Intel AMT Vulnerability (CVE-2017-5689)

What is CVE-2017-5689?

CVE-2017-5689 is a vulnerability in the Intel Active Management Technology. It allows an unprivileged network attacker to gain system privileges to provisioned Intel manageability SKUs like Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on AMT, ISM and Intel Small Business Technology (SBT).1

Note that only AMTs with firmware version 6.x and above are affected.

Intel describes AMT as a feature of Intel Core processors with VPro technology and Intel Xeon processors. This feature allows IT or managed service providers to better discover, repair and protect their networked computing assets.2

How to detect if I am affected?

Well, there are different ways to check if you are detected, but I would go with them all. First: Intel has released a detection guide for this issue: https://downloadcenter.intel.com/download/26755

But sadly their detection tool runs only on Windows 7 and Windows 10. So here are other ways to detect if you are affected by it:

One way is to check for the right chipset. You can search in lspci for the following buzzwords:

  • MEI
  • KT
  • IDER
  • HECI

But this alone, is not a garantuee. It is possible that lspci has problems with detecting one of those and even if you have one of those they can be disabled (so no need for panic).

Another way is to simply check your bios for this feature. You can do this in the BIOS settings or via dmidecode and searching for your processor on some Intel pages or the web.

If you want to scan your personal network for devices with this vulnerability you can use nmap for it:

nmap -p16992,16993,16994,16995,623,664 <target range>

this doesn’t include the host who runs nmap

This will scan for open ports, because if AMT is enabled correctly it will spawn a webserver on one of these ports.3

There is also a CVE-2017-5689 detector written in python:

https://github.com/CerberusSecurity/CVE-2017-5689

Some companies have also released security bulletins:

AMT is also a part of the following chipsets:

Q57, Q67, Q77, Q87, Q170, Q65, B65, Q75, B75, Q85, B85, Q150, B150, Q250, B250.

Matthew Garret wrote more about this vulnerability: https://mjg59.dreamwidth.org/48429.html

He has also created a tool for linux that detects Intel AMTs: https://github.com/mjg59/mei-amt-check

How to mitigate this?

Intel has released a mitigation guide for this vulnerability: https://downloadcenter.intel.com/download/26754

Another way is to disable it in the BIOS or with pressing CTRL+P while booting when the AMT message is displayed.

How does the vulnerability look like in detail?

The company emedi has released their proof of concept for CVE-2017-5689:

https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf


445 Words

2017-05-05 12:13 +0000