Intel AMT Firmware Vulnerability CVE-2017-5689

https://www.ssh.com/vulnerability/intel-amt/

This page by SSH collects information, fixes, and analyses of the Intel AMT Firmare remote code execution vulnerability of May 1, 2017 (CVE-2017-5689).
Your servers are in danger now through Intel AMT technology! 

AMT enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets. Essentially, AMT allows remote access to the system’s memory and disk over the network while the operating system is running. 

The exploit is trival, max five lines of Python, could be doable in one-line shell command. IT GIVES FULL CONTROL OF AFFECTED MACHINES, INCLUDING ABILITY TO READ AND MODIFY EVERYTHING.

DISABLE AMT TODAY! ASK QUESTIONS LATER. 

For data centers, if you can, FIREWALL THEM OFF. Block ports 16992, 16993, 16994, 16995, 623, 664 NOW.

See Embedi white paper on the Intel AMT Vulnerability Exploitation details

In essence, the web user interface uses HTTP digest authentication for the admin account. Send an empty digest response, and you are in. That simple. 

This is worse than giving everyone root access on every server whose AMT port they can communicate with. And to every virtual machine, container, and database running on those servers.

I wish the world would have been given a few weeks to fix this.

Expect exploits over the weekend. 


49 Comments

  1. Tomi Engdahl says:

    This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound.

    Reply
  2. Tomi Engdahl says:

    Intel Active Management Technology
    https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

    Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers,[1][2][3][4][5] in order to monitor, maintain, update, upgrade, and repair them.[1] Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.[1][2]

    Hardware-based management works at a different level from software applications, uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent.

    AMT is designed into a secondary (service) processor located on the motherboard,[8] and uses TLS-secured communication and strong encryption to provide additional security.[2] AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.

    Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.

    Reply
  3. Tomi Engdahl says:

    Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017

    Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
    Intel ID: INTEL-SA-00075
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

    For general guidance on this issue please see https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Reply
  4. Tomi Engdahl says:

    Important Security Information about Intel Manageability Firmware
    https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Update: Details of how to exploit this vulnerability are now public. It is important to take steps to secure vulnerable systems as soon as possible. See our mitigation guide or customer service details below.

    We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software. We expect computer-makers to make updates available beginning the week of May 8 and continuing thereafter.

    Until firmware updates are available, we urge people and companies using business PCs and devices that incorporate AMT, ISM or SBT to take the following steps to maintain the security of their systems and information:

    Identifying vulnerable systems

    On May 4, we released a downloadable discovery tool that will analyze your system for the vulnerability.

    IT professionals who are familiar with the configuration of their systems and networks can use this tool, or can see our security advisory for full details on vulnerability detection and mitigation.

    INTEL-SA-00075 Detection Guide
    https://downloadcenter.intel.com/download/26755

    Reply
  5. Tomi Engdahl says:

    Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
    Intel ID: INTEL-SA-00075
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    Reply
  6. Tomi Engdahl says:

    INTEL-SA-00075 Mitigation Guide
    https://downloadcenter.intel.com/download/26754

    The procedural steps for implementing the
    mitigation are as follows:
    1 Unprovisioning Intel manageability SKU clients to mitigate unprivileged network attacker from gaining system privileges
    2. Disabling or removing the Local Manageability Service (LMS) to mitigate unprivileged local attacker from gaining system privileges
    3. Optionally configuring local manageability configuration restrictions

    Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability. For provision systems, unprovisioning must be performed prior to disabling or removing the LMS.

    When configured, Intel® AMT and ISM automatically listen for management traffic over your computer network.

    Process to disable LMS

    Run the following command from a command prompt with administrative rights:

    sc config LMS start=disabled

    Reply
  7. Tomi Engdahl says:

    Rediscovering the Intel AMT Vulnerability
    No PoC, No Patch, No Problem!
    https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

    On May 1, 2017 Intel disclosed the AMT vulnerability (INTEL-SA-00075), but details of that vulnerability were not made public. However, Tenable researchers were able to overcome this challenge and make Tenable the first to deliver Intel AMT vulnerability detection capabilities to customers, just minutes after Intel’s announcement yesterday. This is the story of how we did it.

    within minutes of the Intel deadline, Tenable was able to give customers a detection plugin (Nessus plugin 97999) to help them know exactly where they are exposed to the Intel AMT vulnerability so they can continue to confidently manage cyber risk to the business.

