Fix Those Pesky Hacking Holes in Intel AMT

FrgMstr

Last week Intel let us all know that its Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability products have an "elevation of privilege" issue that basically allows a "hacker" to enter a blank password into the AMT's web browser interface. This is obviously an issue; however, Intel has stated that it is not a problem with consumer-based PCs. So all you admins take notice!

There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs with consumer firmware, Intel servers utilizing Intel® Server Platform Services (Intel® SPS), or Intel® Xeon® Processor E3 and Intel® Xeon® Processor E5 workstations utilizing Intel® SPS firmware.

Head over and check out Intel's Detection Guide as well as an identification tool.

The INTEL-SA-00075 Discovery Tool can be used by local users or an IT administrator to determine whether a system is vulnerable to the exploit documented in Intel Security Advisory INTEL-SA-00075. It is offered in two versions.
 
My Dell 2012 R2 server comes up with a status of "Unknown" with the Discovery Tool.
Thanks Intel, that was helpful.

 
My Latitude E6420 shows vulnerable (it's obviously business-class hardware), but I already knew that. The question now is whether or not Dell will give enough of a damn for such older hardware to release the patch once Intel creates it.
 
While I am not condoning use of this tool.....

http://www.majorgeeks.com/files/details/disable_intel_amt.html

Disable Intel AMT is a portable batch file to turn off a known Intel Active Management Technology (AMT) vulnerability with many Intel chipsets in Windows. Video guide available. On 02 May 2017, "Embedi" discovered "an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products". Well, that was wordy! In other words, the short version is that your machine may be vulnerable to hackers due to a vulnerability with your Intel processor. While we expect Intel to address this issue, for now, this will patch the vulnerability.
 
The Disable AMT executable gives me this in the log, so looks like it's good.

2017-05-07 22:37:20:(ERROR) : ACU Configurator , Category: Error message: The Intel(R) Management Engine Interface driver is not installed or cannot be accessed. (0xc000001f)
2017-05-07 22:37:20:(WARN) : ACU Configurator, Category: Exit: ***********Exit with code 2 - Intel(R) AMT is already unconfigured on this system.

Thanks Kyle!

 
I really want to see if these repair tools are logging in with the exploit then fixing it. I'm sure none of the intelligence agencies touched this exploit... For that matter they could have just enabled it to gain access.
 
Tried to run it on two PCs and it crashes right away. Not sure what that indicates. I'm going to try a few more and see if it works. AFAIK we never enabled this and it came disabled from the factory.
 
Tried to run it on two PCs and it crashes right away. Not sure what that indicates. I'm going to try a few more and see if it works. AFAIK we never enabled this and it came disabled from the factory.
Same issue here--both the command-line and GUI utilities crash for me.
 
Intel has stated that it is not a problem with consumer based PCs.

I really wish I knew what this meant, considering our Dell OptiPlex and Latitudes are affected.
Surely they don't use a different CPU or chipset than the Inspiron series.
 
Consumer would mean Inspiron and Dimension models, which are unaffected.

Optiplex and Latitudes are business line. So are Precisions.

That said...the only models I've found in my environment that are affected have been Latitude E5430s, and HP EliteBook 9470ms that were both 3rd generation i5s.

Older and newer systems have been either unknown, or have said they weren't affected.

We don't use AMT here, and I don't foresee Dell or HP rushing to update 5 year old hardware. So, I'll look into disabling.
 
Are the machines actually vulnerable, or only impacted due to having the vulnerable ME firmware version?
Intel has been extremely unclear on what's actually necessary to exploit the vulnerability.

E.g., our fleet has the feature enabled in the BIOS. But it was never configured. There are also about 200 machines with the software running, and therefore the LMS service running.
Yet, I am unable to connect to any of the documented ports; both remotely and locally. Though Intel's own discovery utility for detecting the vulnerability says we're vulnerable.

Wording from the tool is stupid:
Based on the version of the ME, the System is Vulnerable.
 
From what I'm able to tell, you have to have a vulnerable version of ME, the AMT software installed, and the LMS service enabled. It would seem that, as we don't use AMT, and the few computers that have a vulnerable system have no LMS, we should be OK.

But I worry about the servers and other systems that show unknown.
 
All my newer server hardware, and all the Dell and HP gear, show as vulnerable.

But, as they are all running XP or XP64server, they aren't on the open interweb anymore. :)

So, no real probs for me; hell, I'll use it.
 
Dell Precision T3500 with X5672 shows "unknown."
 
From what I'm able to tell, you have to have a vulnerable version of ME, the AMT software installed, and the LMS service enabled. It would seem that, as we don't use AMT, and the few computers that have a vulnerable system have no LMS, we should be OK.

But I worry about the servers and other systems that show unknown.

It appears that you also need to have configured AMT.
It may not be vulnerable simply by being enabled; regardless of the LMS service.

We have 200 some machines left that did get the software installed, and so have the service running.
The couple I spot checked, while netstat showed they were listening on 16992 and 623, these ports were not actually accessible remotely or locally.
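The check the posters above did by hand (look for 16992 and 623 in netstat, then see whether the port actually accepts a connection) as one small script. This is an added example, not from the thread, from Intel, or from the DisableAMT tool; the netstat sample is constructed, and the ports beyond 16992 and 623 are the usual AMT management set, which you should confirm against Intel's mitigation guide before relying on the list.

```python
"""Defender-side check for Intel AMT/ISM listeners on a host (added example).

Two steps the thread does manually: parse `netstat -an` output for the
management ports AMT exposes, then probe each one on the local host so a
"LISTENING" line can be told apart from a port that really accepts connections
(the poster above saw ports listed but not reachable).
"""
import re
import socket

# AMT/ISM management ports: 16992/16993 web UI and WS-Management over
# HTTP/HTTPS, 16994/16995 redirection (SOL/IDE-R), 623/664 RMCP-style.
# 16992 and 623 are the two named in the thread; the others are the standard
# AMT set (assumption: verify against Intel's mitigation guide).
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

# Matches Windows "  TCP  0.0.0.0:16992  0.0.0.0:0  LISTENING" lines and
# Linux "tcp  0  0 0.0.0.0:623  0.0.0.0:*  LISTEN" lines (IPv4 or IPv6).
_LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?"      # proto, optional Linux recv/send queues
    r"(?P<addr>\S+):(?P<port>\d+)\s+"     # local address:port
    r"\S+\s+LISTEN(?:ING)?\b",            # foreign address, then state
    re.IGNORECASE,
)


def amt_listeners(netstat_output: str) -> list[tuple[str, int]]:
    """Return (local_address, port) for every LISTEN entry on an AMT port."""
    found = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group("port")) in AMT_PORTS:
            found.append((m.group("addr"), int(m.group("port"))))
    return found


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(netstat_output: str, host: str = "127.0.0.1", probe=probe_port) -> dict[int, bool]:
    """Map each AMT port netstat reports as listening to whether it is reachable.

    `probe` is injectable so the logic can be exercised without live sockets.
    """
    return {port: probe(host, port) for _, port in amt_listeners(netstat_output)}


# Constructed Windows `netstat -an` excerpt for the demonstration; the AMT
# ports here are invented sample data, not output from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     192.168.1.5:445        ESTABLISHED
  TCP    [::]:16993             [::]:0                 LISTENING
"""


if __name__ == "__main__":
    # Offline: which AMT ports does the sample say are listening?
    print("AMT listeners in sample:", amt_listeners(SAMPLE_NETSTAT))
    # Live (if run on a real host): feed it your own `netstat -an` output and
    # the dict shows which of those ports actually accept a local connection.
    print("Reachable on this host:", assess(SAMPLE_NETSTAT))
```

Feed the script the output of `netstat -an` from the machine in question; a port that netstat lists but the probe reports unreachable matches what the poster above saw, and a port the probe can reach is the one to take to the mitigation guide. The parser is exercised offline through the constructed sample, so the script runs on a machine with no AMT at all.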
 
... these ports were not actually accessible remotely or locally.

Anyone that allows random ports to talk is just asking for trouble; it's amazing how much Crap wants to phone home...
 
That DisableAMT tool thing doesn't have an effect on my Latitude E6420, at least as far as Intel's diagnostic tool is concerned; it seems to say I'm still vulnerable, but I don't know if it says that simply because this chipset of mine is one of the vulnerable ones and it's not checking to see whether the AMT is enabled or not. Who knows.
 
That DisableAMT tool thing doesn't have an effect on my Latitude E6420, at least as far as Intel's diagnostic tool is concerned; it seems to say I'm still vulnerable, but I don't know if it says that simply because this chipset of mine is one of the vulnerable ones and it's not checking to see whether the AMT is enabled or not. Who knows.

The Intel tool is absolutely useless.
It reports: Based on the version of the ME, the System is Vulnerable.

It only looks at the version of Management Engine to determine whether or not the system is vulnerable. Yeah, it's shit since that's all it looks at.
 