Thousands Of Enterprise PCs Potentially Affected By Intel vPro Security Flaw

Thousands of enterprise PCs could be vulnerable to a security flaw in Intel's vPro processors that enables hackers to hijack computers remotely, Intel acknowledged on Monday.

The news comes a week after Intel said there is a critical flaw in the remote management features of processors that use its Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability technology.

The security flaw affects vPro processors that business customers purchase and deploy for large fleets of computers. The flaw can potentially allow attackers to gain control of the manageability features on these products, according to Intel. According to a report by Ars Technica, a Shodan security engine search found that 8,500 systems with the active management technology worldwide are exposed, with almost 3,000 systems in the U.S. exposed.


"The security and confidence of the people and businesses who use Intel products and technologies are paramount to us, and we are doing everything we can to address the situation as quickly as possible," said an Intel spokesperson in a statement. "We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software."

The Intel statement added that the company expects computer makers to "make updates available beginning the week of May 8 and continuing thereafter." The company declined to comment on the security flaw's potential impact on the channel.

Kent Tibbils, vice president of marketing at ASI, a Fremont, Calif.-based Intel system builder, said the vPro security flaw opens up opportunities to talk to customers about security.

"In terms of opportunity for resellers, I don’t think the opportunity is in how to fix this issue by installing the firmware but it could be used as part of a larger discussion about system and network security that, depending on the business, might involve things like data encryption, as an example," Tibbils said.

According to Intel, the flaw impacts Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for its Active Management Technology, Small Business Technology, and Standard Manageability platforms.

Consumer PCs and data center servers using Intel Server Platform Services are not affected by this vulnerability, according to Intel.

Intel said that the vulnerability could be exploited in two ways: by an unprivileged network attacker who can access system management on manageability SKUs, and by an unprivileged local attacker who can use manageability features and gain network or local system privileges on Intel's technology.

Computer manufacturers, including HP, Lenovo, Fujitsu, and Dell, have issued advisories for their models this week. Intel, meanwhile, said more manufacturers are expected to release a patch this week, which updates Intel's firmware.