    Reply
  8. Tomi Engdahl says:

    How to remote hijack computers using Intel’s insecure chips: Just use an empty login string
    Exploit to pwn systems using vPro and AMT
    https://www.google.fi/amp/s/www.theregister.co.uk/AMP/2017/05/05/intel_amt_remote_exploit/

    You can remotely commandeer and control computers that use vulnerable Intel chipsets by sending them empty authentication strings.

    You read that right. When you’re expected to send a password hash, you send zero bytes. Nothing. Nada. And you’ll be rewarded with powerful low-level access to a vulnerable box’s hardware from across the network – or across the internet if the management interface faces the public web.

    Remember that the next time Intel, a $180bn international semiconductor giant, talks about how important it treats security.

    AMT is designed to allow IT admins to remotely log into the guts of computers so they can reboot a knackered machine, repair and tweak the operating system, install a new OS, access a virtual serial console, or gain full-blown remote desktop access via VNC. It is, essentially, god mode.

    Normally, AMT is password protected.
    This week it emerged this authentication can be bypassed

    Today we’ve learned it is trivial to exploit this flaw, allowing anyone to gain control of vulnerable systems without a password.

    AMT is accessed over the network via a bog-standard web interface: the service listens on ports 16992 and 16993. Visiting this with a browser brings up a prompt for a password

    Thanks go to Embedi, which reverse engineered the code [PDF] and also reported the flaw to Intel back in March.

    We recommend you use Intel’s utility to double check whether or not you are being silently menaced by this bug.

    Now we play the waiting game: Show us the fixes

    HP Inc
    Patches are due to arrive toward the end of this month and into June, depending on the product family.

    Lenovo

    The PC slinger has an extensive page here detailing which machines are affected, and when fixes are likely to land – mostly from May 24 onwards into June.

    Apple’s x86-powered Macs are not affected as they do not ship with Intel’s AMT software.

    Reply
  9. Tomi Engdahl says:

    How to remote hijack computers using Intel’s insecure chips: Just use an empty login string
    Exploit to pwn systems using vPro and AMT
    https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

    Reply
  10. Tomi Engdahl says:

    The Intel remote vulnerability is much, much worse than you thought
    https://www.privateinternetaccess.com/blog/2017/05/intel-remote-vulnerability-much-much-worse-thought/

    The Intel remote vulnerability which was recently disclosed has been discussed in more detail, and it’s much, much worse than you thought. It’s not just that the Intel servers are vulnerable to remote access. It’s that it’s trivial to invoke it, and that the access happens over the regular network line.

    A few days ago, Intel issued an advisory that all its systems less than ten years old were vulnerable to remote takeover by read and write; somebody could use sidestep the installed operating system, invoke the hardware management circuits, and access a server memory. In terms of badness, this is “really really bad”

    In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged access to the entire server memory.

    It would appear that the fault stems from being overprotective against buffer overrun vulnerabilities (limiting the password check to the length of the provided input) but getting the logic catastrophically wrong in the process.

    It’s hard to overstate how catastrophic this is. I want to underscore, again, that this is independent of the operating system and independent of whatever you’re running on the machine.

    the vulnerable management system works on your ordinary wired LAN, essentially hijacking a couple of ports for its own purposes from your normal traffic

    Let’s take that again: a blank password to an always-open port sidesteps every single bit of authentication and security that is otherwise present.

    If you have a firewall on an Intel box, that firewall is compromised through its exposure to the outside world (which it is supposed to protect from).

    If you are running anything virtualized on an unfixed Intel box, then the memory of all of those machines, as well as their virtual hardware, are accessible

    According to Intel, this management system operates on ports 623, 664, 5900 (VNC), and 16992-16995. If your server is answering on any of those ports – and you should check your firewall too – then you should act very quickly on this, now that details of the exploit are in the wild.

    Your security remains your own responsibility

    Reply
  11. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Intel remote management flaw more severe than first thought, allows hijacking using any authentication string; Intel expects patches to arrive in coming week

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

    Reply
  12. Tomi Engdahl says:

    Why Must Intel AMT Be Configured, and What is Required?
    https://www.symantec.com/connect/articles/why-must-intel-amt-be-configured-and-what-required

    Communications to Intel AMT commonly occur on the same IP address, specifically when the system is using DHCP issued IPv4 addresses. Traffic on ports 16992-16995 are directly intercepted by Intel AMT within the chipset before being passed to the host operating system… once Intel AMT is in a configured and accessible state.

    If a firewall is running on the target client, in a wired mode the Intel AMT traffic occurs below the operating system and the firewall. If the host operating system is not available, Intel AMT will continue to operate so long as power is attached and a network connection is present.

