Background on CVE-2017-5689/VU-491375/INTEL-SA-00075 (Intel AMT)

June 17, 2017

[Note: We’re going to try and post a blog entry for major firmware vulnerabilities that impact enterprises, and the recent Intel AMT vulnerability seems like a good place to start.]

Technology Overview:

Quoting Wikipedia, “Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them. Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents.”

Intel AMT is a firmware technology that runs on the Intel ME processor. AMT is normally enabled on servers, but some ‘business-class’ desktops/laptops – such as ThinkPads – also use AMT.

AMT is active even when the operating system is shut down and the power switch is off: as long as the system has a power supply, AMT can be running.

AMT can be remotely administered. If there is a network connection, AMT may be sending network traffic. Normally AMT is considered an Ethernet-centric technology, but it appears there are scenarios in which AMT also uses WiFi.

The Intel ME processor cannot be disabled with tools from Intel. Intel AMT may be disabled in the boot menu.

Vulnerability Background:

Maksim Malyutin of Embedi located the vulnerability.

Tenable also ‘rediscovered’ the vulnerability. Both Embedi and Tenable have good technical descriptions of the vulnerability.

The AMT code has a string copy function to check the remote user’s password, and they don’t check the return code, so ANY password will work for ANY user.
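A model of this class of flaw, as an added example (not Intel's firmware code and not from the original post, which does not show the code): it assumes the check compares over a length taken from the supplied value, one way a comparison ends up accepting input it should reject, and sets it beside a hardened comparator with a small regression table. All function names and the sample digest are constructed.

```c
#include <stddef.h>
#include <string.h>

static const char EXPECTED[] = "0123456789abcdef0123456789abcdef"; /* constructed */

/* Flawed model (assumption): the compare length is taken from the supplied
 * value, so an empty or truncated value is checked over too few bytes. */
int check_flawed(const char *expected, const char *supplied, size_t supplied_len)
{
    return strncmp(expected, supplied, supplied_len) == 0;
}

/* Hardened: lengths must match exactly, then compare every byte without an
 * early exit so timing does not reveal where the first mismatch is. */
int check_hardened(const char *expected, size_t expected_len,
                   const char *supplied, size_t supplied_len)
{
    unsigned char diff = 0;
    if (supplied == NULL || supplied_len != expected_len)
        return 0;                       /* fail closed */
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

/* Regression table (constructed): only the first entry may ever be accepted. */
static const char *CASES[] = {
    "0123456789abcdef0123456789abcdef",   /* correct value */
    "",                                   /* empty */
    "0123",                               /* truncated prefix */
    "ffffffffffffffffffffffffffffffff",   /* wrong, same length */
};

/* Returns how many table entries the chosen comparator accepts. */
int count_accepted(int hardened)
{
    int accepted = 0;
    for (size_t i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        size_t n = strlen(CASES[i]);
        accepted += hardened ? check_hardened(EXPECTED, sizeof EXPECTED - 1, CASES[i], n)
                             : check_flawed(EXPECTED, CASES[i], n);
    }
    return accepted;
}

int main(void)
{
    return count_accepted(1) == 1 ? 0 : 1;   /* exit 0 when only the correct value passes */
}
```

Keeping the negative cases (empty, truncated, wrong value of the right length) in a test table is what catches this kind of defect before release, since the correct-password path works in both versions.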

Mitigations:

* Read list of mitigations from Intel and US-CERT.
* Get latest AMT software update from Intel/vendor.
* Check Intel announcement for tools to detect and disable.
* Disable AMT.
* If using AMT, question the need to use it.
* Disable AMT in network environments where you cannot fully control the network traffic (e.g., mobile AMT-enabled laptop at external WiFi hotspot).
* Consider some non-Intel community tools to check AMT and ME status.
* Isolate any AMT network traffic from public Internet (possible with Ethernet, perhaps not possible with WiFi-enabled business-laptops when roaming, e.g., coffee shop).
* Set corporate policy regarding AMT use (update policy, disable/enable status).

Beyond the Intel tool, there are some untested community tools that might be helpful. Beyond detecting current status/information, some of these community tools have features to attempt to disable AMT and/or ME, which may or may not work. Ask your vendor and local hardware expert before touching any of the non-readonly features; they may brick your system if you are not very careful.

Intel AMT aside, if your enterprise uses IPMI, or DMTF SMASH, DMTF DASH, DMTF Redfish, HP iLO, Dell DRAC, IBM Remote Supervisor Adapter, AMI MegaRac, or similar network-enabled OOB pre-OS technologies, you should also check for the latest software, and ensure that their network traffic is isolated from attackers.

More Information:

Technology background:

Information from the security researcher who discovered the vulnerability:

Information from Intel, including tools:

Subset of community tools:

Selected subset of other sources of information: