Intel has finally patched a security vulnerability that has existed in many of its chips since the days of Nehalem in 2008 all the way through 2017’s Kaby Lake.
In an advisory published May 1, Intel describes the vulnerability as an elevation of privilege type with a critical severity rating.
It is found in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5 and 11.6 and can allow an attacker to “gain control of the manageability features provided by these products.”
Specifically, Intel says there are two ways the vulnerability can be accessed:
- An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM) (CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT) (CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
SemiAccurate, which says it has been pestering Intel to fix the issue for “literally years,” claims there is literally no Intel box made in the last 9+ years that isn’t at risk although Intel specifically states that “this vulnerability does not exist on Intel-based consumer PCs.”