Patch/Configuration Management, Vulnerability Management

UPDATE: Intel warns of longstanding critical vulnerability in firmware

Intel issued an advisory on Monday warning of a critical escalation of privilege vulnerability in its firmware that can enable attackers to seize control of its products' manageability features.

According to an Intel Vulnerability Tracking Page set up by SSH Communications Security, Intel has provided OEM partners with a fix, though none of the OEMs has yet released updated firmware. 

Specifically, the flaw was found in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology, firmware versions 6 through 11.6. Various reports state that the bug dates back approximately 10 years.

According to Intel, there are two ways an attacker can potentially exploit the vulnerability: "an unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs" or "an unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs." The first method does not apply to Intel Small Business Technology.

“It is stunning that a vulnerability this severe can exist in practically every Intel server. If, as some sources now say, Intel has known of this vulnerability for years, it can only be an intentional backdoor,” Tatu Ylonen, founder and SSH fellow, SSH Communications Security, said in comments sent to SC Media. “It undermines the very fabric of information society. This vulnerability could cause many billions of dollars of damage to enterprises if weaponized against their servers and data. The impact can also be particularly long-term if their internal cybersecurity systems are compromised as a result of this vulnerability.”

Intel advises that affected customers check with their system OEM for updated firmware. For those who cannot yet update their firmware, the company has published a document that details steps for mitigation.


UPDATE: This story has been updated to alert readers that Intel has provided OEM partners with a fix, though none of the OEMs has released it yet, and to include commentary from Tatu Ylonen, founder and SSH fellow, SSH Communications Security.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
