Understanding the Vulnerability in Intel’s Management Technology

Recently, social media and news sources have been thoroughly covering a vulnerability in Intel’s various management technologies. Although there is definitely reason to be concerned, there appears to be a bit of misinformation about the vulnerability, likely either due to sensationalism or lack of research. As such, I felt it beneficial to provide a view into the situation based on reliable referenced sources to help you determine whether or not you should be concerned.

Discovery

The vulnerability in question was identified by information security researcher Maksim Malyutin from Embedi in mid-February 2017. The vulnerability highlights a condition that allows an attacker to bypass authentication in Intel’s management technologies when using digest authentication.  This concern becomes somewhat greater when paired with a built-in admin account that always utilizes digest authentication, regardless of what form of authentication may be used for normal enterprise systems management.

In digest authentication, a cryptographic hash of the password being used for authentication is sent from the client in order to protect the actual password being used for authentication. The password is combined with a random and session-specific value (called a nonce) to prevent an attacker from capturing an authentication and replaying it. Digest authentication is non-proprietary, thus ensuring authentication will be widely compatible with browsers and other integrating technologies.

To validate the accuracy of the password, the server (in this case, the Intel management technology firmware) combines its copy of the known plaintext password with the nonce and performs its own MD5 hash. Now that we have two strings that should be identical, we are able to compare them to determine if the correct password was supplied.

The Vulnerability

The vulnerability in question resides in how data is supplied to the string comparison function used for digest authentication. The function utilized, strncmp(str1, str2, size_t), is a C++ function that compares two strings to determine if size_t or greater characters match between them.

The vulnerable condition arises because the authentication system trusts user input when providing a value for size_t – the number of characters that match between the two strings. A MD5 hash will always produce a 128 bit result that, when converted to a hexadecimal string, will always be 32 characters long. In all normal conditions, any password provided to the authentication function would fail – even when blank – because a single character change in a string undergoing a MD5 hash would result in an entirely different string.

As we can see from the reverse engineering notes provided by Maksim, the value for size_t is obtained based on the length of the string provided by the authenticating client. This means that if a hacker were to craft a custom HTTP authentication packet with a null string instead of a MD5 of a password, the resulting function call would look something like this:

Strncmp(“CorrectMD5PasswordHashFromDatabaseWithNonce”, “”, 0)

As long as zero or more characters match between the null string and the correct password hash the authentication will succeed. Most likely, the fix for this vulnerability was either explicitly specifying 32 for size_t to ensure that 32 characters must always match, or changing the function to strcmp(str1, str2) which compares the strings without regard to length.

Impact

Attackers who identify and exploit this vulnerability will be able to bypass authentication to Intel’s management technology, as long as the user is authenticated using digest authentication. Given that there is a built-in admin account which must leverage digest authentication, all vulnerable versions of Intel’s firmware are likely at risk.

Intel’s management system provides a number of capabilities designed to simplify administration of their endpoints, including remote keyboard, video, and mouse (KVM), secure disk wipe, mounting logical volumes over a network, and changing boot order. All capabilities are provided without requiring support from the operating system, thus it is unlikely that any operating system mitigations will impact the availability of this vulnerability.

Based on the documented capability of Intel’s management technology, this means that impact to a vulnerable system may allow remote console sessions to be established, could enable a denial of service by wiping the machine’s drives, and could allow an attacker to boot the system off of media provided by the attacker.

Mitigating Factors

• Intel’s management technology is only available on enterprise SKU’s and is disabled by default
• Intel’s management technology is published using TCP ports that are less likely to be published through an organization’s firewall (TCP ports 16992 and 16993)
• Intel has published a mitigation guide to help affected customers address the vulnerability
• Updated firmware has been provided by Intel that addresses these vulnerabilities

Public Articles

The vulnerability in question is published in the NIST National Vulnerability Database (NVD) and Mitre’s Common Vulnerabilities and Exposures database as CVE-2017-5689. Additionally, Intel confirmed the presence of this vulnerability and has published a security article, ID INTEL-SA-00075 discussing the condition and providing links to updated firmware, which should be deployed to any affected endpoints to resolve this issue.

References

1. NIST National Vulnerability Database – CVE-2017-5689 https://nvd.nist.gov/vuln/detail/CVE-2017-5689
2. Mitre Common Vulnerabilities and Exposures – CVE-2017-5689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
3. Intel Security Advisory INTEL-SA-00075 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
4. Embedi White Paper Silent Bob is Silent https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
5. Microsoft – How Digest Authentication Works https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx
6. Strncmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strncmp/
7. Strcmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strcmp/
8. Intel Active Management Technology Start Here Guide https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
9. INTEL-SA-00075 Mitigation Guide https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20Mitigation%20Guide-Rev%201.2.pdf

DISCLAIMER

All information used for this article is available in the references section and is not a result of any form of code review or penetration test on my part. Opinions within this article are avoided, but where present do not represent that of any employers, business partners, or other business associates. The accuracy of this article is directly a result of the accuracy of the referenced articles. Although sources referenced are reputable and not expected to be incorrect, I apologize for any errata that may occur through use of incorrect data from these sources.