Intel AMT security best practices

May 30, 2019 ~ hucktech ~ Leave a comment

Instead of the ‘disable it and presume everything is fine’ approach, I’ve been looking around for something like an Intel AMT/ME Security Best Practices document, to help sysadmins (and end users) secure that processor as much as possible. A friend at Intel found this, closest-fit document, with AMT configuration information, that is interesting to read. First released in 2015, last updated Janurary 2019.

Deployment GUIDE
Intel® Setup and Configuration Software (Intel® SCS)

This deployment guide is an instructional document providing simple steps to enable the discovery, configuration and maintenance of Intel® Active Management Technology (Intel® AMT) platforms using Intel® Setup and Configuration Software (Intel® SCS). Intel® AMT operates independently of the CPU and the firmware is delivered in an un-configured state. Intel® SCS is provided by Intel to support the setup and configuration of the firmware for the target environment and enable remote, out-of-band access to Intel® AMT features. Guidance is provided to enable a baseline implementation of Intel® AMT and identifies common configuration settings to support an enterprise deployment that take advantage of the manageability and security features available on platforms that support Intel® AMT and Intel® Standard Manageability. After configuration, Intel® AMT systems can be remotely managed by products, toolsets and solutions including Microsoft System Center Configuration Manager, Microsoft PowerShell, and Intel® Manageability Commander.

Click to access Intel_SCS_Deployment_Guide.pdf

The Death Metal Suite: a toolkit designed to exploit Intel AMT’s legitimate features

April 10, 2019 ~ hucktech ~ Leave a comment

“DeathMetal is a suite of tools that interact with Intel AMT…a foray into a world filled with intrigue & reversing puzzles with useful results.
Since this is super serious, tools are named after Metalocalypse characters.”
Good stuff ⁦@coalfirelabs⁩ https://t.co/ZDt0d3RPjW

— Russ McRee (@holisticinfosec) April 10, 2019

Weaponizing AMT with Python – https://t.co/VBodemIO2u

— Victor Teissler (@VTeissler) April 9, 2019

[…]Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes, inadvertently allows these features to be used by hackers for surreptitious persistence. This is because many of the legitimate features violate the expectations of sysadmins and endpoint protection software. I liken AMT to “lolbins,” which is a short form of “living off the land binary,” but instead of operating at a software level, Death Metal operates from a hardware level. With the Death Metal suite, we are essentially misusing and abusing mainstream commercial functionality in unexpected ways. Within the information security community, attacks against AMT itself are not news; however, Death Metal will introduce new ways to begin attacking the AMT framework in a practical, red-team fashion.[…]

https://github.com/Coalfire-Research/DeathMetal/blob/master/README.md

https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite

Intel-SA-00112: Q1’18 AMT 9.x/10.x/11.x Security Review Cumulative Update

July 11, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/11/intel-releases-a-dozen-new-security-advisories/

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience. As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.[…]

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html

MeshCmd: new Intel AMT command line tool

March 23, 2018 ~ hucktech ~ Leave a comment

Intel has a new AMT command line tool — not a GUI! — for Windows and Linux:

https://software.intel.com/en-us/blogs/2018/03/22/meshcmd-new-intel-amt-command-line-tool

http://www.meshcommander.com/

Lenovo: Intel AMT MEBx Access Control Bypass

February 10, 2018 ~ hucktech ~ Leave a comment

Intel Active Management Technology MEBx Access Control Bypass
2018-02-08
Initial Release

Scope of Impact: Industry-wide
Lenovo Security Advisory: LEN-19568
Potential Impact: Remote access and control
Severity: Critical

Intel has issued an advisory for Intel vPro Active Management Technology (AMT) to all system manufacturers. The Intel AMT default configuration has weak security around the Management Engine BIOS Extension (MEBx) password.[…]

ThinkPad – Updates coming soon
ThinkServer- Researching

https://support.lenovo.com/us/en/solutions/LEN-19568

https://sintonen.fi/advisories/intel-active-management-technology-mebx-bypass.txt

https://www.intel.com/content/www/us/en/support/articles/000020917/software/manageability-products.html

Click to access Intel_AMT_Security_Best_Practices_QA.pdf

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html

F-Secure: new Intel AMT security issue

January 12, 2018 ~ hucktech ~ Leave a comment

NEW RESEARCH: Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptopshttps://t.co/gYJrFoyxL1 https://t.co/Z8oJhpoBc7

— WithSecure™ (@WithSecure) January 12, 2018

https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally. The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”[…]

Intel MeshCommander (AMT tool): now available for Mac and Linux (not just Windows)

January 9, 2018 ~ hucktech ~ Leave a comment

Meshcommander is an Intel AMT tool from Intel. Previously, I thought it was a Windows-only thing, but the current release has Linux and Mac support as well as Windows!

https://software.intel.com/en-us/blogs/2018/01/08/meshcommander-for-npm-linux-osx-windows

http://www.meshcommander.com/meshcentral2

http://www.meshcommander.com/meshcommander

https://www.npmjs.com/package/meshcommander

Hack.lu 2017 Intel AMT: Using & Abusing the Ghost in the Machine by Parth Shukla

October 27, 2017 ~ hucktech ~ Leave a comment

Practical AMT provisioning "evil maid" attack and detection/prevention by @pparth of Google's enterprise infra protection team #hacklu https://t.co/jXt8SOrlw5