    Reply
  13. Tomi Engdahl says:

    Discovery of the vulnerability is attributed to Embedi researcher Maks Malyutin. The vulnerability is said to have been discovered in mid-February, and reported to Intel on March 3. Intel published its advisory about it on May 1, 2017.

    However, Internet scans for for ports 16992 and 16993 associated with AMT started skyrocketing already in March and April.

    Semiaccurate has published an excellent article about the details, impacts, and history of this vulnerability. The author, Charlie Demerjian, claims to have known of the vulnerability for over five years and having discussed it with dozens of Intel representatives but been unable to publish it.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Remote security exploit in all 2008+ Intel platforms
    Updated 2x: Nehalem through Kaby all remotely and locally hackable
    https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

    Reply
  14. Tomi Engdahl says:

    Vulnerability or Backdoor

    One is left wondering if Intel only released the vulnerability now because it had leaked and port scans for it had escalated in a way that forced its hand. This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound. In any case, if it is true that Intel has known of the vulnerability for years, then it can only be considered an intentional backdoor.

    This is exactly the kind of vulnerability one could imagine intelligence agencies trying to push vendors to leave in their code. In any case, we may see immeasurable damanage as malware starts utilizing this on a large scale on internal networks.

    mpact

    The AMT ports are usually not visible to the public Interne. One researcher was quoted saying there are “only” 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations runs on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Reply
  15. Tomi Engdahl says:

    Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
    https://mattermedia.com/blog/disabling-intel-amt/

    Completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of the Intel Management Engine firmware.

    Reply
  16. Tomi Engdahl says:

    “Trust Us”

    From Slashdot, June 17, 2016:

    An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise

    https://yro.slashdot.org/story/16/06/17/1941228/is-the-secret-chip-in-intel-cpus-really-that-dangerous?sdsrc=rel

    Reply
  17. Tomi Engdahl says:

    Haavoittuvuus Intelin AMT-/vPro-etähallintajärjestelmää tukevissa tietokoneissa
    https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-080.html

    Reply
  18. Tomi Engdahl says:

    Intel patches remote hijacking vulnerability that lurked in chips for 7 years
    Flaw in remote management feature gives attackers a way to breach networks.
    https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/

    Reply
  19. Tomi Engdahl says:

    Master of Science Thesis
    Stockholm, Sweden 2010
    TRITA-ICT-EX-2010:37
    VASSILIOS VERVERIS
    Security Evaluation of Intel’s Active
    Management Technology
    https://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf

    Reply
  20. Tomi Engdahl says:

    Intel Finally Patches Critical AMT Bug (Kinda)
    https://www.darknet.org.uk/2017/05/intel-finally-patches-critical-amt-bug-kinda/

    Intel finally patches the critical AMT bug discovered in March by security researcher Maksim Malyutin at Embedi, I say ‘kinda’ because it’s not really up to Intel to deploy the fix to the problem. They can’t really push out updates to CPUs, but at least they have fixed it in the firmware and now the vendors have to supply the signed patches.

    This is the scary thing though when hardware manufacturers (without any easy way to patch or address security flaws) deploy completely out-of-band management systems that are TCP/IP enabled and almost definitely have security flaws.

    Perhaps we should just stick to consumer hardware..or not use Intel.

    Reply
  21. Tomi Engdahl says:

    INTEL-SA-00075 Detection Guide
    https://downloadcenter.intel.com/download/26755

    The INTEL-SA-00075 Detection Guide will step you through multiple processes to detect INTEL-SA-00075. For more information, read the Public Security Advisory.

    The INTEL-SA-00075 Discovery Tool can be used by local users or an IT administrator to determine whether a system is vulnerable to the exploit documented in Intel Security Advisory INTEL-SA-00075. It is offered in two versions. The first is an interactive GUI tool that, when run, discovers the hardware and software details of the device and provides indication of risk assessment. This version is recommended when local evaluation of the system is desired. The second version of the Discovery Tool is a console executable that saves the discovery information to the Windows* registry and/or to an XML file. This version is more convenient for IT administrators wishing to perform bulk discovery across multiple machines to find systems to target for firmware updates or to implement mitigations.

    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    Reply
  22. Tomi Engdahl says:

    HPSBHF03557 rev. 1 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation
    https://support.hp.com/us-en/document/c05507350

    HP is working closely with Intel to test, validate and implement Intel’s firmware update and assist our customers in mitigation of potential risks based on a newly reported Intel vulnerability.

