Intel AMT Firmware Vulnerability CVE-2017-5689

This page by SSH collects information, fixes, and analyses of the Intel AMT Firmare remote code execution vulnerability of May 1, 2017 (CVE-2017-5689).
Your servers are in danger now through Intel AMT technology! 

AMT enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets. Essentially, AMT allows remote access to the system’s memory and disk over the network while the operating system is running. 

The exploit is trival, max five lines of Python, could be doable in one-line shell command. IT GIVES FULL CONTROL OF AFFECTED MACHINES, INCLUDING ABILITY TO READ AND MODIFY EVERYTHING.


For data centers, if you can, FIREWALL THEM OFF. Block ports 16992, 16993, 16994, 16995, 623, 664 NOW.

See Embedi white paper on the Intel AMT Vulnerability Exploitation details

In essence, the web user interface uses HTTP digest authentication for the admin account. Send an empty digest response, and you are in. That simple. 

This is worse than giving everyone root access on every server whose AMT port they can communicate with. And to every virtual machine, container, and database running on those servers.

I wish the world would have been given a few weeks to fix this.

Expect exploits over the weekend. 


  1. Tomi Engdahl says:

    Neutralizing the Intel Management Engine on Librem Laptops

    Ladies and Gentlemen, Clean Your Engines!
    I am happy to say that neutralizing the ME works! I investigated the effectiveness of neutralizing the Management Engine using the me_cleaner tool (which is an amazing feat of the community

  2. Tomi Engdahl says:

    Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
    As creator of OS on the chips calls out Chipzilla

    Positive Technologies, which in September said it has a way to drill into Intel’s secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

    The biz has already promised to demonstrate a so-called God-mode hack this December, saying they’ve found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”

    For those who don’t know, for various processor chipset lines, Intel’s Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you’re managing large numbers of computers\, especially when an endpoint’s operating system breaks down and the thing won’t even boot properly.

    Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

    For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB.

    With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited ta a later date.

  3. Tomi Engdahl says:

    Google Working To Remove MINIX-Based ME From Intel Platforms

    Intel’s Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX’s presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel’s ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn’t much public knowledge of the workings of the ME, especially in its current state. It’s not even clear where the hardware is physically located anymore.

    Google Working To Remove MINIX-Based ME From Intel Platforms,35876.html

    Intel’s Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX’s presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world.

    Intel’s ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn’t much public knowledge of the workings of the ME, especially in its current state. It’s not even clear where the hardware is physically located anymore. At its inception in 2006, the ME was reportedly located on the MCH (northbridge), but when that became integrated into the CPU beginning with Nehalem, ME was moved to the PCH (current-day “southbridge”).

    Where the ME’s code is stored also isn’t clear. Intel has said that it, at least at one point, was loaded into system DDR RAM. The ME has access to many, if not all, of the platform’s integrated devices, such as Intel network controllers. It can also access the main system RAM (the DDR RAM) through DMA. Much has changed in Intel’s platform since some of this was reported, however, so the state of ME now isn’t well understood. Intel, of course, keeps many of the details veiled in secrecy for security purposes.

  4. Tomi Engdahl says:

    Well, crap. It might have finally happened. [Maxim Goryachy] and [Mark Ermolov] have obtained fully functional JTAG for Intel CSME via USB DCI. What the hell does that mean? It means you can plug something into the USB port of a computer, and run code on the Intel Management Engine (for certain Intel processors, caveats apply, but still…). This is doom. The Intel ME runs below the operating system and has access to everything in your computer. If this is real — right now we only have a screenshot — computer security is screwed, but as far as anyone can tell, me_cleaner fixes the problem. Also, Intel annoyed [Andy Tanenbaum].


    Tool for partial deblobbing of Intel ME/TXE firmware images

  5. Tomi Engdahl says:

    Is Intel’s Management Engine Broken yet?

    Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top of the cake is that they are able to do it via a USB port acting as a JTAG port. Does this mean the zombie apocalypse is coming?

    Before the Skylake CPU line, released in 2015, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer’s chassis. Starting with the Skylake CPU, Intel replaced the ITP-XDP interface and allowed developers and engineers to access the debugging utility via common USB 3.0 ports, accessible from the device’s exterior, through a new a new technology called Direct Connect Interface (DCI). Basically the DCI provides access to CPU/PCH JTAG via USB 3.0. So the researchers manage to debug the IME processor itself via USB DCI, which is pretty awesome, but USB DCI is turned off by default, like one of the researchers states, which is pretty good news for the ordinary user. So don’t worry too much just yet.

  6. Tomi Engdahl says:

    Intel Chip Flaws Leave Millions of Devices Exposed

    Security researchers have raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research.

    Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
    Bugs can be exploited to extract info, potentially insert rootkits

    Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.

    The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.

    In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:

    6th, 7th and 8th Generation Intel Core processors
    Intel Xeon E3-1200 v5 and v6 processors
    Intel Xeon Scalable processors
    Intel Xeon W processors
    Intel Atom C3000 processors
    Apollo Lake Intel Atom E3900 series
    Apollo Lake Intel Pentiums
    Celeron N and J series processors

    The Management Engine is a barely documented black box. it has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.

    It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.

    The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.

    Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.

  7. Tomi Engdahl says:

    Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update

    In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

    As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.

    Affected products:

    6th, 7th & 8th Generation Intel® Core™ Processor Family
    Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
    Intel® Xeon® Processor Scalable Family
    Intel® Xeon® Processor W Family
    Intel® Atom® C3000 Processor Family
    Apollo Lake Intel® Atom Processor E3900 series
    Apollo Lake Intel® Pentium™
    Celeron™ N and J series Processors

    Intel has released a downloadable detection tool located at , which will analyze your system for the vulnerabilities identified in this security advisory.

    Intel highly recommends checking with your system OEM for updated firmware. Links to system manufacturer pages concerning this issue can be found at

    Intel highly recommends that all customers install the updated firmware and Intel® Capability License Service on impacted platforms.

  8. Tomi Engdahl says:

    U.S. government warns businesses about cyber bug in Intel chips

    The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

    The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

    Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

    For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

  9. Tomi Engdahl says:

    To fix Intel’s firmware fiasco, wait for Christmas Eve or 2018
    And cross your fingers: ‘TBD’ is the scheduled date for hundreds of PC fixes

    The world’s top PC-makers have started to ship fixes for the multiple flaws in Intel’s CPUs, but plenty won’t land until 2018.

    The flaws struck multiple flaws in Intel’s Management Engine, Server Platform Services, and Trusted Execution Engine and make it possible to run code that operating systems – and therefore sysadmins and users – just can’t see.

    Intel acknowledged the bugs after Positive Technologies publicised attack vectors for the flaws.

    PC-and-server-makers have since rushed to advise of their fixes, but not all have made them available immediately.

    Lenovo’s advisory listed seven machines for which the date of fix delivery is “TBD” – to be determined.

    That’s a lovely small number compared to Acer, which has given 240 models the TBD treatment.

    It’s therefore making Dell look good: it has just 191 TBD PCs.

    HPE appears to have downloads ready to go, but Fujitsu’s only readied them for Japanese and EMEA customers

    It gets worse: plenty of the affected CPUs were sold to manufacturers of network attached storage or other appliances.

  10. Tomi Engdahl says:

    Device Manufacturers Working on Patches for Intel Chip Flaws

    Acer, Dell, Fujitsu, HPE, Lenovo, Intel and Panasonic are working on releasing patches for the recently disclosed vulnerabilities affecting Intel CPUs, but it could take a while until firmware updates become available to all customers.

    After external researchers identified several potentially serious vulnerabilities affecting its Management Engine (ME) and Active Management Technology (AMT), which allow users to remotely manage computers, Intel has decided to conduct a comprehensive review of the products.

