Intel AMT Firmware Vulnerability CVE-2017-5689

https://www.ssh.com/vulnerability/intel-amt/

This page by SSH collects information, fixes, and analyses of the Intel AMT Firmware remote code execution vulnerability of May 1, 2017 (CVE-2017-5689).
Your servers are in danger now through Intel AMT technology! 

AMT enables remote management of the servers, including remote operating system installation. It is included in all modern Intel Xeon processors and associated chipsets. Essentially, AMT allows remote access to the system’s memory and disk over the network while the operating system is running. 

The exploit is trivial, max five lines of Python, could be doable in a one-line shell command. IT GIVES FULL CONTROL OF AFFECTED MACHINES, INCLUDING ABILITY TO READ AND MODIFY EVERYTHING.

DISABLE AMT TODAY! ASK QUESTIONS LATER. 

For data centers, if you can, FIREWALL THEM OFF. Block ports 16992, 16993, 16994, 16995, 623, 664 NOW.

See Embedi white paper on the Intel AMT Vulnerability Exploitation details

In essence, the web user interface uses HTTP digest authentication for the admin account. Send an empty digest response, and you are in. That simple. 

This is worse than giving everyone root access on every server whose AMT port they can communicate with. And to every virtual machine, container, and database running on those servers.

I wish the world would have been given a few weeks to fix this.

Expect exploits over the weekend. 


72 Comments

  1. Tomi Engdahl says:

    This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound.

    Reply
  2. Tomi Engdahl says:

    Intel Active Management Technology
    https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

    Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers,[1][2][3][4][5] in order to monitor, maintain, update, upgrade, and repair them.[1] Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.[1][2]

    Hardware-based management works at a different level from software applications, uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent.

    AMT is designed into a secondary (service) processor located on the motherboard,[8] and uses TLS-secured communication and strong encryption to provide additional security.[2] AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.

    Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family.

    Reply
  3. Tomi Engdahl says:

    Intel has confirmed a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1 May 2017

    Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
    Intel ID: INTEL-SA-00075
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

    For general guidance on this issue please see https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Reply
  4. Tomi Engdahl says:

    Important Security Information about Intel Manageability Firmware
    https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Update: Details of how to exploit this vulnerability are now public. It is important to take steps to secure vulnerable systems as soon as possible. See our mitigation guide or customer service details below.

    We have implemented and validated a firmware update to address the problem and we are collaborating with computer-makers to facilitate a rapid and smooth integration with their software. We expect computer-makers to make updates available beginning the week of May 8 and continuing thereafter.

    Until firmware updates are available, we urge people and companies using business PCs and devices that incorporate AMT, ISM or SBT to take the following steps to maintain the security of their systems and information:

    Identifying vulnerable systems

    On May 4, we released a downloadable discovery tool that will analyze your system for the vulnerability.

    IT professionals who are familiar with the configuration of their systems and networks can use this tool, or can see our security advisory for full details on vulnerability detection and mitigation.

    INTEL-SA-00075 Detection Guide
    https://downloadcenter.intel.com/download/26755

    Reply
  5. Tomi Engdahl says:

    Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
    Intel ID: INTEL-SA-00075
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    Reply
  6. Tomi Engdahl says:

    INTEL-SA-00075 Mitigation Guide
    https://downloadcenter.intel.com/download/26754

    The procedural steps for implementing the mitigation are as follows:
    1. Unprovisioning Intel manageability SKU clients to mitigate unprivileged network attacker from gaining system privileges
    2. Disabling or removing the Local Manageability Service (LMS) to mitigate unprivileged local attacker from gaining system privileges
    3. Optionally configuring local manageability configuration restrictions

    Intel highly recommends that the first step in all mitigation paths is to unprovision the Intel manageability SKU to address the network privilege escalation vulnerability. For provision systems, unprovisioning must be performed prior to disabling or removing the LMS.

    When configured, Intel® AMT and ISM automatically listen for management traffic over your computer network.

    Process to disable LMS

    Run the following command from a command prompt with administrative rights:

    sc config LMS start=disabled

    Reply
  7. Tomi Engdahl says:

    Rediscovering the Intel AMT Vulnerability
    No PoC, No Patch, No Problem!
    https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

    On May 1, 2017 Intel disclosed the AMT vulnerability (INTEL-SA-00075), but details of that vulnerability were not made public. However, Tenable researchers were able to overcome this challenge and make Tenable the first to deliver Intel AMT vulnerability detection capabilities to customers, just minutes after Intel’s announcement yesterday. This is the story of how we did it.

    within minutes of the Intel deadline, Tenable was able to give customers a detection plugin (Nessus plugin 97999) to help them know exactly where they are exposed to the Intel AMT vulnerability so they can continue to confidently manage cyber risk to the business.

    Reply
  8. Tomi Engdahl says:

    How to remote hijack computers using Intel’s insecure chips: Just use an empty login string
    Exploit to pwn systems using vPro and AMT
    https://www.google.fi/amp/s/www.theregister.co.uk/AMP/2017/05/05/intel_amt_remote_exploit/

    You can remotely commandeer and control computers that use vulnerable Intel chipsets by sending them empty authentication strings.

    You read that right. When you’re expected to send a password hash, you send zero bytes. Nothing. Nada. And you’ll be rewarded with powerful low-level access to a vulnerable box’s hardware from across the network – or across the internet if the management interface faces the public web.

    Remember that the next time Intel, a $180bn international semiconductor giant, talks about how important it treats security.

    AMT is designed to allow IT admins to remotely log into the guts of computers so they can reboot a knackered machine, repair and tweak the operating system, install a new OS, access a virtual serial console, or gain full-blown remote desktop access via VNC. It is, essentially, god mode.

    Normally, AMT is password protected.
    This week it emerged this authentication can be bypassed

    Today we’ve learned it is trivial to exploit this flaw, allowing anyone to gain control of vulnerable systems without a password.

    AMT is accessed over the network via a bog-standard web interface: the service listens on ports 16992 and 16993. Visiting this with a browser brings up a prompt for a password

    Thanks go to Embedi, which reverse engineered the code [PDF] and also reported the flaw to Intel back in March.

    We recommend you use Intel’s utility to double check whether or not you are being silently menaced by this bug.

    Now we play the waiting game: Show us the fixes

    HP Inc
    Patches are due to arrive toward the end of this month and into June, depending on the product family.

    Lenovo

    The PC slinger has an extensive page here detailing which machines are affected, and when fixes are likely to land – mostly from May 24 onwards into June.

    Apple’s x86-powered Macs are not affected as they do not ship with Intel’s AMT software.

    Reply
  9. Tomi Engdahl says:

    How to remote hijack computers using Intel’s insecure chips: Just use an empty login string
    Exploit to pwn systems using vPro and AMT
    https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

    Reply
  10. Tomi Engdahl says:

    The Intel remote vulnerability is much, much worse than you thought
    https://www.privateinternetaccess.com/blog/2017/05/intel-remote-vulnerability-much-much-worse-thought/

    The Intel remote vulnerability which was recently disclosed has been discussed in more detail, and it’s much, much worse than you thought. It’s not just that the Intel servers are vulnerable to remote access. It’s that it’s trivial to invoke it, and that the access happens over the regular network line.

    A few days ago, Intel issued an advisory that all its systems less than ten years old were vulnerable to remote takeover by read and write; somebody could sidestep the installed operating system, invoke the hardware management circuits, and access the server's memory. In terms of badness, this is “really really bad”

    In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged access to the entire server memory.

    It would appear that the fault stems from being overprotective against buffer overrun vulnerabilities (limiting the password check to the length of the provided input) but getting the logic catastrophically wrong in the process.

    It’s hard to overstate how catastrophic this is. I want to underscore, again, that this is independent of the operating system and independent of whatever you’re running on the machine.

    the vulnerable management system works on your ordinary wired LAN, essentially hijacking a couple of ports for its own purposes from your normal traffic

    Let’s take that again: a blank password to an always-open port sidesteps every single bit of authentication and security that is otherwise present.

    If you have a firewall on an Intel box, that firewall is compromised through its exposure to the outside world (which it is supposed to protect from).

    If you are running anything virtualized on an unfixed Intel box, then the memory of all of those machines, as well as their virtual hardware, are accessible

    According to Intel, this management system operates on ports 623, 664, 5900 (VNC), and 16992-16995. If your server is answering on any of those ports – and you should check your firewall too – then you should act very quickly on this, now that details of the exploit are in the wild.

    Your security remains your own responsibility

    Reply
  11. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Intel remote management flaw more severe than first thought, allows hijacking using any authentication string; Intel expects patches to arrive in coming week

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

    Reply
  12. Tomi Engdahl says:

    Why Must Intel AMT Be Configured, and What is Required?
    https://www.symantec.com/connect/articles/why-must-intel-amt-be-configured-and-what-required

    Communications to Intel AMT commonly occur on the same IP address, specifically when the system is using DHCP issued IPv4 addresses. Traffic on ports 16992-16995 are directly intercepted by Intel AMT within the chipset before being passed to the host operating system… once Intel AMT is in a configured and accessible state.

    If a firewall is running on the target client, in a wired mode the Intel AMT traffic occurs below the operating system and the firewall. If the host operating system is not available, Intel AMT will continue to operate so long as power is attached and a network connection is present.

    Reply
  13. Tomi Engdahl says:

    Discovery of the vulnerability is attributed to Embedi researcher Maks Malyutin. The vulnerability is said to have been discovered in mid-February, and reported to Intel on March 3. Intel published its advisory about it on May 1, 2017.

    However, Internet scans for ports 16992 and 16993 associated with AMT started skyrocketing already in March and April.

    Semiaccurate has published an excellent article about the details, impacts, and history of this vulnerability. The author, Charlie Demerjian, claims to have known of the vulnerability for over five years and having discussed it with dozens of Intel representatives but been unable to publish it.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Remote security exploit in all 2008+ Intel platforms
    Updated 2x: Nehalem through Kaby all remotely and locally hackable
    https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

    Reply
  14. Tomi Engdahl says:

    Vulnerability or Backdoor

    One is left wondering if Intel only released the vulnerability now because it had leaked and port scans for it had escalated in a way that forced its hand. This kind of vulnerability is extremely valuable for intelligence and cyberwarfare operations, and various conspiracy theories abound. In any case, if it is true that Intel has known of the vulnerability for years, then it can only be considered an intentional backdoor.

    This is exactly the kind of vulnerability one could imagine intelligence agencies trying to push vendors to leave in their code. In any case, we may see immeasurable damage as malware starts utilizing this on a large scale on internal networks.

    Impact

    The AMT ports are usually not visible to the public Internet. One researcher was quoted saying there are “only” 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations run on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Reply
  15. Tomi Engdahl says:

    Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
    https://mattermedia.com/blog/disabling-intel-amt/

    Completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of the Intel Management Engine firmware.

    Reply
  16. Tomi Engdahl says:

    “Trust Us”

    From Slashdot, June 17, 2016:

    An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise

    https://yro.slashdot.org/story/16/06/17/1941228/is-the-secret-chip-in-intel-cpus-really-that-dangerous?sdsrc=rel

    Reply
  17. Tomi Engdahl says:

    Vulnerability in computers supporting Intel's AMT/vPro remote management system
    https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-080.html

    Reply
  18. Tomi Engdahl says:

    Intel patches remote hijacking vulnerability that lurked in chips for 7 years
    Flaw in remote management feature gives attackers a way to breach networks.
    https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/

    Reply
  19. Tomi Engdahl says:

    Master of Science Thesis
    Stockholm, Sweden 2010
    TRITA-ICT-EX-2010:37
    VASSILIOS VERVERIS
    Security Evaluation of Intel’s Active Management Technology
    https://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf

    Reply
  20. Tomi Engdahl says:

    Intel Finally Patches Critical AMT Bug (Kinda)
    https://www.darknet.org.uk/2017/05/intel-finally-patches-critical-amt-bug-kinda/

    Intel finally patches the critical AMT bug discovered in March by security researcher Maksim Malyutin at Embedi, I say ‘kinda’ because it’s not really up to Intel to deploy the fix to the problem. They can’t really push out updates to CPUs, but at least they have fixed it in the firmware and now the vendors have to supply the signed patches.

    This is the scary thing though when hardware manufacturers (without any easy way to patch or address security flaws) deploy completely out-of-band management systems that are TCP/IP enabled and almost definitely have security flaws.

    Perhaps we should just stick to consumer hardware..or not use Intel.

    Reply
  21. Tomi Engdahl says:

    INTEL-SA-00075 Detection Guide
    https://downloadcenter.intel.com/download/26755

    The INTEL-SA-00075 Detection Guide will step you through multiple processes to detect INTEL-SA-00075. For more information, read the Public Security Advisory.

    The INTEL-SA-00075 Discovery Tool can be used by local users or an IT administrator to determine whether a system is vulnerable to the exploit documented in Intel Security Advisory INTEL-SA-00075. It is offered in two versions. The first is an interactive GUI tool that, when run, discovers the hardware and software details of the device and provides indication of risk assessment. This version is recommended when local evaluation of the system is desired. The second version of the Discovery Tool is a console executable that saves the discovery information to the Windows* registry and/or to an XML file. This version is more convenient for IT administrators wishing to perform bulk discovery across multiple machines to find systems to target for firmware updates or to implement mitigations.

    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    Reply
  22. Tomi Engdahl says:

    HPSBHF03557 rev. 1 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Remote Privilege Escalation
    https://support.hp.com/us-en/document/c05507350

    HP is working closely with Intel to test, validate and implement Intel’s firmware update and assist our customers in mitigation of potential risks based on a newly reported Intel vulnerability.

    Please visit the following page for the most up-to-date information regarding mitigation and resolution:
    http://www.hp.com/go/intelmanageabilityissue

    Reply
  23. Tomi Engdahl says:

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    a normal browser would never send an empty response, even when you enter an empty password. It would always send a 32 hex digit MD5 hash looking like this:

    response=”6629fae49393a05397450978507c4ef1″

    The server would then compute the same hash, and compare them. If they are equal, it allows login, if they are different it denies login.

    The bug was in the code to compare the two strings. It used the strncmp function that compares the first N characters of two strings:

    strncmp(string1, string2, N)

    And applied it to the computed hash and the hash response received from the browser, with N set to the length of the response received from the browser, so something like:

    strncmp(computed_hash, response, strlen(response))

    This would work just fine for hashes sent by the browser, which are always 32 characters in length.

    So anyone testing this from a browser would find it works perfectly.

    The problem is what happens if you don’t use a browser, but you generate an invalid request manually or using a proxy to alter the response, sending an empty string instead of the 32 character hash.

    This means the function will compare the first 0 characters between the two strings.

    Of course, two 0 length strings are equal, so it wrongfully concludes the hashes are equal.

    Reply
  24. Tomi Engdahl says:

    In a blog post published Friday, Intel officials said they expect PC makers to release a patch next week. The releases will update Intel firmware, meaning patching will require that each vulnerable chip set is reflashed. In the meantime, Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers. Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied. Computer makers Fujitsu, HP, and Lenovo, have also issued advisories for specific models they sell.

    Important Security Information about Intel Manageability Firmware
    https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

    Reply
  25. Tomi Engdahl says:

    [Update, 5:40pm EDT] A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone:

    Source: https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    Reply
  26. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Flaw in Intel chipsets’ remote management allows hijacking using any authentication string; HP, Lenovo, others issue advisories; Intel expects patches next week — Patch for severe authentication bypass bug won’t be available until next week. — A remote hijacking flaw that lurked …

    The hijacking flaw that lurked in Intel chips is worse than anyone thought
    Patch for severe authentication bypass bug won’t be available until next week.
    https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/

    Reply
  27. Tomi Engdahl says:

    Intel ID: INTEL-SA-00075
    Product family: Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
    https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

    There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

    There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.

    An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
    CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
    CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Reply
  28. Tomi Engdahl says:

    Intel chip vulnerability sends corporate cyber teams scrambling
    https://www.cyberscoop.com/patch-terrifying-intel-chip-vulnerability-amt/

    Corporate IT departments across the globe were scrambling Tuesday to figure out if their networks were hit by a vulnerability in Intel processors that opened the chips up to hackers.

    Intel announced the existence of vulnerability CVE-2017-5689 in its Active Management Technology, or AMT, firmware on Monday, saying it had not been exploited in the wild.

    “An unprivileged network attacker could gain system privileges,” by remotely exploiting the vulnerability, the company said, revealing that it impacted chips shipped since 2008, but not ones used in consumer personal computers.

    “Yes, this is terrifying,” wrote security researcher Matthew Garrett on his blog.

    Reply
  29. Tomi Engdahl says:

    Intel’s remote AMT vulnerability
    http://mjg59.dreamwidth.org/48429.html

    Active Management Technology
    AMT is intended to provide IT departments with a means to manage client systems. When AMT is enabled, any packets sent to the machine’s wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT – the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console. Access to AMT requires a password – the implication of this vulnerability is that that password can be bypassed.
    Remote management
    AMT has two types of remote console: emulated serial and full graphical. The emulated serial console requires only that the operating system run a console on that serial port, while the graphical environment requires drivers on the OS side requires that the OS set a compatible video mode but is also otherwise OS-independent[2].

    How bad is this
    That depends. Unless you’ve explicitly enabled AMT at any point, you’re probably fine. The drivers that allow local users to provision the system would require administrative rights to install, so as long as you don’t have them installed then the only local users who can do anything are the ones who are admins anyway. If you do have it enabled, though…
    How do I know if I have it enabled?
    Yeah this is way more annoying than it should be. First of all, does your system even support AMT? AMT requires a few things:

    1) A supported CPU
    2) A supported chipset
    3) Supported network hardware
    4) The ME firmware to contain the AMT firmware

    How about over Wifi?
    Turning on AMT doesn’t automatically turn it on for wifi. AMT will also only connect itself to networks it’s been explicitly told about. Where things get more confusing is that once the OS is running, responsibility for wifi is switched from the ME to the OS and it forwards packets to AMT. I haven’t been able to find good documentation on whether having AMT enabled for wifi results in the OS forwarding packets to AMT on all wifi networks or only ones that are explicitly configured.

    What should I do?
    Make sure AMT is disabled. If it’s your own computer, you should then have nothing else to worry about. If you’re a Windows admin with untrusted users, you should also disable or uninstall LMS by following these instructions.

    Reply
  30. Tomi Engdahl says:

    Does this mean every Intel system built since 2008 can be taken over by hackers?
    No. Most Intel systems don’t ship with AMT. Most Intel systems with AMT don’t have it turned on.

    Reply
  31. Tomi Engdahl says:

    An authentication bypass vulnerability, which will be later known as CVE-2017-5689, was originally discovered in mid-February of 2017

    Source: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf

    Reply
  32. Tomi Engdahl says:

    Use configuration baseline disable windows service
    http://www.thesccm.com/use-configuration-baseline-disable-windows-service/

    In Intel Mitigation Guide https://downloadcenter.intel.com/download/26754 , it mentions about disable LMS service, so here is a sample how to use SCCM compliance settings disable LMS service.

    Reply
  33. Tomi Engdahl says:

    Exploitable Details of Intel’s ‘Apocalyptic’ AMT Firmware Vulnerability Disclosed
    http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed

    Details of the Intel AMT firmware vulnerability announced on May 1, 2017 are now public knowledge; and the suggestion that ‘this is somewhere between nightmarish and apocalyptic’ has been proven correct.

    One day after Intel’s alert, Embedi (the firm that discovered the vulnerability back in February this year) published a brief note. One particular sentence stood out to researchers at Tenable: “With 100 percent certainty it is not an RCE but rather a logical vulnerability.”

    This persuaded Tenable to look at ‘authentication’ as the possible basis for a logical flaw that allows remote access. Within one day it discovered the flaw by trial and error — and experience.

    “Drawing on past experience,” explains Carlos Perez, Tenable’s director of reverse engineering in a blog post last Friday, “when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded!”

    Further tests showed that a NULL/empty response hash (response=”” in the HTTP Authorization header) still worked. “We had discovered a complete bypass of the authentication scheme.”

    Reply
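    The Tenable quote above names the bug class exactly: a credential comparison whose length is taken from the attacker-supplied value, so a partial or empty digest response only has to match a prefix of the server's expected value. The C block below is an added illustration written for this thread (not Tenable's, Embedi's or Intel's code, and not the actual AMT firmware logic); it reproduces that comparison pattern beside a corrected verifier so a reader can see why an empty response string passes the first and fails the second. EXPECTED_DIGEST is a constructed 32-character placeholder standing in for the digest the server computed, not a real hash from any device.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed placeholder for the digest the server computed for the
 * request (HTTP Digest auth uses a 32-char hex MD5). Not a real value. */
static const char EXPECTED_DIGEST[] = "0123456789abcdef0123456789abcdef";

/* The vulnerable pattern quoted above:
 *     memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)
 * The comparison length comes from the supplied response, so a response
 * that is merely a prefix of the expected digest passes, and an empty
 * response compares zero bytes and always "matches".
 * (The over-long case is rejected here only so the demo never reads past
 * EXPECTED_DIGEST; the prefix/empty bug is deliberately kept.) */
int vulnerable_verify(const char *expected, const char *supplied)
{
    size_t supplied_len = strlen(supplied);
    if (supplied_len > strlen(expected))
        return 0;
    return memcmp(supplied, expected, supplied_len) == 0;
}

/* Hardened verifier: the server fixes the comparison length from its own
 * expected value, rejects any response of a different length (so "" and
 * prefixes fail), and compares every byte without an early exit so that
 * timing does not reveal how many leading bytes matched. */
int safe_verify(const char *expected, const char *supplied)
{
    size_t expected_len = strlen(expected);
    if (strlen(supplied) != expected_len)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample responses: empty, a 4-char prefix, a wrong 4-char
     * value, and the full correct digest. */
    const char *cases[] = { "", "0123", "ffff", EXPECTED_DIGEST };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("response=\"%s\"  vulnerable=%d  safe=%d\n",
               cases[i],
               vulnerable_verify(EXPECTED_DIGEST, cases[i]),
               safe_verify(EXPECTED_DIGEST, cases[i]));
    }
    return 0;
}
```

    The first two rows of the printed table are the point of the quote: the vulnerable check accepts both "" and "0123", while the length-fixed check accepts only the complete digest. Any server-side credential or MAC check should follow the second shape: length decided by the server, length mismatch rejected, comparison in constant time.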
  34. Tomi Engdahl says:

    IMPACT

    The AMT ports are usually not visible to the public Internet. One researcher was quoted saying there are “only” 7000 servers on the public Internet that this affects. However, the security impact on internal networks and with respect to insider threats and malware is massive. The most critical business processes and most critical data in organizations run on servers affected by this. This compromises both the confidentiality and integrity of the data as well as software (including operating systems, privileged processes, and encryption software) on the systems. This enables installing persistent threats on the affected systems, such as malware, virtualized rootkits, or disk drive firmware malware. It is perfect for large-scale cyberwarfare.

    Source: https://www.ssh.com/vulnerability/intel-amt/

    Reply
  35. Tomi Engdahl says:

    Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)
    https://mattermedia.com/blog/disabling-intel-amt/

    Reply
  36. Tomi Engdahl says:

    SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
    http://caslab.csl.yale.edu/workshops/hasp2016/HASP16-09_slides.pdf

    Reply
  37. Tomi Engdahl says:

    Intel’s Management Engine is a security hazard, and users need a way to disable it
    https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

    Intel’s CPUs have another Intel inside.

    Since 2008, most of Intel’s chipsets have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

    Reply
  38. Tomi Engdahl says:

    Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls
    https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

    Microsoft’s security team has come across a malware family that uses Intel’s Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

    Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer’s networking stack, so local firewalls or security products won’t be able to detect or block the malware while it’s exfiltrating data from infected hosts.

    Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

    Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

    Reply
  39. Tomi Engdahl says:

    Intel AMT bug bit Siemens industrial PCs
    Patches issued for 38 products, plus bonus Web portal bug-fix
    https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/

    You don’t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.

    The bug in Intel’s Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in processors since 2010.

    In Siemens’s case, 38 product series use vulnerable Intel chipsets (the company lists them in this PDF). They include SIMATIC industrial PCs, SINUMERIK control panels and SIMOTION P320 PCs.

    The company has shipped patches for the SIMATIC PCs, but is still working on the control panel products.

    https://support.industry.siemens.com/cs/document/109747626/updating-the-intel-management-engine-bios-extension-for-simatic-ipcs-and-simatic-field-pgs?dti=0&lc=en-WW

    Reply
  40. Tomi Engdahl says:

    Intel ME controller chip has secret kill switch
    Researchers find undocumented accommodation for government customers
    https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

    Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

    Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

    If compromised, it becomes a backdoor, giving an attacker control over the affected device.

    That possibility set off alarms in May, with the disclosure of a vulnerability in Intel’s Active Management Technology, a firmware application that runs on the Intel ME.

    The revelation prompted calls for a way to disable the poorly understood hardware. At the time, the Electronic Frontier Foundation called it a security hazard. The tech advocacy group demanded a way to disable “the undocumented master controller inside our Intel chips” and details about how the technology works.

    An unofficial workaround called ME Cleaner can partially hobble the technology, but cannot fully eliminate it.

    On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.

    HAP stands for high assurance platform. It’s an IT security framework developed by the US National Security Agency.

    Disabling Intel ME 11 via undocumented mode
    http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

    Reply
  41. Tomi Engdahl says:

    Deep dive into Intel Management Engine disablement
    https://puri.sm/posts/deep-dive-into-intel-me-disablement/

    Starting today, our second generation of laptops (based on the 6th gen Intel Skylake platform) will now come with the Intel Management Engine neutralized and disabled by default. Users who already received their orders can also update their flash to disable the ME on their machines.

    In this post, I will dig deeper and explain in more detail what this means exactly, and why it wasn’t done before today.

    Think of the ME as having 4 possible states:

    Fully operational ME: the ME is running normally like it does on other manufacturers’ machines (note that this could be a consumer or corporate ME image, which vary widely in the features they ‘provide’)
    Neutralized ME: the ME is neutralized/neutered by removing the most “mission-critical” components from it, such as the kernel and network stack.
    Disabled ME: the ME is officially “disabled” and is known to be completely stopped and non-functional
    Removed ME: the ME is completely removed and doesn’t execute anything at any time, at all.

    Reply
