Intel has announced its Active Management Technology (AMT), Standard Manageability (ISM), and Small Business Technology (SBT) firmware has been vulnerable to a pair of privilege escalation issues that could allow an attacker to remotely take control of a machine.
The first, found on AMT and ISM units, could allow a remote unprivileged attacker to "gain system privileges to provisioned [chips]," Intel said. The second would allow a local attacker to gain "unprivileged network or local system privileges" on chips with AMT, ISM, and SBT.
Chips from Intel's 2008-released Nehalem architecture onwards are impacted by the vulnerabilities if they run manageability firmware between versions 6 and 11.6.
"Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability," the chip giant said in its mitigation guide [PDF].
"When configured, Intel AMT and ISM automatically listen for management traffic over your computer network."
Traffic received over ports 16992, 16993, 16994, 16995, 623, and 664 on a machine using AMT is routed directly to the management engine, bypassing the main CPU.
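Because this traffic bypasses the main CPU, monitoring on the host itself cannot be relied on to see it, so exposure is best checked on the network. The following is an added example, not code from Intel or the original article: it flags flow records that reach the listed ports from outside an allowed management subnet. The log format, addresses and subnet are constructed assumptions.

```python
import ipaddress

# Ports the article lists as routed to the management engine on AMT machines.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Assumption: only this dedicated management subnet may talk to AMT.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records: "timestamp src sport dst dport proto action"
SAMPLE_FLOWS = """\
2024-01-01T09:14:03Z 10.20.0.15 51544 10.1.4.22 16992 tcp allow
2024-01-01T09:14:09Z 10.1.7.80 49822 10.1.4.22 16992 tcp allow
2024-01-01T09:15:41Z 10.1.7.80 49830 10.1.4.22 443 tcp allow
2024-01-01T09:16:12Z 198.51.100.7 40112 10.1.4.23 16993 tcp deny
2024-01-01T09:17:55Z 10.1.7.80 50010 10.1.4.24 623 udp allow
malformed line
"""

def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "action": action}
    except ValueError:
        return None

def flag_amt_traffic(text, mgmt_nets=MGMT_NETS):
    """Return (ts, src, dst, dport, severity) for AMT-port flows from outside mgmt_nets."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in AMT_PORTS:
            continue
        if any(flow["src"] in net for net in mgmt_nets):
            continue  # expected management traffic
        # Allowed flows reached the machine; denied ones are attempts worth logging.
        severity = "high" if flow["action"] == "allow" else "info"
        findings.append((flow["ts"], str(flow["src"]), str(flow["dst"]),
                         flow["dport"], severity))
    return findings

if __name__ == "__main__":
    for finding in flag_amt_traffic(SAMPLE_FLOWS):
        print(*finding)
```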
According to CoreOS security engineer Matthew Garrett, users should ensure AMT is disabled.
"Fixing this requires a system firmware update in order to provide new ME [management engine] firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix," he said. "Anyone who ever enables AMT on one of these devices will be vulnerable.
"That's ignoring the fact that firmware updates are rarely flagged as security critical (they don't generally come via Windows Update), so even when updates are made available, users probably won't know about them or install them."
Intel said the vulnerability does not affect its consumer chips as they are without vPro technology.
The chip giant thanked Maksim Malyutin from Embedi for reporting the issue, although the team at SemiAccurate claimed they discovered it in research over five years ago.