— Yuriy Bulygin (@c7zero) October 27, 2017

My #hacklu presentation on Intel AMT: Using and Abusing the Ghost in the Machine: https://t.co/OgwSf00bpb @hack_lu

— Parth Shukla (@pparth) October 19, 2017

Intel MeshCentral2 updated with Load Balancer & Peering Support

September 22, 2017 ~ hucktech ~ Leave a comment

Intel has released an updated version of MeshCentral2, an Intel AMT-based management tool for Windows. New version has “server peering” support, which I confess I don’t yet understand what that means, but sounds signficant, something to learn about…

[…]MeshCentral2 is a free open source web-based remote computer management solution allowing administrators to setup new servers in minutes and start remotely controlling computers using both software agent and Intel® AMT. The server works both in a LAN environment and over the Internet in a WAN setup. Now, I just released a new version with support for server-to-server peering allowing for improved fail-over robustness and scaling. Some technical details:

* Servers connect to each-other using secure web sockets on port 443. This is just like browsers and Mesh agents, so you can setup a fully working peered server installation with only port 443 being open.
* Server peering and mesh agent connections use a secondary authentication certificate allowing the server HTTPS public certificate (presented to browser) to be changed. This allows MeshCentral2 peer servers to be setup with different HTTPS certificates. As a result, MeshCentral2 can be setup in a multi-geo configuration.
* All of the peering is real-time. As servers peer together and devices connect to the servers, users see a real-time view on the web page of what devices are available for management. No page refresh required.
* MeshCentral2 supports TLS-offload hardware for all connections including Intel® AMT CIRA even when peering. So, MeshCentral2 servers can benefit from the added scaling of TLS offload accelerators.
* Fully support server peering for Browsers, Mesh Agents and Intel® AMT connections.
* The server peering system does not use the database at all to exchange state data. This boosts the efficiency of the servers because the database is only used for long term data storage, not real time state.
* There is no limit to how many servers you can peer, however I currently only tested a two server configuration.

https://software.intel.com/en-us/blogs/2017/09/21/meshcentral2-load-balancer-peering-support

http://www.meshcommander.com/meshcentral2

Intel AMT developer documentation updated

September 5, 2017 ~ hucktech ~ Leave a comment

Intel has updated documentation on developing for Intel AMT:

https://software.intel.com/en-us/articles/developing-for-intel-active-management-technology-amt

http://www.meshcommander.com/meshcommander

https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander

Intel AMT Upgradable to Vulnerable Firmware

September 5, 2017 ~ hucktech ~ Leave a comment

Intel AMT® Upgradable to Vulnerable Firmware
Intel ID: INTEL-SA-00082
Product family: Intel AMT®
Impact of vulnerability: Elevation of Privilege
Severity rating: Moderate
Original release: Sep 05, 2017
Last revised: Sep 05, 2017

Intel® Active Management Technology, Intel® Standard Manageability, and Intel® Small Business Technology firmware versions 11.0.25.3001 and 11.0.26.3000 can be upgraded to firmware version 11.6.x.1xxx which is vulnerable to CVE-2017-5689 and can be performed by a local user with administrative privileges.This version of firmware can potentially impact Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). Consumer PCs with consumer firmware and data center servers using Intel® Server Platform Services are not affected by this vulnerability. Intel recommends that users contact their system manufacturers for updated firmware which mitigates this issue. This issue was discovered during Intel internal validation.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00082&languageid=en-fr

Embedi on Intel AMT vulnerability

August 24, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/_embedi_/status/900755346595213312

https://embedi.com/news/adventure-final-intel-amt-problem

Click to access HITB_2017.pdf

Intel AMT PoC for CVE-2017-5698

July 28, 2017 ~ hucktech ~ Leave a comment

CVE-2017-5698 (Intel AMT) exploit https://t.co/c6gGBUg0VC

— Dmitriy Evdokimov (@evdokimovds) July 28, 2017

Our slides "Intel AMT. Stealth breakthrough" published! https://t.co/tL3DKpTJHc

— Dmitriy Evdokimov (@evdokimovds) July 28, 2017

Intel AMT authentication bypass example: This is a Proof-of-Concept code that demonstrates the exploitation of the CVE-2017-5689 vulnerability. It is essentialy a mitmproxy script that simply blanks an Authorization header “response” field. Example usage:

mitmdump -p 8080 -dd –no-http2 -s blank_auth_res

https://github.com/embedi/amt_auth_bypass_poc

Look here for presentation and white paper links:
https://www.embedi.com/news/intel-amt-some-new-stealth-vector-attacks-and-good-old-vulnerabilities

Gigabyte update for Intel AMT vulnerability

July 13, 2017 ~ hucktech ~ Leave a comment

https://www.gigabyte.com/Press/News/1562

GIGABYTE Updating BIOS for Q270 and Q170 Series Motherboards in Response to Intel Updates