    The analysis revealed the existence of several vulnerabilities in ME, Trusted Execution Engine (TXE) and Server Platform Services (SPS). The security holes can be leveraged to impersonate the ME, SPS and TXE services and impact the validity of local security feature attestation, execute arbitrary code without being detected by the user or the operating system, and crash the system or make it unstable.

  11. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    PC vendors scramble to issue patches after Intel announced firmware flaws allowing remote code execution affecting a wide range of chips and millions of devices

    PC vendors scramble as Intel announces vulnerability in firmware [Updated]
    Millions of computers could be remotely hijacked through bug in firmware code.

    Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms are vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.

    The bugs affect the following Intel CPUs:

    Intel Core processors from the 6th generation (“Skylake”), 7th generation (“Kaby Lake”), & 8th Generation (“Kaby Lake-R” and “Coffee Lake”) families—the processors in most desktop and laptop computers since 2015;
    Multiple Xeon processor lines, including the Xeon Processor E3-1200 v5 & v6 Product Family, Xeon Processor Scalable family, and Xeon Processor W family;
    The Atom C3000 Processor Family and Apollo Lake Atom Processor E3900 series for networked and embedded devices and Internet of Things platforms, and
    Apollo Lake Pentium and Celeron™ N and J series Processors for mobile computing.

    The highest-level vulnerabilities, rated at 8.2 and 7.5 on the Common Vulnerability Security Scale (CVSSv3) respectively, are in the most recent versions of Intel Management Engine. They have the broadest impact on PC users: they allow arbitrary remote code execution and privileged information access. Dell has issued a statement on the MX advisory that lists more than 100 affected systems, including a variety of Inspiron, Latitude, AlienWare, and OptiPlex systems; Lenovo has a similarly vast list posted on its site.

  12. Tomi Engdahl says:

    Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
    Bugs can be exploited to extract info, potentially insert rootkits

  13. Tomi Engdahl says:

    Linux laptop-flinger says bye-bye to buggy Intel Management Engine
    ‘Disabling the ME will reduce future vulnerabilities’

    In a slap to Intel, custom Linux computer seller System76 has said it will be disabling the Intel Management Engine in its laptops.

    Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers.

    One of the most important vulnerabilities is in the black box coprocessor – the Management Engine – which has its own CPU and operating system that has complete machine control. It’s meant for letting network admins remotely log into servers and workstations to fix any problems (such as not being able to boot).

    The bugs – as security researchers discovered – allow for installing rootkits and spyware on machines that could steal or tamper with information. So, perhaps unsurprisingly, several vendors – including Lenovo – have been quick to patch the bugs.

    Denver, Colorado-based System76, meanwhile, has just banned the Management Engine outright.

  14. Tomi Engdahl says:

    System76 to Disable Intel ME on Laptops Due to Security Flaws

    Following the discovery of several potentially serious vulnerabilities in Intel’s Management Engine (ME), computer seller System76 announced its intention to disable the feature on its laptops with a future firmware update.

    In the past months, Intel and third party security researchers discovered a significant number of flaws in ME and Active Management Technology (AMT), which allow users to remotely manage devices. The security holes can be exploited to execute arbitrary code without being detected by the user or the operating system, bypass security features, and crash systems.

    Intel has released patches for these vulnerabilities and vendors such as Acer, Dell, Fujitsu, HPE, Lenovo, and Panasonic informed customers that they are also working on firmware updates that address the weaknesses.

    System76, which provides Linux-powered laptops, desktops and servers, has decided to address the risks introduced by Intel ME by disabling the feature altogether.

