Detect and Mitigate Intel AMT vulnerability

Martin Brinkmann
May 8, 2017
Updated • May 8, 2017

A recently disclosed vulnerability in Intel products using Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability gives attackers remote access to the manageability features supported by these products.

First the good news: the vulnerability does not affect (most) consumer PCs with Intel consumer firmware.

These technologies have been created by Intel for remote management of computer systems. Functionality may include monitoring, upgrading, repairing and maintaining compatible devices.

While you may use Intel's own advisory to find out whether a computer system is vulnerable, it is easier to use the detection tool the company created and published for that purpose.

You can download the tool from Intel's website, and may run it on all Windows versions starting with Windows 7. The program is portable, and it will tell you right away whether your system is vulnerable or not.

Note: Intel has published a guide to manually find out whether a system is vulnerable or not.

If the computer is not vulnerable, you are done, as there is nothing else to do. If the system is vulnerable, however, you have one or two options, depending on whether the manufacturer of the device has already published updated firmware.

  1. First option is to check whether updated firmware has been released. If that is the case, update the firmware to plug the security vulnerability. You find the list of firmware updates on Intel's advisory page.
  2. If no firmware is available, you may use the third-party tool Disable Intel AMT, or one of Intel's suggested options described in the mitigation guide.

Disable Intel AMT is a basic batch file for Windows that renames the LMS.exe (Intel Local Management Service) binary so that it won't run anymore.

Intel's own solution requires multiple steps to complete. First, unprovision any provisioned system; then disable or delete the LMS service; and optionally configure local manageability configuration restrictions.

Unconfiguring a system in CCM: ACUConfig.exe UnConfigure
Unconfiguring a system in ACM without RCS integration: ACUConfig.exe UnConfigure /AdminPassword <password> /Full
Unconfiguring a system with RCS integration: ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full

Intel published an unprovisioning tool which administrators may use if the above commands cannot be executed.

System administrators may also disable or remove LMS in the following way:

  1. Tap on the Windows-key, type cmd.exe, hold down the Shift-key and the Ctrl-key, and hit the Enter-key. This opens an elevated command prompt.
  2. To disable LMS: sc config LMS start= disabled
  3. To delete LMS: sc delete LMS

The vulnerability

If AMT is enabled, users may sign in locally or remotely. Intel uses HTTP Digest authentication for that: the credentials a user enters are turned into a hash, and the interface verifies that hash.

The researchers discovered that the verification process that Intel implemented is flawed, as it accepts partial hashes or even an empty string. All an attacker requires therefore is knowledge of a working user account to sign in without knowing the correct password. (via Born)
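The following is an added illustration, not Intel's firmware code, of the class of bug described above: a Digest response check that only compares as many characters as the client supplied, next to a check that requires a full-length match. The realm, nonce and credentials are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for the demonstration; not real AMT data).
REALM = "Digest:EXAMPLE"
NONCE = "constructed-nonce-0001"
METHOD = "GET"
URI = "/index.htm"
USERNAME = "admin"
PASSWORD = "constructed-password"


def expected_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_flawed(client_response, expected):
    """Prefix comparison bounded by the CLIENT's length.

    A truncated hash, or an empty string, matches its own prefix of the
    expected value, so the check passes without the password.
    """
    return expected[:len(client_response)] == client_response


def verify_fixed(client_response, expected):
    """Require the full expected length and compare in constant time."""
    if len(client_response) != len(expected):
        return False
    return hmac.compare_digest(client_response, expected)


if __name__ == "__main__":
    exp = expected_response(USERNAME, PASSWORD, REALM, NONCE, METHOD, URI)
    for attempt in ("", exp[:8], exp):
        print(f"{attempt!r:>36}: flawed={verify_flawed(attempt, exp)} "
              f"fixed={verify_fixed(attempt, exp)}")
```

The defensive takeaway is that a verifier must compare against the length of the value it computed, never the length of the value it received.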

Publisher
Ghacks Technology News

Comments

  1. Franck said on May 12, 2017 at 6:28 pm
    Reply

    Thanks a lot !

  2. AnorKnee Merce said on May 9, 2017 at 7:28 pm
    Reply

    Besides the vulnerable Intel AMT which is mainly for Remote Management, Intel ME(Management Engine) has the Intel Anti Theft technology for Remote Locking and Data Wipe which may be vulnerable also. Please see …….
    http(semi colon)//www(dot)eweek(dot)com/security/intel-arms-lenovo-thinkpad-laptops-with-new-anti-theft-technology
    (circa 2008)

    Some people have conjectured that the Intel ME (and M$ Win 10) is an NSA backdoor spyware.

    1. Corky said on May 10, 2017 at 1:41 pm
      Reply

      @AnorKnee Merce, you know you can post full URLs without changing : and . to words right?

      Also seeing as the secret 3g Intel chip article you link to leads back to that whack job Alex Jones from Info Wars who admits everything he posts and talks about is just him “Playing a Character” and that “He is a performance artist”, seeing as (afaik) your claim of an NSA backdoor spyware built into Intel chips is based on what a confirmed conspiracy theorist has said, you’ll have to forgive me for saying your claim lacks credibility.

    2. ecfx said on May 9, 2017 at 8:35 pm
      Reply

      Intel Anti Theft technology has already been discontinued by Intel after their servers were hacked some time ago; it is no longer in use.

      1. AnorKnee Merce said on May 10, 2017 at 7:07 am
        Reply

        @ ecfx

        Yes, the web-based subscription Anti-Theft Service has been discontinued by Intel but the Intel Anti Theft hardware/chipset feature is still present in Intel ME. Eg …….
        http(semi colon)//www(dot)game-debate(dot)com/cpu/index.php?pid=2454&pid2=208&compare=core-i5-7400-3-0ghz-vs-core-i7-920-quad-2-67ghz

    3. AnorKnee Merce said on May 9, 2017 at 8:01 pm
      Reply

      Also, …
      https(semi colon)//www(dot)prisonplanet(dot)com/secret-3g-intel-chip-gives-snoops-backdoor-pc-access.html
      (circa 2013)

  3. ecfx said on May 9, 2017 at 5:56 pm
    Reply

    For Linux, scan from another computer in LAN, scan will not work for your own host because you probably don’t have LMS driver.

    nmap -p16992,16993,16994,16995,623,664 192.168.xxx.xxx

    response can be something like this:

    PORT STATE SERVICE
    623/tcp closed oob-ws-http
    664/tcp open secure-aux-bus
    16992/tcp open amt-soap-http
    16993/tcp open amt-soap-https
    16994/tcp closed unknown
    16995/tcp open unknown

    then you can probe the open ports to see the IAMT version like this:

    curl -sS http://192.168.xxx.xxx:16992 -i

    and you will get something like this:

    HTTP/1.1 303 See Other
    Location: /logon.htm
    Content-Length: 0
    Server: Intel(R) Active Management Technology 10.0.38

    that it is vulnerable.

    Until a new BIOS upgrade – if you are lucky enough to get a new BIOS – you can mitigate by renaming the default admin account to something random. Uninstall LMS drivers in Windows. This vulnerability will not allow escalation of account rights, only login to a known account name.
    For more info about this mitigation check this:
    https://forum.pfsense.org/index.php?topic=130046.msg716548
    and this
    https://forums.lenovo.com/t5/forums/v3_1/forumtopicpage/board-id/Security_Malware/thread-id/2678/page/3

    L.
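As an added example (not part of the comment above, and not an Intel tool), the banner check ecfx describes with nmap and curl can be scripted: parse the Server header of the AMT web interface to extract the reported firmware version, and optionally probe the AMT ports from another host on the LAN. The sample response is constructed to mirror the one quoted in the comment.

```python
import re
import socket

# Ports associated with AMT/ISM web and redirection services, as listed in the comment above.
AMT_PORTS = (16992, 16993, 16994, 16995, 623, 664)

# Assumed banner shape, based on the quoted response: "Server: Intel(R) <product> <version>".
SERVER_RE = re.compile(
    r"^Server:\s*(Intel\(R\)[^\r\n]*?)\s+(\d+(?:\.\d+)+)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_amt_banner(raw):
    """Return (product, version) from a raw HTTP response, or None if not an Intel banner."""
    text = raw.decode("latin-1", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    match = SERVER_RE.search(head)
    return (match.group(1), match.group(2)) if match else None


def open_ports(host, ports=AMT_PORTS, timeout=2.0):
    """TCP-connect check of the AMT ports on host; requires network access."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass
    return found


def probe_amt(host, port=16992, timeout=3.0):
    """Fetch the front page over plain HTTP and return the parsed banner (None if unreachable)."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


# Constructed sample response, mirroring the curl output quoted in the comment.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\nLocation: /logon.htm\r\nContent-Length: 0\r\n"
    b"Server: Intel(R) Active Management Technology 10.0.38\r\n\r\n"
)
```

Compare the version returned against the fixed firmware versions listed on Intel's advisory page; the script only reports what the interface announces.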

  4. craetetr said on May 8, 2017 at 8:49 pm
    Reply

    Can you give a full list of AMT CPUs?

    1. Corky said on May 9, 2017 at 10:20 am
      Reply

      Technically it’s any CPU that uses vPro; it’s best if you check specific CPUs for vPro, as the list would be too long due to it being included in CPUs since 2008.

      Having said that, it’s very unlikely that even if you did have a CPU that supported vPro your average consumer would be affected by this, not only because vPro is mainly used in workstation CPUs (Xeon and some mobile CPUs) but also because you’d have to meet the following requirements.

      1) A supported CPU
      2) A supported chipset
      3) Supported network hardware
      4) The ME firmware to contain the AMT firmware

      The following link gives a fairly well balanced overview of vulnerability.
      https://mjg59.dreamwidth.org/48429.html

  5. Shiro said on May 8, 2017 at 2:28 pm
    Reply

    Any problems on a Linux server?

    1. ecfx said on May 9, 2017 at 8:41 pm
      Reply

      For linux: scan for IAMT open ports from another computer in lan.

      nmap -p16992,16993,16994,16995,623,664 192.168.xxx.xxx

      you will get something like this if IAMT is working and it is found:
      PORT STATE SERVICE
      623/tcp closed oob-ws-http
      664/tcp open secure-aux-bus
      16992/tcp open amt-soap-http
      16993/tcp open amt-soap-https
      16994/tcp closed unknown
      16995/tcp open unknown

      then:
      curl -sS http://192.168.xxx.xxx:16992 -i

      to check IAMT version and you will receive something like this:

      HTTP/1.1 303 See Other
      Location: /logon.htm
      Content-Length: 0
      Server: Intel(R) Active Management Technology 10.0.38

      This is vulnerable but can be mitigated by changing the default admin account name to something random, so an attacker will not know the admin account name to exploit it.

      1. Shiro said on May 9, 2017 at 9:35 pm
        Reply

        @corky @ecfx, thanks!

    2. Martin Brinkmann said on May 8, 2017 at 3:31 pm
      Reply
      1. Corky said on May 8, 2017 at 6:40 pm
        Reply
      2. Shiro said on May 8, 2017 at 5:54 pm
        Reply

        So, how do you test and fix it on Linux? The description and tool above is for Win only I believe, does anyone with Linux expertise know?

  6. Mike O said on May 8, 2017 at 1:47 pm
    Reply

    I ran the command “sc config LMS start=disabled” on my Thinkpad and it did not work. A warning indicated there must be a space between the equal sign and the value. The command should be “sc config LMS start= disabled”. After reentering the command with that space; success.

    1. Martin Brinkmann said on May 8, 2017 at 3:24 pm
      Reply

      Mike, thank you very much. A space is required between an option and its value, as indicated here on Technet (https://technet.microsoft.com/en-us/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_examples). I have corrected the command.

  7. Norm said on May 8, 2017 at 1:36 pm
    Reply

    I used the manual guide and found “Intel Management & Security Application Local Management Service” running in
    Services, and then downloaded the INTEL-SA-00075 Discovery Tool and ran it. The tool showed “Not Vulnerable”.
    So… maybe I don’t have this vulnerability. Great info as always Martin, thanks.
