Intel AMT Vulnerability (CVE-2017-5689)

What is CVE-2017-5689?

CVE-2017-5689 is a vulnerability in Intel Active Management Technology. It allows an unprivileged network attacker to gain system privileges to provisioned Intel manageability SKUs such as Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features, gaining unprivileged network or local system privileges on AMT, ISM and Intel Small Business Technology (SBT). [1]

Note that only AMTs with firmware version 6.x and above are affected.

Intel describes AMT as a feature of Intel Core processors with vPro technology and Intel Xeon processors. This feature allows IT or managed service providers to better discover, repair and protect their networked computing assets. [2]

How to detect if I am affected?

Well, there are different ways to check whether you are affected, but I would go with them all. First, Intel has released a detection guide for this issue: https://downloadcenter.intel.com/download/26755

But sadly their detection tool runs only on Windows 7 and Windows 10. So here are other ways to detect if you are affected by it:

One way is to check for the right chipset. You can search the lspci output for the following keywords:

  • MEI
  • KT
  • IDER
  • HECI

But this alone is not a guarantee. lspci may fail to detect one of these devices, and even if you have one of them, it can be disabled (so no need to panic).
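The keyword search described above, as an added example that is not from the original post: a shell function that reads lspci output and reports lines containing MEI, KT, IDER or HECI as whole words. The function name `amt_hints` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag lspci lines that mention
# the ME-related keywords listed above. A hit is a hint, not proof that AMT
# is enabled, and no hit is not proof of absence.

AMT_KEYWORDS="MEI KT IDER HECI"   # keyword list taken from the post

# Read lspci-style text on stdin; print "KEYWORD<TAB>original line" per hit.
# Matching is case-insensitive but on whole words only, so "KT" does not
# match inside "Desktop". Hyphenated spellings are split at the hyphen and
# will not match; extend AMT_KEYWORDS if your device names differ.
amt_hints() {
    awk -v kws="$AMT_KEYWORDS" '
        BEGIN { n = split(kws, kw, " ") }
        {
            padded = " " toupper($0) " "
            gsub(/[^A-Z0-9]/, " ", padded)      # punctuation -> word breaks
            for (i = 1; i <= n; i++)
                if (index(padded, " " kw[i] " "))
                    printf "%s\t%s\n", kw[i], $0
        }'
}

# Constructed sample in lspci output format (vendor names are placeholders).
SAMPLE_LSPCI='00:00.0 Host bridge: Example Corp Desktop Host Bridge (rev 06)
00:16.0 Communication controller: Example Corp Chipset Family MEI Controller #1 (rev 04)
00:16.3 Serial controller: Example Corp Chipset Family KT Controller (rev 04)
00:1f.2 SATA controller: Example Corp SATA Controller [AHCI mode] (rev 04)'

# On a real machine: lspci | amt_hints
printf '%s\n' "$SAMPLE_LSPCI" | amt_hints
```

A plain case-insensitive grep for "kt" would also flag the "Desktop" line in the sample; the whole-word match avoids that.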

Another way is to simply check your BIOS for this feature. You can do this in the BIOS settings, or by using dmidecode and looking up your processor on Intel's pages or elsewhere on the web.

If you want to scan your personal network for devices with this vulnerability you can use nmap for it:

nmap -p16992,16993,16994,16995,623,664 <target range>

Note that this doesn't include the host that runs nmap.

This scans for open ports: if AMT is enabled correctly, it will spawn a web server on one of these ports. [3]

There is also a CVE-2017-5689 detector written in Python:

https://github.com/CerberusSecurity/CVE-2017-5689

Some companies have also released security bulletins:

AMT is also a part of the following chipsets:

Q57, Q67, Q77, Q87, Q170, Q65, B65, Q75, B75, Q85, B85, Q150, B150, Q250, B250.

Matthew Garrett wrote more about this vulnerability: https://mjg59.dreamwidth.org/48429.html

He has also created a tool for Linux that detects Intel AMT: https://github.com/mjg59/mei-amt-check

How to mitigate this?

Intel has released a mitigation guide for this vulnerability: https://downloadcenter.intel.com/download/26754

Another way is to disable it in the BIOS, or by pressing CTRL+P while booting when the AMT message is displayed.

What does the vulnerability look like in detail?

The company Embedi has released their proof of concept for CVE-2017-5689:

https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf


  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689

  2. https://www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html

  3. https://unix.stackexchange.com/questions/362686/how-to-detect-and-mitigate-the-intel-escalation-of-privilege-vulnerability-on-a



2017-05-05 12:13 +0000