2017/07/12

Taipei, Taiwan, July 12th, 2017 – GIGABYTE TECHNOLOGY Co. Ltd., a leading manufacturer of motherboards and graphics cards, announces that it is in the process to update BIOS for Q270, Q170, and X170-WS ECC Series Motherboards. Based on latest Intel ME firmware updates, GIGABYTE will update BIOS for Q270 and models of previous chipsets accordingly to ensure the models meet latest security standards. GIGABYTE updated the BIOS for X170, X150, B150 and B250 models that are already available on GBT website. On the other hand, GIGABYTE is also updating Q87, Q85, B85, and other impacted models. The updates will be available shortly on the GBT website. For updates to these Motherboards please visit their respective product pages or speak with your technical support team for assistance. GIGABYTE strives to make sure users receive the best-in-class performance while maintaining the upmost security for all products.

http://techreport.com/news/32237/gigabyte-begins-rolling-out-bios-updates-to-close-intel-amt-hole

GIGABYTE Issues BIOS Update to Fix Intel Manageability Firmware Vulnerability

Intel AMT and JavaScript

July 12, 2017 ~ hucktech ~ Leave a comment

Nice, we can put our own JS in AMT11 now! https://t.co/aYnDo4iGRc

— Igor Skochinsky (@IgorSkochinsky@infosec.exchange) (@IgorSkochinsky) July 12, 2017

Now that Intel® AMT 11.6 is released, it’s finally time to circle back and highlight a big new feature of 11.6 that has been in the works for a long time: Web Storage and the ability for the default Intel® AMT web UI to be replaced. Ever since the start, Intel® AMT has always had a basic web page you could access with any browser. Because it’s all out-of-band, you could access the web page from a browser even if the target computer was soft-off, sleeping or had a non-functioning operating system. Over the last 10 years, the web has come a long way. The built-in Intel® AMT web page offers basic capabilities, but we can do a lot better now with HTML5 and WebSockets.[…]

https://software.intel.com/en-us/blogs/2017/02/13/meshcommander-v044-released

https://software.intel.com/en-us/search/site/language/en?query=AMT

Paul’s Intel AMT overview

July 3, 2017 ~ hucktech ~ Leave a comment

A few days ago, Paul English of PreOS Security wrote a blog post giving an brief overview of the recent Intel AMT vulnerability.

[Note: We’re going to try and post a blog entry for major firmware vulnerabilities that impact enterprises, and the recent Intel AMT vulnerability seems like a good place to start.]

http://preossec.com/blog/2017/06/17/intel-amt-cve/

[Disclaimer: I work with Paul, at PreOS Security.]

Siemens updates for Intel AMT

July 3, 2017 ~ hucktech ~ Leave a comment

Siemens has updated their products for Intel AMT vulnerability:

Apparently Siemens patched Intel AMT vuln Looks like AMT common on industrial controllers /cc @_embedi_ @evdokimovds https://t.co/wnayUJTcIp

— Alex Matrosov (@matrosov) July 2, 2017

Click to access siemens_security_advisory_ssa-874235.pdf

Siemens Patches Critical Intel AMT Flaw in Industrial Products

https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/

Intel AMT Clickjacking Vulnerability (INTEL-SA-00081)

June 9, 2017 ~ hucktech ~ Leave a comment

Today Intel announced a NEW AMT security advisory:

Intel® AMT Clickjacking Vulnerability
Intel ID: INTEL-SA-00081
Product family: Intel® Active Management Technology
Impact of vulnerability: Information Disclosure
Severity rating: Moderate
Original release: Jun 05, 2017

Insufficient clickjacking protection in the Web User Interface of Intel® AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 potentially allowing a remote attacker to hijack users’s web clicks via attacker’s crafted web page. Affected products: Intel AMT firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205. Intel highly recommends that users update to the latest version of firmware available from their equipment manufacturer. Intel would like to thank Lenovo for reporting this issue and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr

More on malware use of Intel AMT

June 9, 2017 ~ hucktech ~ Leave a comment

After the recent Microsoft mention of AMT being used by malware, there is a bit more on the press on AMT:

Just another covert channel (cooperation on both ends required), only with the help of AMT.. But also: unexpected attack surface on the OS! https://t.co/Jz74C6SZFS

— Joanna Rutkowska (@rootkovska) June 9, 2017

Remember that time we showed using AMT SOL for C2 from SMM…? https://t.co/cP8tYtT5hE section 6.2 https://t.co/Fdtrwq59fP

— Xeno Kovah (@XenoKovah) June 9, 2017

https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

Microsoft on malware use of Intel AMT

June 7, 2017 ~ hucktech ~ Leave a comment

PLATINUM attackers can use Intel AMT SOL for stealthy C2 even with network cards disabled. Analysis and demo at https://t.co/Gx5MrfkGe9 pic.twitter.com/JhMJgDzQwE

— Microsoft Threat Intelligence (@MsftSecIntel) June 7, 2017

If you thought the recent Intel AMT security issues was just theoretical, here’s an example of malware using AMT.

https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?platform=hootsuite