Intel® Active Management Technology Software Development Kit Remote Code Execution

Intel ID: INTEL-SA-00023
Product family: Intel® Active Management Technology (Intel® AMT) Software Development Kit (SDK)
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Mar 29, 2010
Last revised: Mar 29, 2010
Summary: 

Intel® Active Management Technology (Intel® AMT) Software Development Kit (SDK) is the development framework that independent software vendors (ISVs) use to develop manageability applications that interact with Intel® AMT-enabled systems. Updated software that corrects a potential stack overflow issue is available for ISVs to update their applications developed using the SDK.

Description: 

This issue does not affect Intel® Active Management Technology implementation on Intel® vPro™ technology based platforms.
 
Intel AMT enabled management console applications developed by the independent software vendors (ISVs) using the SDK prior to the public release of Intel® AMT SDK Release 6.0 may be affected by this issue. The potential vulnerability in the SDK's redirection libraries could allow an unauthenticated attacker to insert malicious code during the redirection session establishment. Intel has released a software update to the SDK for the ISVs to resolve this issue.
 
For AMT management console application developers: ISVs utilizing this SDK should replace the redirection libraries in their application with those from the updated SDK and provide a software update recommendation to the application users.
 
For AMT management console application users: The users of the AMT management console application should contact the respective application provider to determine if their application may be affected.

Affected products: 

While Intel is not aware of any use of the potential vulnerability described in this advisory, Intel has made changes to the Intel® AMT SDK to resolve this issue. Intel highly recommends that independent software vendors (ISVs) include the updated libraries in their affected applications. The updated SDK which resolves this issue is available at http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/.

Recommendations: 

Libraries to be replaced for Windows*:
· imrsdk.dll
· kvmlib.dll

Libraries to be replaced for Linux*:
· libimrsdkRH5.a
· libimrsdkRH5_X64.a
· libimrsdkSuSE10.a
· libimrsdkSuSE10_X64.a
· libimrsdkSuSE11.a
· libimrsdkSuSE11_X64.a
 
It is expected that the ISVs would provide corresponding software updates to their affected application users.
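
One way an ISV could check an application tree against the updated SDK before shipping the update is sketched below. This is an added example, not Intel's or the SDK's own tooling. It finds every copy of the libraries listed above and compares its SHA-256 with the same-named file in an unpacked copy of the updated SDK; the directory names and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Lower-cased file names from the advisory's "Libraries to be replaced" lists.
ADVISORY_LIBS = {
    "imrsdk.dll", "kvmlib.dll",
    "libimrsdkrh5.a", "libimrsdkrh5_x64.a",
    "libimrsdksuse10.a", "libimrsdksuse10_x64.a",
    "libimrsdksuse11.a", "libimrsdksuse11_x64.a",
}

def index_libs(root):
    """Map lower-cased library name -> [(path, sha256)] for files under root."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in ADVISORY_LIBS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            found.setdefault(path.name.lower(), []).append((path, digest))
    return found

def audit(app_root, updated_sdk_root):
    """Return (stale, unverified): copies whose hash differs from the updated
    SDK's file, and copies with no same-named SDK file to compare against."""
    reference = {n: {d for _p, d in v} for n, v in index_libs(updated_sdk_root).items()}
    stale, unverified = [], []
    for name, copies in index_libs(app_root).items():
        for path, digest in copies:
            if name not in reference:
                unverified.append(path)
            elif digest not in reference[name]:
                stale.append(path)
    return sorted(stale), sorted(unverified)

def demo():
    """Run the audit on a constructed tree; contents are placeholder bytes."""
    layout = {
        "sdk/imrsdk.dll": b"new", "sdk/kvmlib.dll": b"new",
        "app/bin/IMRSDK.dll": b"old", "app/bin/kvmlib.dll": b"new",
        "app/lib/libimrsdkRH5.a": b"old", "app/readme.txt": b"n/a",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return tuple([p.name for p in group] for group in audit(Path(tmp, "app"), Path(tmp, "sdk")))

if __name__ == "__main__":
    print(demo())
```

The Linux `.a` files are static archives, so a stale match there means the application has to be relinked against the updated archive rather than having the file swapped in place.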
 

* Other brands and names may be claimed as the property of others.

Revision history: 

Revision    Date             Description
1.0         29-March-2010    Initial release


Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.