    Please visit the following page for the most up-to-date information regarding mitigation and resolution:
    http://www.hp.com/go/intelmanageabilityissue

    Reply
  23. Tomi Engdahl says:

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    a normal browser would never send an empty response, even when you enter an empty password. It would always send a 32 hex digit MD5 hash looking like this:

    response=”6629fae49393a05397450978507c4ef1″

    The server would then compute the same hash, and compare them. If they are equal, it allows login, if they are different it denies login.

    The bug was in the code to compare the two strings. It used the strncmp function that compares the first N characters of two strings:

    strncmp(string1, string2, N)

    And applied it to the computed hash and the hash response received from the browser, with N set to the length of the response received from the browser, so something like:

    strncmp(computed_hash, response, strlen(response))

    This would work just fine for hashes sent by the browser, which are always 32 characters in length.

    So anyone testing this from a browser would find it works perfectly.

    The problem is what happens if you don’t use a browser, but you generate an invalid request manually or using a proxy to alter the response, sending an empty string instead of the 32 character hash.

    This means the function will compare the first 0 characters between the two strings.

    Of course, two 0 length strings are equal, so it wrongfully concludes the hashes are equal.

    Reply
  24. Tomi Engdahl says:

    In a blog post published Friday, Intel officials said they expect PC makers to release a patch next week. The releases will update Intel firmware, meaning patching will require that each vulnerable chip set is reflashed. In the meantime, Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers. Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied. Computer makers Fujitsu, HP, and Lenovo, have also issued advisories for specific models they sell.

    Important Security Information about Intel Manageability Firmware
    https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Reply
  25. Tomi Engdahl says:

    [Update, 5:40pm EDT] A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone:

    Source: https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    Reply
  26. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Flaw in Intel chipsets’ remote management allows hijacking using any authentication string; HP, Lenovo, others issue advisories; Intel expects patches next week — Patch for severe authentication bypass bug won’t be available until next week. — A remote hijacking flaw that lurked …

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    Reply
  27. Tomi Engdahl says:

    Intel ID: INTEL-SA-00075
    Product family: Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

    There are two ways this vulnerability may be accessed please note that Intel® Small Business Technology is not vulnerable to the first issue.

    An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Reply
  28. Tomi Engdahl says:

    Intel chip vulnerability sends corporate cyber teams scrambling
    https://www.cyberscoop.com/patch-terrifying-intel-chip-vulnerability-amt/

    orporate IT departments across the globe were scrambling Tuesday to figure out if their networks were hit by a vulnerability in Intel processors that opened the chips up to hackers.

    Intel announced the existence of vulnerability CVE-2017-5689 in its Active Management Technology, or AMT, firmware on Monday, saying it had not been exploited in the wild.

    “An unprivileged network attacker could gain system privileges,” by remotely exploiting the vulnerability, the company said, revealing that it impacted chips shipped since 2008, but not ones used in consumer personal computers.

    “Yes, this is terrifying,” wrote security researcher Matthew Garrett on his blog.

    Reply
  29. Tomi Engdahl says:

    Intel’s remote AMT vulnerablity
    http://mjg59.dreamwidth.org/48429.html

    Active Management Technology
    AMT is intended to provide IT departments with a means to manage client systems. When AMT is enabled, any packets sent to the machine’s wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT – the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console. Access to AMT requires a password – the implication of this vulnerability is that that password can be bypassed.
    Remote management
    AMT has two types of remote console: emulated serial and full graphical. The emulated serial console requires only that the operating system run a console on that serial port, while the graphical environment requires drivers on the OS side requires that the OS set a compatible video mode but is also otherwise OS-independent[2].

    How bad is this
    That depends. Unless you’ve explicitly enabled AMT at any point, you’re probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don’t have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…
    How do I know if I have it enabled?
    Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:

    1) A supported CPU
    2) A supported chipset
    3) Supported network hardware
    4) The ME firmware to contain the AMT firmware

    How about over Wifi?
    Turning on AMT doesn’t automatically turn it on for wifi. AMT will also only connect itself to networks it’s been explicitly told about. Where things get more confusing is that once the OS is running, responsibility for wifi is switched from the ME to the OS and it forwards packets to AMT. I haven’t been able to find good documentation on whether having AMT enabled for wifi results in the OS forwarding packets to AMT on all wifi networks or only ones that are explicitly configured.

    What should I do?
    Make sure AMT is disabled. If it’s your own computer, you should then have nothing else to worry about. If you’re a Windows admin with untrusted users, you should also disable or uninstall LMS by following these instructions.

