Intel Finally Patches Critical AMT Bug (Kinda)

FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

The press has made a lot of noise about this, and it IS serious, but mainly for corporate network workstations, high-end corporate laptops (like Lenovos) and servers.

This was already a big concern last year and I think I posted my recommendation at the time which is to NEVER use the primary on-board LAN interface on an Intel board. On both my workstation and gaming PC I have a PCI-E LAN card installed and I use that instead. If you have two LAN interfaces on your mobo, use the secondary (non-intel) one.

I also never install the Intel Management Engine Driver. This installs a background service. Not having the IME driver installed alone doesn't totally help, because it's just an OS interface to the AMT and the AMT is embedded in the Intel mobo chipset as microcode in the BIOS, and (most concerning) it runs its own little server and can see into all system memory and monitor LAN traffic. Again, that's all mitigated by just not using the primary LAN interface.

Those of you responsible for running server-grade motherboards, however, should read up on this and should either do what I recommend above, or check to see if there's a recent firmware update for the mobo that fixes this (however, there's no guarantee that it won't be exploited again someday, so I would still use a secondary NIC if you're not actually using AMT). Generally only large corporate networks use AMT and you have to have some kind of desktop management software installed (Altiris, LANDesk, MS ConfigMgr).

https://www.darknet.org.uk/2017/05/inte ... bug-kinda/

How To Find Intel® vPro™ Technology Based PCs
https://communities.intel.com/docs/DOC-5693

From Steve Gibson's show notes in the last Security Now episode:
"So this is essentially a built-in, hardware based, Ring -3 Rootkit that we have been hoping didn't have any problems and wouldn't get hacked. On newer systems, ME cannot be disabled. And it operates completely out-of-band, the OS can't even scan ME to see if it's been compromised and can't disinfect a hacked ME chip."

Intel rates this as CRITICAL and remotely exploitable.

Wikipedia's page has already been updated:
"Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them. Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents. Intel has confirmed and patched a Remote Elevation of Privilege bug (CVE-2017-5689) in its Management Technology, on 1st May 2017. Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)."

Wikipedia also notes: "Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with Intel Core vPro processor family, including Intel Core i3, i5, i7, and Intel Xeon processor E3-1200 product family."

<Intel quote> "There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs."

The vulnerability is BOTH remotely and locally exploitable.

LINKS:
How-To Geek: "How to Remotely Control Your PC (Even When it Crashes)"
https://www.howtogeek.com/56538/how-to- ... t-crashes/
How To Find Intel® vPro™ Technology Based PCs
https://communities.intel.com/docs/DOC-5693
http://semiaccurate.com/2017/05/01/remo ... platforms/
https://security-center.intel.com/advis ... geid=en-fr
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "


Re: Intel Finally Patches Critical AMT Bug (Kinda)

Post by FlyingPenguin »

According to Intel it really should only be servers and workstations that are affected. You would see "vPro" on the Intel processor badge.

They also provide a Detection tool you can run to see if your system is vulnerable to the exploit.

https://downloadcenter.intel.com/download/26755

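A worked check for the two points raised in this thread (the first post's note that AMT runs its own server out-of-band on the Intel NIC, and the second post's pointer to Intel's detection tool), as an added example that is not from the forum posts, Intel, or Security Now. AMT's built-in HTTP listener sits on TCP 16992 (16993 for TLS) and, in my experience, answers with a "Server: Intel(R) Active Management Technology <version>" header; treat that banner format as an assumption if your firmware differs. The version ranges it flags are exactly the ones in the Intel text quoted above (6.x through 10.x, 11.0, 11.5, 11.6). The sample responses and the host list in the usage line are constructed for illustration.

```python
"""Probe a host for Intel AMT's out-of-band HTTP listener and triage the firmware
version it reports against the branches Intel lists for CVE-2017-5689.

Added example, not code from the forum post or from Intel. Assumptions: AMT
answers on TCP 16992 and its replies carry a
"Server: Intel(R) Active Management Technology <version>" header; the sample
responses below are constructed.
"""
import re
import socket
import sys

AMT_HTTP_PORT = 16992   # AMT web UI / WS-Management over plain HTTP
AMT_HTTPS_PORT = 16993  # same service over TLS (not probed here)

# Branches named in the Intel advisory text quoted in the post.
AFFECTED_MAJORS = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}

SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s+([0-9.]+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_version(http_response: str):
    """Return the firmware version from AMT's Server banner, or None if absent."""
    m = SERVER_RE.search(http_response)
    return m.group(1) if m else None


def in_affected_range(version: str) -> bool:
    """True if the version sits in a branch Intel listed as affected.

    Caveat: Intel shipped fixed builds inside those same branches, so a match
    means "possibly vulnerable, confirm the build with Intel's detection tool",
    not "confirmed vulnerable".
    """
    parts = version.split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return False
    if major in AFFECTED_MAJORS:
        return True
    return major == 11 and minor in AFFECTED_11_MINORS


def triage(http_response: str):
    """Classify one raw HTTP response as (version, status)."""
    version = parse_amt_version(http_response)
    if version is None:
        return None, "no-amt-banner"
    if in_affected_range(version):
        return version, "in-affected-range"
    return version, "outside-affected-range"


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 3.0) -> str:
    """Send a minimal GET to the AMT listener and return the raw response.

    Returns "" when nothing answers, which is what you should see if the probe
    reaches the box through a NIC the ME is not attached to (the post's
    mitigation) or if AMT is unprovisioned.
    """
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return ""
    return b"".join(chunks).decode("latin-1", errors="replace")


# Constructed sample responses, shaped like a 401 from the AMT web UI.
SAMPLE_AFFECTED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Intel(R) Active Management Technology 9.0.1\r\n"
    'WWW-Authenticate: Digest realm="Digest:example", nonce="example", qop="auth"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NEWER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Intel(R) Active Management Technology 11.8.50.3425\r\n\r\n"
)
SAMPLE_NOT_AMT = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_NEWER, SAMPLE_NOT_AMT):
        print(triage(sample))
    # Live use (hosts are placeholders): python amt_probe.py 192.0.2.10 192.0.2.11
    for host in sys.argv[1:]:
        print(host, triage(probe(host)))
```

Run it twice against the same machine, once via the on-board Intel NIC's address and once via the add-in card's address: the first post's mitigation is working if only the former returns a banner. A version match is a trigger to run Intel's detection tool, not a verdict, because patched builds share the same major.minor numbers.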