
Intel AMT, continued

Matthew Garrett has a new tool to check for AMT on Linux:

If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689. Disable AMT in your system firmware.

https://github.com/mjg59/mei-amt-check

A little bird told me some info about Intel AMT and Linux:

* Some BMC/IPMI devices also listen on port 623 because they support the same asf-rmcp protocol. So if you are using nmap to scan networks you may see false positives from these devices.

* The Intel OpenAMT tool can be used on Linux to determine if AMT is enabled. The procedure is something like:
  * build with: ./configure;make
  * on the system to test, load the mei modules with: modprobe mei-me
  * run the src/lms binary (only uses standard libraries, no need to ‘make install’)
  * check daemon.log; if AMT is not enabled, the log should contain something like “LMS: Cannot connect to Intel AMT via MEI driver”
  * clean up by killing the running lms process, removing the lms binary, and unloading the mei modules: rmmod mei-me mei
https://sourceforge.net/projects/openamt/

* On Linux, blacklisting the mei-me/mei modules will prevent local access to AMT, but doesn’t help if it’s already enabled.
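
The log check and the blacklist check from the notes above, as an added example (not code from OpenAMT or from the original post). The function names are hypothetical, and treating any LMS log line other than the quoted one as "inconclusive" is an assumption, since only the "not enabled" message is given here.

```bash
#!/usr/bin/env bash
# Added example: triage helpers for the LMS log check and the mei blacklist.
# Function names are hypothetical; pass the log file and modprobe.d directory in.

# Message quoted in the post for the "AMT not enabled" case.
LMS_NOT_ENABLED='LMS: Cannot connect to Intel AMT via MEI driver'

# lms_amt_status LOGFILE -> prints not-enabled | inconclusive | no-lms-output
lms_amt_status() {
    local log="$1"
    if [ ! -r "$log" ] || ! grep -q 'LMS:' "$log"; then
        echo "no-lms-output"   # lms never logged here: rerun it before concluding
    elif grep -qF "$LMS_NOT_ENABLED" "$log"; then
        echo "not-enabled"
    else
        echo "inconclusive"    # assumption: any other LMS line means "look closer"
    fi
}

# mei_blacklisted DIR -> exit 0 only if both mei and mei-me are blacklisted
# in DIR/*.conf. modprobe treats '-' and '_' in module names as equivalent.
mei_blacklisted() {
    local dir="$1" mod
    for mod in mei 'mei[-_]me'; do
        grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*(#.*)?$" \
            "$dir"/*.conf || return 1
    done
}

# triage LOGFILE MODPROBE_DIR -> one-line summary combining both checks.
# A blacklist only blocks local access, so it never overrides the LMS result.
triage() {
    local status bl=no
    status="$(lms_amt_status "$1")"
    mei_blacklisted "$2" && bl=yes
    case "$status:$bl" in
        not-enabled:*) echo "AMT not enabled (LMS); mei blacklisted=$bl" ;;
        *:yes) echo "mei blacklisted, but AMT state is $status: check firmware setup" ;;
        *) echo "AMT state is $status; mei blacklisted=$bl" ;;
    esac
}

# Stand-alone use: script.sh /var/log/daemon.log /etc/modprobe.d
if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

Run it after the `lms` step and before unloading the modules, so the log still reflects the test.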


Intel AMT story, continued

A little bit more (warning: a few of these are related to Intel ME hardware, not Intel AMT firmware):

Rumor has it that OpenAMT can also be used for AMT detection:
https://sourceforge.net/p/openamt/wiki/Home/

AMT advisory from ASUS:
https://www.asus.com/News/uztEkib4zFMHCn5r

http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/

https://community.rapid7.com/community/nexpose/blog/2017/05/11/on-the-lookout-for-intel-amt-cve-2017-5689

http://www.govinfosecurity.com/intels-amt-flaw-worse-than-feared-a-9901

Is Intel’s Management Engine Broken?

 


Intel AMT story, continued

https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

https://github.com/CerberusSecurity/CVE-2017-5689

https://github.com/chipsec/chipsec/issues/212

https://support.lenovo.com/us/en/product_security/len-14963

http://en.community.dell.com/support-forums/laptop/f/3518/p/20011922/20995860

http://en.community.dell.com/techcenter/extras/m/white_papers/20443914

http://en.community.dell.com/techcenter/extras/m/white_papers/20443937

https://support.hp.com/us-en/document/c05507350

https://community.qualys.com/thread/17263-qids-or-scanning-advice-for-intel-amt-sa-00075

https://www.tenable.com/sc-dashboards/intel-sa-00075-detection

https://www.tenable.com/blog/intel-amt-vulnerability-detection-with-nessus-and-pvs-intel-sa-00075

https://vuldb.com/?id.100794

Intel AMT chip bug suspected backdoor, but likely coding error
[…]Some researchers accused the vulnerability of being a backdoor. Tatu Ylonen, the inventor of the Secure Shell protocol told SC Media Charlie Demerjan, the researcher who spotted the flaw, claims to have been in discussions over the bug with Intel for years urging them to fix it. “If his claim is true (I have no reason to doubt it but have no independent evidence), then it begins to sound very much like a backdoor,” Demerjan said. “I mean, if someone knows their product has a vulnerability that undermines the security of pretty much every enterprise server in the world and most security tools, wouldn’t they want to disclose it to the government, one of their biggest customers?”[…]

https://www.scmagazine.com/intel-amt-flaw-likely-just-coding-error/article/655449/

[…]What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option.

http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed


Intel AMT story, continued

Business-class personal computers *ARE* impacted.

 

There is an Nmap module for AMT now:

https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse

http://thehackernews.com/2017/05/intel-amt-vulnerability.html

https://www.ssh.com/vulnerability/intel-amt/

https://github.com/bartblaze/Disable-Intel-AMT

https://github.com/travisbgreen/intel_amt_honeypot

https://isc.sans.edu/forums/diary/Do+you+have+Intel+AMT+Then+you+have+a+problem+today+Intel+Active+Management+Technology+INTELSA00075/22364/


Intel AMT story, continued

https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

https://downloadcenter.intel.com/download/26755

http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf


a bit more on the Intel AMT story…

http://www.kb.cert.org/vuls/id/491375

https://mattermedia.com/blog/disabling-intel-amt/

 

“Recently there was a branch of news and comments on Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege – INTEL-SA-00075 (CVE-2017-5689). Maksim Malyutin, a member of our Embedi research team, was first to discover this vulnerability. There has been a lot of disinformation presented as “fact” and a tremendous amount of baseless assumptions being floated around by some media outlets ever since the news was released. Intel representatives have asked Embedi to hold off on disclosing any technical details regarding this issue until further notice. The vulnerability is a serious threat and the prevention measures from exploitation is a timely process for users – timely, but necessary.[…]”

https://www.embedi.com/news/mythbusters-cve-2017-5689

http://thehackernews.com/2017/05/intel-server-chipsets.html
