, Intel has provided detection guidance to various security vendors who have released signatures into their intrusion detection/prevention products as an extra measure to help protect customers as they plan their deployment of this update,” Jerry Bryant, director of communications with Intel Product Assurance and Security, said in a security advisory posted Tuesday.

Click to Register

The flaw stems from improper buffer restrictions in a third party component network subsystem within Intel AMT (and Intel’s Standard Manageability solution, ISM, which has a similar function as AMT).

One important factor that impacts how difficult the flaw is to exploit is whether or not AMT is “provisioned.” In order to use AMT, systems must go through a process called “provisioning.” This process is used to connect the computer to a remote computer used to manage it (for instance, inserting a specially formatted USB drive).

If AMT is provisioned, it may allow an unauthenticated user to potentially enable escalation of privilege via network access. However, an attacker would need to be authenticated and have local access to exploit the flaw if the AMT system is unprovisioned (if the system is unprovisioned, the flaw also has a lower CVSS score of 7.8 out of 10).

“If the platform is configured to use Client Initiated Remote Access (CIRA) and environment detection is set to indicate that the platform is always outside the corporate network, the system is in CIRA-only mode and is not exposed to the network vector,” said Bryant.

Affected are Intel AMT and Intel ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39.

“Intel recommends that users of Intel AMT and Intel ISM update to the latest version provided by the system manufacturer that addresses these issues,” according to Intel’s advisory.****

Intel AMT has had security issues before. Earlier in June, Intel patched two critical flaws (CVE-2020-0594 and CVE-2020-0595) exist in the IPv6 subsystem of AMT. The flaws could potentially enable an unauthenticated user to gain elevated privileges via network access. And, a loophole in 2018 found in AMT was discovered that could have allowed an attacker to bypass logins and place backdoors on laptops, allowing adversaries remote access to laptops.

On Wed Sept. 16 @ 2 PM ET:** Learn the secrets to running a successful Bug Bounty Program.Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this**LIVE** webinar.**