Intel AMT authentication bypass vulnerability

Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them. AMT web management interface comes pre-installed on the Intel-based chipsets, accessible even when the computer is sleeping.

The vulnerability is the first of its kind. The exploitation of this issue allows the attacker to get full control over computers, remotely change the boot device, remote control of mouse/keyboard/monitor, even if they are sleeping (turned off) but still plugged into an outlet.

To exploit this vulnerability, you need to send a blank or null into “response\s*=”[0-9a-f]+”. You can use any proxy tool that supports find_and_replace function then replace the (response\s*=”[0-9a-f]+) with (response=””), by using Burp Suite, you can do the replacement and log into the AMT web interface with the user admin and any password.

That’s mean an attacker may now get the credential using this vulnerability and still be able to use the Intel AMT web interface by accessing the ports 16992/16993 to perform a successful attack.

The vulnerability affects the following firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel’s AMT. All intel customers are recommended to install the new firmware patch to avoid any attacks or disable the Intel Active Management Technology on windows by using the DisableAMT.exe tool.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Glove Stealer Emerges A New Malware Threat For Browsers

ANY.RUN Discovers Tricky Phishing Attack Using Fake CAPTCHA