    Reply
  30. Tomi Engdahl says:

    Does this mean every Intel system built since 2008 can be taken over by hackers?
    No. Most Intel systems don’t ship with AMT. Most Intel systems with AMT don’t have it turned on.

    Reply
  31. Tomi Engdahl says:

    An authentication bypass vulnerability, which will be later known as
    CVE-2017-5689, was originally discovered in mid-February of 2017

    Source: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

    Reply
  32. Tomi Engdahl says:

    Use configuration baseline disable windows service
    http://www.thesccm.com/use-configuration-baseline-disable-windows-service/

    In Intel Mitigation Guide https://downloadcenter.intel.com/download/26754 , it mentions about disable LMS service, so here is a sample how to use SCCM compliance settings disable LMS service.

    Reply
  33. Tomi Engdahl says:

    Exploitable Details of Intel’s ‘Apocalyptic’ AMT Firmware Vulnerability Disclosed
    http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed

    Details of the Intel AMT firmware vulnerability announced on May 1, 2017 are now public knowledge; and the suggestion that ‘this is somewhere between nightmarish and apocalyptic’ has been proven correct.

    One day after Intel’s alert, Embedi (the firm that discovered the vulnerability back in February this year) published a brief note. One particular sentence stood out to researchers at Tenable: “With 100 percent certainty it is not an RCE but rather a logical vulnerability.”

    This persuaded Tenable to look at ‘authentication’ as the possible basis for a logical flaw that allows remote access. Within one day it discovered the flaw by trial and error — and experience.

    “Drawing on past experience,” explains Carlos Perez, Tenable’s director of reverse engineering in a blog post last Friday, “when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded!”

    Further tests showed that a NULL/empty response hash (response=”” in the HTTP Authorization header) still worked. “We had discovered a complete bypass of the authentication scheme.”

    Reply
  34. Tomi Engdahl says:

    IMPACT

    The AMT ports are usually not visible to the public Interne. One researcher was quoted saying there are “only” 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations runs on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Reply
  35. Tomi Engdahl says:

    Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
    https://mattermedia.com/blog/disabling-intel-amt/

    Reply
  36. Tomi Engdahl says:

    SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
    http://caslab.csl.yale.edu/workshops/hasp2016/HASP16-09_slides.pdf

    Reply
  37. Tomi Engdahl says:

    Intel’s Management Engine is a security hazard, and users need a way to disable it
    https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

    Intel’s CPUs have another Intel inside.

    Since 2008, most of Intel’s chipsets have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

    Reply
  38. Tomi Engdahl says:

    Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls
    https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

    Microsoft’s security team has come across a malware family that uses Intel’s Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

    Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer’s networking stack, so local firewalls or security products won’t be able to detect or block the malware while it’s exfiltrating data from infected hosts.

    Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

    Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers

    Reply
  39. Tomi Engdahl says:

    Intel AMT bug bit Siemens industrial PCs
    Patches issued for 38 products, plus bonus Web portal bug-fix
    https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/

    You don’t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.

    The bug in Intel’s Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in processors since 2010.

    In Siemens’s case, 38 product series use vulnerable Intel chipsets (the company lists them in this PDF). They include SIMATIC industrial PCs, SINUMERIK control panels and SIMOTION P320 PCs.

    The company has shipped patches for the SIMATIC PCs, but is still working on the control panel products.

    https://support.industry.siemens.com/cs/document/109747626/updating-the-intel-management-engine-bios-extension-for-simatic-ipcs-and-simatic-field-pgs?dti=0&lc=en-WW

    Reply
  40. Tomi Engdahl says:

    Intel ME controller chip has secret kill switch
    Researchers find undocumented accommodation for government customers
    https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

    Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

    Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

    If compromised, it becomes a backdoor, giving an attacker control over the affected device.

    That possibility set off alarms in May, with the disclosure of a vulnerability in Intel’s Active Management Technology, a firmware application that runs on the Intel ME.

    The revelation prompted calls for a way to disable the poorly understood hardware. At the time, the Electronic Frontier Foundation called it a security hazard. The tech advocacy group demanded a way to disable “the undocumented master controller inside our Intel chips” and details about how the technology works.

    An unofficial workaround called ME Cleaner can partially hobble the technology, but cannot fully eliminate it.

    On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.

    HAP stands for high assurance platform. It’s an IT security framework developed by the US National Security Agency

    Disabling Intel ME 11 via undocumented mode
    http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*