Written by Shaun Waterman
Manufacturers of the millions of business PCs, laptops and servers using Intel chips with a newly discovered critical security vulnerability say they are working as fast as they can to distribute the fix to customers. But only two companies have so far issued a timetable for rolling out patches, and the schedule already stretches deep into June, meaning many users will have to wait more than a month for a fix.
In a statement sent Friday to CyberScoop, Intel said, “We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software.”
The vulnerability, which the company reported May 1, allows an attacker to bypass the password protection on Intel’s special remote-administration firmware, known as Advanced Management Technology. AMT is firmware, meaning it runs on the microprocessor chip itself, beneath the operating system, completely bypassing any security precautions or software. Unless manufacturers ship products with AMT enabled, the vulnerability is only exploitable with physical access to the machine.
Nevertheless, the technical details of the vulnerability — dubbed “Silent Bob” by its discoverers — which emerged Friday sent some cyber mavens into meltdown. With the release, writing exploit code would be “trivial … About five lines of Python [computer code]. Maybe ten if you make it pretty,” wrote Tatu Ylonen, the inventor of Secure Shell, on a special web page he put together carrying news about the vulnerability.
“If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised,” he said, adding that users would have to leave AMT disabled until a patch was available.
That might be a month or more for many products. Lenovo was the first manufacturer out of the gate with a patching schedule on Wednesday. The company says its ThinkPad, ThinkServer and ThinkStation product lines are all affected and it will start rolling out patches next week. HP said dozens of their computers, including many in the Compaq, EliteBook and Z1 workstation product lines, were affected and they also promised to start rolling out firmware patches next week.
HP Enterprise said they were still ascertaining whether many of their products were impacted or not, but confirmed that their ProLiant and EdgeLine servers were affected. They blamed Intel for the delay in patching those products. “HPE is waiting on the updated firmware from Intel. Once this is available, HPE will complete the integration and testing,” the company said in a security advisory.
Dell, the only other company that had notified the U.S. Computer Emergency Readiness Team, or US-CERT, that its products were affected, said simply in a statement that “We are diligently working on mitigation and will release firmware update details for these products as they become available.”
Cisco is the only company to have so far given its products a clean bill of health — saying their Intel products use Server Platform Services, not AMT — but it will likely not be the last. Manufacturers can either uninstall the AMT firmware in the factory, or just leave it switched off. There seems to be some confusion about whether the second case leaves the computer at risk in some way.
Intel also released a discovery tool which users can download to check if their computers are impacted by Silent Bob.
As manufacturers scramble to patch the security flaw — which has been classified CVE-2017-5689 — more details began to emerge about it. Embedi, the company whose researcher Maksim Malyutin first discovered the vulnerability in February, published a full technical breakdown Friday — with Intel’s permission.
“First of all,” reads the Embedi blog post, “you should remember that Intel AMT provides the ability to remotely control the computer system even if it’s powered off (but connected to the electricity mains and network).”
Embedi dubbed the vulnerability, which effectively enables an administrative logon to AMT with a blank password, “Silent Bob.”
Controlling the AMT functions means being able to remotely control the mouse and keyboard inputs, “Which means you can remotely load [and] execute any program to the target system,” Embedi states, adding you can also change the boot instructions and edit the BIOS.