  15. Tomi Engdahl says:

    Another Defeat of the Intel Management Engine

    If you have a computer with an Intel processor that’s newer than about 2007, odds are high that it also contains a mystery software package known as the Intel Management Engine (ME). The ME has complete access to the computer below the operating system and can access a network, the computer’s memory, and many other parts of the computer even when the computer is powered down. If you’re thinking that this seems like an incredible security vulnerability then you’re not alone, and a team at Black Hat Europe 2017 has demonstrated yet another flaw in this black box (PDF), allowing arbitrary code execution and bypassing many of the known ME protections.

    [Mark Ermolov] and [Maxim Goryachy] are the two-man team that discovered this exploit, only the second of its kind in the 12 years that the ME has been deployed. Luckily, this exploit can’t be taken advantage of (yet) unless an attacker has physical access to the device. Intel’s firmware upgrades also do not solve the problem because the patches still allow for use of older versions of the ME.

  16. Tomi Engdahl says:

    Over the past 12 years,
    only one
    vulnerability allowing execution of
    arbitrary code
    on ME has been found!

    Now we have two of them!

    Potential attack vectors
    (ways to impact)

    Local communication interface (HECI)

    Network (vPro only)


    Host memory (UMA)

    Firmware SPI layout

    Internal file system


    Main interface for communication between host and

    Represented as PCI device

    Transports dozens of ME service protocols

    Undocumented; some protocol formats can be found in

    MEBx and BIOS use HECI to set up ME

    Used by Intel tools for updating and manufacture

  17. Tomi Engdahl says:

    An open and updated letter to Intel by Andrew S. Tanenbaum – Creator of MINIX. Minix is used by Intel ME as a spy engine. Why is Intel not listing to its customers? Why not release a patch/firmware updated that allows to disable Intel ME? Does Intel have some hidden agenda or agreement with the governments to keep spy engine running on my PC?

  18. Tomi Engdahl says:

    Also AMD has something somewhat similar management and vulnerability in it:

    Security hole in AMD CPUs’ hidden secure processor code revealed ahead of patches
    Googler drops bug bomb in public – but don’t panic

    Cfir Cohen, a security researcher from Google’s cloud security team, on Wednesday disclosed a vulnerability in the fTMP of AMD’s Platform Security Processor (PSP), which resides on its 64-bit x86 processors and provides administrative functions similar to the Management Engine in Intel chipsets.

    This sounds bad. It’s not as bad as you think.

    The fTMP is a firmware implementation of the Trusted Platform Module, a security-oriented microcontroller specification. Cohen said he reported the flaw to AMD in late September last year, and the biz apparently had a fix ready by December 7. Now that the 90-day disclosure window has passed seemingly without any action by AMD, details about the flaw have been made public.

    A firmware update emerged for some AMD chips in mid-December, with an option to at least partially disable the PSP. However, a spokesperson for the tech giant said on Friday this week that the above fTMP issue will be addressed in an update due out this month, January 2018.

    As AMD explains it, the PSP – referred to as AMD Secure Technology – monitors the security environment for the processor, managing the boot process, initializing security mechanisms, and checking for suspect activity.

    It includes an embedded ARM microcontroller, cryptographic coprocessor, local memory, registers, and interfaces, not to mention the Environment Management Control block that oversees processor security checking. It runs the Trustonic TEE (Trusted Execution Environment) as its security kernel. It can also access system RAM and IO.

    The flaw, identified through manual static analysis, involves a stack-based overflow in a function called EkCheckCurrentCert, which is called from another function TPM2_CreatePrimary with an endorsement key (EK) certificate stored in non-volatile storage.

    An AMD spokesperson told The Register that an attacker would first have to gain access to the motherboard and then modify SPI-Flash before the issue could be exploited. But given those conditions, the attacker would have access to the information protected by the TPM, such as cryptographic keys.

  19. Tomi Engdahl says:

    January 12, 2018 | Business Security

    Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
    Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

    Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

    The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

    To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

    Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

    Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk.

  20. Tomi Engdahl says:

    Siemens Releases BIOS Updates to Patch Intel Chip Flaws

    Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.

    Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.

    Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.


Leave a Comment

Your email address will not be published. Required fields are marked *