Not The Best Intel Month

So far, the 2018 has been catastrophic for Intel.

Three major vulnerabilities were found in a very short span of time, and Intel team cannot catch up fast enough with the patching and the security updates.

The newest one is from the 12th of Jan and disclosed by a Finnish Security Company (F-Secure). It uses a bug in the AMT (Active Management Technology) feature of certain Intel based systems. The AMT was designed as a helping tool for administrators to assist with managing their vast fleet of endpoints but bad implementation makes all of these devices completely unsecure when physically accessible.

The attack is extremely simple and allows for anybody (without any particular technical skills) to launch it. Basically, the baddy needs only to reload/shutdown and power up the endpoint that has Intel AMT enabled, then despite all authentications (like BIOS password or OS authentication) the baddy needs only to do Ctrl+P during book process (which takes him/her to MEBx (Management Engine BIOS extension) login and use the default password (admin) to login. Next steps are simple, change the password so nobody can access and change back the settings or disabled the AMT, and allow remote access to the endpoint (there is even an option to not allow the legal user to stop this. After that physical access to the endpoint is not needed, the attacker can manage the machine as long they are on the same network (wireless or wired). The attack is dangerous, because it’s so simple to implement, takes no more than 30 seconds, gives full access to the endpoint and bypasses other security controls. The recommended actions to protect AMT enabled endpoints are quite logical: change default pass to complex secure password, disabled AMT if you are not using it, and keep an eye on your endpoint and do not give anybody else physical access to it.

We have all heard by now about the other major vulnerabilities that were recently disclosed, namely the famous Meltdown and Spectre. We will not discuss in detail how these attacks work as that was already covered in detail and available from many sources but would like to summarise how this is affecting end users and other vendors in the chain.

First, the official and best way to be protected against these two attacks is to change the chips but obviously that is not really a feasible solution for many end users and companies. Major OS vendors have taken steps to patch their respective OS.

Microsoft has patched Windows 10 fairly quickly and just recently (9th of Jan) patched Windows 7 and 8 for the Meltdown vulnerability. A note – users are urged to check if the patches were successfully installed as some anti-virus systems (including Windows Defender and Microsoft Security Suit) can prevent the patch to be installed.

Apple has been bold in saying despite all their systems being vulnerable to Meltdown and Spectre, there is no well-known exploits impacting their customers. Still Apple released released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2.

Android – Google has released its patches on the monthly security patch on the 5th of Jan. However, they would immediately become available only for pure Google phones (Pixel and Nexus), all the rest of the android users need to wait for their retrospective vendors to release patches.

Firefox browser – Mozzila released a patch and recommends all user to update Firefox to version 57.0.4.

Chrome – The patch is included in the new 64 bit version of the browser that will be released on the 23th of Jan. If you want added security Google recommends you use the Site Isolation experimental feature.

Linux – the Linux kernel developers have reacted quickly and patches are available for most used kernel versions.

Due to the nature of the attack (possibility of seeing memory from other applications) the virtualization platforms were badly affected. The two largest vendors, VMware and Citrix however, have decided to take completely different actions courses.

VMware released security patches for all of his affected major products – ESXi, Fusion and Workstation. We need to note here that the patch helps only with Meltdown attack.

Citrix has decided not to release security patches but transfer the risk to its clients and recommends them to check for any patches on 3rd party software.

It is worth mentioned also that most of the OS based patches (not browser patches) are created only to protect again the Meltdown attack as the Spectre is harder to patch and security experts believe it will be around for some months and maybe years to come.

Related materials:

https://thehackernews.com/2018/01/intel-amt-vulnerability.html

https://thehackernews.com/2018/01/meltdown-spectre-patches.html

https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html