Y'all might have seen this already, but just in case you haven't: there is a huge hole in the security for Intel's AMT set-up. It's a chipset-level thing that allows e.g. network admins to gain remote access to a machine independent of the OS. Various processors made from 2010 on have the capability, but not every machine that uses them will have the vulnerable software.
The vulnerability itself is laughably obvious. You log into the AMT firmware via simple HTTP requests. As part of the login, it looks for the response in the HTTP header. Unfortunately, it then checks it like this:
if(strncmp(computed_response, user_response, response_length))
For the non-programmers out there, strncmp works like this. It compares its first two arguments (strings in this case) to see if they're the same. But it only looks at response_length bytes to do it. In other words, if response_length is 2, it will only compare the first 2 bytes of the strings. This normally wouldn't be as big of a deal, since we're dealing with hashed text. The way the check is supposed to work is that it looks at those two strings, and if they're different, strncmp returns something other than 0, and access is denied.
Unfortunately, response_length is taken from the length of user_response. This means that if user_response is empty, response_length is 0, so it compares the first 0 bytes of the two strings. Those are by definition identical, so strncmp returns 0, and access is granted. In other words, all you have to do is send an empty password and you're allowed in.
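To make that concrete, here is an added illustration (not Intel's firmware code, and not from El Reg) of the broken comparison next to a fixed one in C. The function names and the hash value are made up; the point is that the comparison length must come from the server-side expected value, never from the caller's input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern as described above: the compare length is derived
 * from the caller-supplied response, so an empty response compares zero
 * bytes and strncmp reports a match. A bare prefix also passes. */
bool vulnerable_check(const char *computed_response, const char *user_response)
{
    size_t response_length = strlen(user_response);
    return strncmp(computed_response, user_response, response_length) == 0;
}

/* Fixed pattern: the expected length comes from the value the server
 * computed, a length mismatch fails outright, and the bytes are compared
 * in constant time so the loop does not leak how many bytes matched. */
bool hardened_check(const char *computed_response, const char *user_response)
{
    size_t expected_len = strlen(computed_response);
    if (expected_len == 0 || strlen(user_response) != expected_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)computed_response[i] ^ (unsigned char)user_response[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed value standing in for the server-side computed hash. */
    const char *computed = "5f4dcc3b5aa765d61d8327deb882cf99";
    printf("empty response, vulnerable: %d\n", vulnerable_check(computed, ""));
    printf("empty response, hardened:   %d\n", hardened_check(computed, ""));
    printf("correct response, hardened: %d\n", hardened_check(computed, computed));
    return 0;
}
```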
This is a surprisingly big whoopsie. El Reg includes some links on how to see if this stuff is enabled on your machine (if you're not in an enterprise set-up, it probably isn't). Intel has released a patch already, but not every manufacturer has passed along the update.